20 tips for information security around human factors and human error

Published on April 25, 2014

Author: torunakata

Source: slideshare.net


Most information leakage is caused by the human errors of employees, not by outsiders. Here are some key tips for protecting information security while keeping the business efficient.

Toru Nakata (Senior Researcher, AIST, Japan)

 Good security sticks to the efficiency of the business, not to the protection of information. Utilize the information.
 Bad security is reactive and passive.

 You should close your company if your goal is just to avoid information leakage.
 Dwell on why you are using so much information and so many computers.
 A good goal is more concrete and intentional about the business; it mentions service time, service quality and security quality.

 The weakest link dooms your company.
◦ A security expert company with excellent management of email and the web was attacked via FAX. A fraudulent FAX deceived an employee into changing security settings.
 Survey all equipment, systems and information flows in your company.

 Imagine your business scene.
◦ “Go out to the customers with laptops. Give presentations, negotiate, send mail and so on.”
 When, where, why, what, and how much information is needed?
 Reveal the minimum set of necessary information.

 Over 90% of accidents are caused by employees: lost information, sending to the wrong address, and mistakes in system settings.
 Apply systematic protection.
◦ An email system that prevents wrong emailing.
 Make management more practical.
◦ Consider why your employees behave so riskily as to bring out the information. Is there any inconvenience at your office?
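One shape such an "email system to prevent wrong emailing" can take is a pre-send gate that flags the address errors the slide lists. This is an added example, not code from the slides or from AIST; the company domain `example.co.jp`, the partner domain `partner-corp.com` and the `Verdict` structure are assumptions.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.co.jp"}      # assumed: the company's own mail domains
KNOWN_PARTNERS = {"partner-corp.com"}     # assumed: external domains mailed routinely


@dataclass
class Verdict:
    warnings: list = field(default_factory=list)
    block: bool = False                   # True: hold the mail for a second look


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; one or two edits between domains is the typo signature.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(recipients, labels=()):
    """Run the slide's 'prevent wrong emailing' idea as a pre-send gate."""
    v = Verdict()
    trusted = INTERNAL_DOMAINS | KNOWN_PARTNERS
    external = [r for r in recipients if domain_of(r) not in INTERNAL_DOMAINS]
    for r in external:
        d = domain_of(r)
        if d in KNOWN_PARTNERS:
            continue
        near = sorted(t for t in trusted if 0 < edit_distance(d, t) <= 2)
        if near:                          # e.g. partner-crop.com for partner-corp.com
            v.warnings.append(f"{r}: domain resembles {near[0]} (possible typo)")
            v.block = True
        else:
            v.warnings.append(f"{r}: first contact with external domain {d}")
    if external and len(external) < len(recipients):
        v.warnings.append("internal and external recipients mixed (reply-all risk)")
    if external and "confidential" in {lab.lower() for lab in labels}:
        v.warnings.append("confidential material addressed outside the company")
        v.block = True
    return v
```

A mail client plug-in or gateway would show the warnings and require an explicit confirmation when `block` is set, instead of silently sending.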

 A wrong security policy is dangerous.
◦ “Do not connect PCs to the net.”  People use USB memories to convey files.  Memories get lost.
 There is no silver bullet. Even the best methods have some bad side effects.
 Compare several ways to promote both your business and your security.

 Information security is a main issue of company performance.
 The best and brightest employees should take care of it.
 Technology experts are there to support them.

 Plan before incidents.
 Reinforce the security policy periodically.
 Drill against human error incidents and cyber attacks.

 The 3 typical tactics of cyber fraud
1. Authority impersonation
◦ “The security department requires you to read the attached file of this mail!”
2. Panic maker
◦ “I am meeting the customer and need to open a locked file. Please tell me the password now!”
3. Lightly-favored trap
◦ “The lights of someone’s car in the parking lot are left on. The photo is attached to this mail.”

 Turn typical mail addresses into decoys.
◦ admin@your.com, webmaster@your.com, etc.
 Prepare decoy names of company employees and organizations.
◦ Adversary: “Sorry, I forgot the name of the person I met yesterday.”
◦ Employee: “Well, Mr. Suzuki is our boss.”
◦ Adversary: “Yes, Mr. Suzuki is he.”
◦ Employee: “There is no such person in our company!”
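Decoys only pay off if someone watches them. The following is an added example, not part of the slides, of a detector run over constructed mail-gateway log lines: any message addressed to a decoy mailbox, or naming the decoy "Mr. Suzuki", comes from a sender who obtained data no legitimate contact has. The log format, the `.example` sender domains and the helpdesk pretext are assumptions; `your.com` is the slide's own placeholder.

```python
import re
from collections import Counter

# Assumed sample values: mailboxes that are published but never used for real work,
# and names that appear in no real staff directory.
DECOY_MAILBOXES = {"admin@your.com", "webmaster@your.com"}
DECOY_NAMES = {"suzuki"}

# Constructed sample log in a simple 'timestamp sender recipient "subject"' format.
SAMPLE_LOG = """\
2014-04-25T09:01:02 alice@partner-corp.com sales@your.com "RE: quote"
2014-04-25T09:05:44 billing@pay-now.example admin@your.com "Invoice overdue - open now"
2014-04-25T09:06:10 billing@pay-now.example webmaster@your.com "Invoice overdue - open now"
2014-04-25T10:12:00 helpdesk@your-com.example bob@your.com "Mr. Suzuki asked me to reset your password"
2014-04-25T11:00:00 carol@your.com dave@your.com "lunch?"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"(?P<subj>.*)"$')


def parse(log: str):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def decoy_hits(log: str):
    """(sender, reason) for every message that used a decoy address or decoy name:
    nobody legitimate has that data, so each hit points at scraping or pretexting."""
    alerts = []
    for rec in parse(log):
        if rec["dst"].lower() in DECOY_MAILBOXES:
            alerts.append((rec["src"], f"mail to decoy mailbox {rec['dst']}"))
        words = set(re.findall(r"[a-z]+", rec["subj"].lower()))
        for name in DECOY_NAMES & words:
            alerts.append((rec["src"], f"decoy name '{name}' in subject"))
    return alerts


def senders_to_block(log: str, threshold: int = 2):
    """Senders with `threshold` or more decoy hits are candidates for a gateway block."""
    counts = Counter(src for src, _ in decoy_hits(log))
    return sorted(s for s, n in counts.items() if n >= threshold)
```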

 Passwords are hard to hide perfectly.
◦ Key loggers, reuse of the same password, etc.
 Do not rely only on passwords.
 Require additional, physical keys for access.

 Naive passwords are often attacked, but they are very popular.
◦ “123456”, “password”, “admin”, etc.
 Even complex passwords are breakable when they can be challenged an unlimited number of times (offline attack).
◦ Locking files with passwords is not safe.
 Very complex passwords will be written down and posted around the desk.
 Two-factor authentication is recommended for various business uses.

 Guessing is very easy.
◦ Birthday date, year
◦ Telephone number
◦ Car number
◦ Postal code
 Isn’t it?
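The two slides above (naive passwords, and passwords guessable from personal data) can be enforced at password-change time. This is an added example, not code from the slides: it rejects the listed naive passwords and any password containing a digit run or word taken from the user's own birthday, phone number, car number or postal code. The profile values are constructed and the four-digit minimum fragment length is an assumption.

```python
import re

# Assumed block-list; the slide names "123456", "password" and "admin".
NAIVE_PASSWORDS = {"123456", "password", "admin"}


def digit_fragments(value: str, min_len: int = 4) -> set:
    """Every run of >= min_len consecutive digits hidden in value, separators removed,
    so '03-1234' yields '0312', '3123', '1234', '03123', '31234', '031234'."""
    digits = re.sub(r"\D", "", value)
    return {digits[i:i + n]
            for n in range(min_len, len(digits) + 1)
            for i in range(len(digits) - n + 1)}


def personal_fragments(profile: dict) -> set:
    """Strings an outsider could guess from birthday, phone, car plate or postal code."""
    frags = set()
    for value in profile.values():
        value = str(value).lower()
        frags |= digit_fragments(value)
        frags |= set(re.findall(r"[a-z]{4,}", value))   # e.g. the plate's region name
    return frags


def password_problems(password: str, profile: dict) -> list:
    """Reasons to reject the password; an empty list means no objection found."""
    problems = []
    low = password.lower()
    if low in NAIVE_PASSWORDS:
        problems.append("in the naive-password list")
    # Check the longest fragments first so the report names the most telling one.
    for frag in sorted(personal_fragments(profile), key=len, reverse=True):
        if frag in low:
            problems.append(f"contains personal data fragment '{frag}'")
            break
    return problems


# Constructed profile: none of these values belong to a real person.
SAMPLE_PROFILE = {
    "birthday": "1985-03-22",
    "phone": "03-1234-5678",
    "car": "Shinagawa 500 a 12-34",
    "postal": "100-0001",
}
```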

 The present state may not be safe anymore.
◦ Technology changes quickly.
◦ Severe security holes are found every month.
◦ Whether old-fashioned technology like FAX should be continued must be reconsidered.
 Buy powerful solutions if you have enough budget.
 Otherwise, change the policy to be more protective.

 You look at “122” and read it as “112”.
 Separate long sequences of digits into 2-digit clusters.
◦ Write as “12-2”.
 A PC can read numbers aloud. Listen to the voice to check the numbers.

 Risks are often hidden individually.
◦ Violations of the security policy.
◦ Virus-infected PCs.
◦ Passwords known only by one person.
 During a long vacation, these risks cannot stay hidden.

 Retiring employees bring information with them.
◦ Knowledge in the brain is inerasable. There is no perfect control.
 Hold audits with them, and reach a consensus about information management.
◦ What kinds of information are left behind, and what are not.

 Do not put all eggs in one basket.
◦ Files accessible to everyone?
◦ PCs open to everyone?
◦ Administrators always using the powerful admin account?
 Put partitions on information.

 Information becomes power when it is exchanged.
 If you say nothing, the counterpart says nothing.
◦ A too strict security policy stops your business.
 Plan a win-win strategy.
◦ Some of your information can be given to the counterpart without damaging you.
◦ Likewise, some of their information can be given to you.

 Information flow must not stop, especially under disasters.
◦ Natural disasters
◦ Business disasters (terror attacks against your products)
 Keep several channels to communicate with customers, employees, and neighborhoods.
 Utilize social networking services.
