20 tips for information security around human factors and human error
DESCRIPTION
Most information leakage is caused by the errors of employees, not by outsiders. Here are some key tips for protecting information security while keeping the business efficient.

TRANSCRIPT
![Page 1: 20 tips for information security around human factors and human error](https://reader036.vdocuments.site/reader036/viewer/2022081518/548eb903b47959813b8b4784/html5/thumbnails/1.jpg)
20 tips against Information Leakage by Human Error
Toru Nakata (Senior Researcher, AIST, Japan)
1. Security is not a "countermeasure" but management
- Good security sticks to the efficiency of the business. The aim is not to lock information away but to make use of it.
- Bad security is reactive and passive.
2. Be goal-driven
- If your only goal were to avoid information leakage, you should close your company.
- Dwell on why you are using so much information and so many computers.
- A good goal is concrete and intentional about the business: it speaks of service time, service quality, and security quality.
3. Have a bird's-eye view. Coordinate
- The weakest link dooms your company.
  ◦ A security-expert company with excellent management of email and the web was attacked via FAX: a fraudulent FAX deceived an employee into changing security settings.
- Survey all equipment, systems, and information flows in your company.
4. Plan the defense as a scenario
- Imagine your business scene.
  ◦ "Go out to the customers carrying laptops. Give a presentation, negotiate, send mail, and so on."
- When, where, why, what, and how much information is needed?
- Reveal the minimum set of necessary information.
5. Accidents are caused by error
- Over 90% of accidents are caused by employees: lost information, mail sent to the wrong address, and mistakes in system settings.
- Apply systematic protection.
  ◦ An email system that prevents misaddressed mail.
- Make management more practical.
  ◦ Consider why your employees behave so riskily as to take information out of the office. Is there some inconvenience at your office?
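The "email system to prevent wrong emailing" above is the kind of systematic protection that removes a human error instead of blaming the human. The following is an added example of such a pre-send check, not code from the deck: it refuses nothing by itself but returns warnings that a mail client or MTA hook would show before sending. The internal domain, the partner domains, the warning thresholds and the sample messages are all assumptions made for the illustration.

```python
"""Pre-send check for misaddressed email (added example, not from the deck).

Assumed policy: mail to our own domain goes freely; an attachment going to any
external address is flagged; a recipient domain that is a near-miss of a known
partner domain is treated as a probable typo (the classic "wrong address").
All domains and messages here are constructed for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.co.jp"                                   # assumed
KNOWN_PARTNERS = {"partner.example.com", "customer.example.net"}    # assumed
TYPO_DISTANCE = 2   # edits within which a domain is "almost" a known partner


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domains usually means a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipients(msg: EmailMessage) -> list:
    """All addresses in To, Cc and Bcc, lower-cased."""
    headers = [v for k in ("To", "Cc", "Bcc") for v in msg.get_all(k, [])]
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def check_outgoing(msg: EmailMessage) -> list:
    """Return warnings; an empty list means the message may be sent as is."""
    warnings = []
    has_attachment = any(part.get_filename() for part in msg.iter_attachments())
    external = []
    for addr in recipients(msg):
        domain = addr.rsplit("@", 1)[-1]
        if domain == INTERNAL_DOMAIN:
            continue
        external.append(addr)
        if domain in KNOWN_PARTNERS:
            continue
        close = [p for p in KNOWN_PARTNERS if 0 < levenshtein(domain, p) <= TYPO_DISTANCE]
        if close:
            warnings.append(f"{addr}: domain looks like a typo of {close[0]}")
        else:
            warnings.append(f"{addr}: unknown external domain")
    if external and has_attachment:
        warnings.append(f"attachment going to {len(external)} external recipient(s)")
    return warnings


def build_sample(to: str, attach: bool) -> EmailMessage:
    """Constructed sample message used to exercise the check."""
    msg = EmailMessage()
    msg["From"] = f"tanaka@{INTERNAL_DOMAIN}"
    msg["To"] = to
    msg["Subject"] = "Quotation"
    msg.set_content("Please find the quotation attached.")
    if attach:
        msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                           subtype="pdf", filename="quotation.pdf")
    return msg


if __name__ == "__main__":
    for to, attach in [("suzuki@example.co.jp", True),
                       ("sato@partner.example.com", True),
                       ("sato@partner.exmaple.com", False)]:
        print(to, "->", check_outgoing(build_sample(to, attach)) or "ok")
```

The typo check is the part that addresses the slide's "sending wrong address" case directly; the attachment rule is the one most organisations actually deploy first, because it is the combination that turns a misdirected mail into a leak.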
6. Compare the measures
- A wrong security policy is dangerous.
  ◦ "Do not connect PCs to the network." People then use USB memory sticks to carry files, and lose them.
- There is no silver bullet. Even the best methods have some bad side effects.
- Compare several ways of promoting both your business and your security.
7. An elite team controls security
- Information security is a main issue of company performance.
- The best and brightest employees should take care of it.
- Technology experts are there to support them.
8. Be proactive
- Plan before incidents.
- Reinforce the security policy periodically.
- Drill against human-error incidents and cyber attacks.
9. The lightly-favored trap is the strongest
- The 3 typical tactics of cyber fraud:
  1. Authority impersonation
     ◦ "The security department requires you to read the file attached to this mail!"
  2. Panic maker
     ◦ "I am meeting the customer and need to open a locked file. Please tell me the password now!"
  3. Lightly-favored trap
     ◦ "Someone's car in the parking lot has its lights left on. The photo is attached to this mail."
10. Prepare a honeypot
- Set up typical mail addresses as decoys.
  ◦ [email protected], [email protected], etc.
- Prepare decoy names of company employees and organizations.
  ◦ Adversary: "Sorry, I forget the name of the person I met yesterday."
  ◦ Employee: "Well, Mr. Suzuki is our boss."
  ◦ Adversary: "Yes, Mr. Suzuki, that's him."
  ◦ Employee: "There is no such person in our company!"
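A decoy is only useful if somebody is watching it. The following is an added example, not part of the deck, of the alerting side of the honeypot idea: any message to a decoy mailbox, or any message that refers to the decoy employee "Mr. Suzuki" from the dialogue above, marks its sender as reconnaissance, and every other message from that sender is then flagged as well, so the phishing mail that follows the probe is caught even though it never touches a decoy itself. The decoy addresses, the log format and the log lines are constructed for the example and do not describe any real mail server.

```python
"""Honeytoken alerting over mail-log lines (added example, not from the deck).

The decoy mailboxes, the decoy name "Suzuki" (taken from the deck's dialogue),
the log line format and the sample log are all constructed for illustration.
"""
import re
from typing import Optional

DECOY_ADDRESSES = {"info-old@example.co.jp", "accounting-backup@example.co.jp"}  # assumed decoys
DECOY_NAMES = {"suzuki"}   # assumed: no real employee has this name

# assumed log format: "<timestamp> from=<addr> to=<addr> subject="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)

SAMPLE_LOG = """\
2024-03-01T09:12:03 from=<newsletter@vendor.example> to=<tanaka@example.co.jp> subject="March catalogue"
2024-03-01T09:14:51 from=<it-support@exampie.co.jp> to=<info-old@example.co.jp> subject="Password reset required"
2024-03-01T09:15:07 from=<it-support@exampie.co.jp> to=<tanaka@example.co.jp> subject="Password reset required"
2024-03-01T10:02:44 from=<sales@partner.example.com> to=<tanaka@example.co.jp> subject="Re: meeting with Mr. Suzuki"
2024-03-01T10:30:00 from=<sato@example.co.jp> to=<tanaka@example.co.jp> subject="Lunch?"
""".splitlines()


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_reasons(event: dict) -> list:
    """Why this single message touches a decoy, if it does."""
    reasons = []
    if event["rcpt"].lower() in DECOY_ADDRESSES:
        reasons.append("mail to decoy mailbox")
    if any(name in event["subject"].lower() for name in DECOY_NAMES):
        reasons.append("decoy employee name in subject")
    return reasons


def burned_senders(lines: list) -> set:
    """Senders that have touched a decoy anywhere in the log."""
    events = [e for e in map(parse, lines) if e]
    return {e["sender"].lower() for e in events if decoy_reasons(e)}


def find_hits(lines: list) -> list:
    """One alert per direct decoy hit, plus one per other message from a burned sender."""
    events = [e for e in map(parse, lines) if e]
    burned = {e["sender"].lower() for e in events if decoy_reasons(e)}
    alerts = []
    for e in events:
        reasons = decoy_reasons(e)
        if not reasons and e["sender"].lower() in burned:
            reasons = ["sender has touched a decoy elsewhere"]
        if reasons:
            alerts.append({"ts": e["ts"], "sender": e["sender"],
                           "rcpt": e["rcpt"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_hits(SAMPLE_LOG):
        print(a["ts"], a["sender"], "->", a["rcpt"], ";", ", ".join(a["reasons"]))
```

Nobody legitimate writes to a mailbox that was never published, so a decoy hit has essentially no false positives; the value of the second pass is that the real target (tanaka, in the sample) is warned about the sender before reading the follow-up.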
11. Use 2-factor authentication
- Passwords are hard to hide perfectly.
  ◦ Key loggers, reuse of the same password, etc.
- Do not rely only on passwords. Require an additional, physical key for access.
12. Know password weaknesses
- Naive passwords are often attacked, but they are very popular.
  ◦ "123456", "password", "admin", etc.
- Even complex passwords are breakable when they can be challenged an unlimited number of times (offline attack).
  ◦ Locking files with passwords is not safe.
- Very complex passwords get written down and posted around the desk.
- Two-factor authentication is recommended for various business uses.
13. A 4-digit PIN is terrible
- Guessing is very easy.
  ◦ Birthday, year of birth
  ◦ Telephone number
  ◦ Car number
  ◦ Postal code
- Isn't it?
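Tip 12's "offline attack" and tip 13's PIN weakness are the same problem seen from two sides, so here is one added example, not from the deck, that shows both. It models a leaked, PIN-locked file: the attacker holds the salt and the key-check value that the file stores, so nothing limits how many PINs can be tried. Guesses derived from the owner's personal data go first, then the whole space of ten thousand PINs; either way the loop ends. The key derivation, the iteration count, the victim's data and the PINs are all constructed for the illustration.

```python
"""Offline attack on a PIN-locked file (added example, not from the deck).

Assumed construction: the file key is PBKDF2-HMAC-SHA256(PIN, salt) and the file
stores the salt plus an HMAC "verifier" that a decryptor checks before using the
key. Once the file has leaked, the attacker has everything needed to test
guesses locally. ITERATIONS is kept low so the demo runs in about a second; a
realistic count only multiplies the attacker's cost by the same constant.
Personal data and PINs are constructed.
"""
import hashlib
import hmac
import os
from datetime import date
from itertools import chain

ITERATIONS = 200   # assumed; deliberately low for the demo


def derive_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)


def verifier_for(key: bytes) -> bytes:
    return hmac.new(key, b"verify", hashlib.sha256).digest()


def lock(pin: str) -> tuple:
    """What the locked file stores: a random salt and the key-check value."""
    salt = os.urandom(16)
    return salt, verifier_for(derive_key(pin, salt))


def personal_candidates(birthday: date, phone: str, postal: str) -> list:
    """The PINs people actually choose, built from data an adversary can usually find."""
    raw = [
        f"{birthday.month:02d}{birthday.day:02d}",      # MMDD
        f"{birthday.day:02d}{birthday.month:02d}",      # DDMM
        str(birthday.year),                             # YYYY
        f"{birthday.year % 100:02d}{birthday.month:02d}",
        phone[-4:],
        postal[:4],
        postal[-4:],
    ]
    out = []
    for c in raw:
        if c.isdigit() and len(c) == 4 and c not in out:
            out.append(c)
    return out


def crack(salt: bytes, verifier: bytes, guesses) -> tuple:
    """Try guesses in order; return (pin, attempts) or (None, attempts)."""
    attempts = 0
    for pin in guesses:
        attempts += 1
        if hmac.compare_digest(verifier_for(derive_key(pin, salt)), verifier):
            return pin, attempts
    return None, attempts


def all_pins():
    return (f"{i:04d}" for i in range(10_000))


def attack(salt: bytes, verifier: bytes, birthday: date, phone: str, postal: str) -> tuple:
    """Personal guesses first, then the remaining 10^4 space; nothing can stop the loop."""
    personal = personal_candidates(birthday, phone, postal)
    rest = (p for p in all_pins() if p not in personal)
    return crack(salt, verifier, chain(personal, rest))


if __name__ == "__main__":
    victim = (date(1987, 4, 23), "090-1234-5678", "305-8568")   # constructed
    for chosen in ("1987", "7351"):
        salt, ver = lock(chosen)
        pin, n = attack(salt, ver, *victim)
        print(f"PIN {chosen}: recovered {pin} after {n} guesses")
```

Compare this with an online login, where the server can lock the account after a handful of failures: the same 4-digit PIN is tolerable there and hopeless here, which is exactly the slide's "locking files by passwords is not safe".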
14. Evaluate conventional ways again
- The present state may not be safe anymore.
  ◦ Technology changes quickly.
  ◦ Severe security holes are found every month.
  ◦ Old-fashioned technology like FAX should be reconsidered before it is continued.
- Buy powerful solutions if you have enough budget. Otherwise, change the policy to be more protective.
15. Doublets are where people make mistakes
- People see "122" and read it as "112".
- Separate long sequences of digits into 2-digit clusters.
  ◦ Write it as "12-2".
- A PC can read numbers aloud. Listen to the voice to check the numbers.
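Clustering and reading aloud help the human notice the error; a check digit lets the machine refuse the wrong number outright. The following is an added example, not from the deck, that implements the "12-2" clustering and, going one step beyond the slide, appends a Damm check digit (a published algorithm, not something from this deck) so that a number in which one digit was misread, or two neighbouring digits were swapped, fails verification instead of being accepted. The sample numbers are constructed.

```python
"""Digit clustering for humans and a check digit for machines (added example,
not from the deck). Clustering is the deck's "12-2" suggestion; the Damm check
digit is an addition: it detects every single-digit error and every adjacent
transposition, the two ways people usually misread runs of digits.
Sample numbers are constructed.
"""

# Damm quasigroup table (H. Michael Damm, 2004); row = running value, column = next digit.
DAMM_TABLE = (
    (0, 3, 1, 7, 5, 9, 8, 6, 4, 2),
    (7, 0, 9, 2, 1, 5, 4, 8, 6, 3),
    (4, 2, 0, 6, 8, 7, 1, 3, 5, 9),
    (1, 7, 5, 0, 9, 8, 3, 4, 2, 6),
    (6, 1, 2, 3, 0, 4, 5, 9, 7, 8),
    (3, 6, 7, 4, 2, 0, 9, 5, 8, 1),
    (5, 8, 6, 9, 7, 2, 0, 1, 3, 4),
    (8, 9, 4, 5, 3, 6, 2, 0, 1, 7),
    (9, 4, 3, 8, 6, 1, 7, 2, 0, 5),
    (2, 5, 8, 1, 4, 3, 6, 7, 9, 0),
)


def cluster(number: str, size: int = 2, sep: str = "-") -> str:
    """Display form for humans: "122" -> "12-2", "12345678" -> "12-34-56-78"."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return sep.join(digits[i:i + size] for i in range(0, len(digits), size))


def damm_check_digit(number: str) -> str:
    """Run the digits through the table; the final running value is the check digit."""
    interim = 0
    for ch in number:
        if not ch.isdigit():
            continue               # ignore separators such as "-"
        interim = DAMM_TABLE[interim][int(ch)]
    return str(interim)


def with_check_digit(number: str) -> str:
    """Number as issued: original digits followed by the check digit."""
    return number + damm_check_digit(number)


def damm_verify(number: str) -> bool:
    """A correct number including its check digit runs through to 0."""
    return damm_check_digit(number) == "0"


if __name__ == "__main__":
    issued = with_check_digit("122")          # "1227"
    for typed in (issued, "1127", "2127"):    # correct, misread doublet, swapped pair
        print(cluster(typed), "valid" if damm_verify(typed) else "REJECTED")
```

The verifier ignores separators, so the clustered form can be typed back exactly as it was displayed; the table lookup itself is what makes the scheme catch the "122 read as 112" case, because any single wrong digit changes the final value.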
16. Mandatory vacation
- Risks are often hidden by individuals.
  ◦ Violations of the security policy.
  ◦ A virus-infected PC.
  ◦ Passwords known only to one person.
- During a long vacation, such risks cannot stay hidden.
17. Control the retirement procedure
- Retiring employees take information with them.
  ◦ Knowledge in the brain is inerasable. There is no perfect control.
- Hold audits with them, and reach a consensus about information management.
  ◦ What kinds of information are left behind, and what are not.
18. Divide and conquer
- Do not put all your eggs in one basket.
  ◦ Files accessible to everyone?
  ◦ PCs open to everyone?
  ◦ Administrators always using the powerful admin account?
- Put partitions around information.
19. No leak, no gain
- Information becomes power when it is exchanged.
- If you say nothing, the counterpart says nothing.
  ◦ A too-strict security policy stops your business.
- Plan a win-win strategy.
  ◦ Some of your information can be given to the counterpart without damaging you.
  ◦ Likewise, some of their information can be given to you without damaging them.
20. Think about business continuity
- The information flow must not stop, especially under disasters.
  ◦ Natural disasters
  ◦ Business disasters (terrorism aimed at your products)
- Keep several channels for communicating with customers, employees, and the neighborhood.
- Utilize social networking services.