Cyber Awareness and Training for Computer Security
How NIST 800 Standards Can Keep Your Computer Safe
Recently the government passed a requirement: small businesses that act as contractors to the Federal Government must assure that they protect Controlled Unclassified Information (CUI). This information includes financial and medical information about their employees, financial records about contracts, patents and trademarks, and other information. If revealed to competitors or hackers, CUI could harm the company or its employees. These companies need to audit their cyber security processes, people, and technologies to assure that adequate protections are in place to keep this information secure.
The National Institute of Standards and Technology (NIST) developed a checklist of controls and practices that facilitate the audit process: NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication consists of 14 control families that help provide a defense to protect the confidentiality, integrity, and availability of the information stored, processed, or transmitted.
But what about the individual at home? NIST SP 800 can educate the home user on procedures and tools that will make home systems more secure. These recommendations include the use of inexpensive or open source tools, external devices, and procedures that you can easily incorporate into your daily routine to protect your information. These lessons do not tell the reader how to implement these controls or practices – you can find these instructions on YouTube. Instead, these lessons provide a roadmap of ideas to make your system more resilient to hackers. These lessons follow the NIST control guidelines. The first lesson of this series covered access controls. Today we will discuss the second family of controls: awareness and training controls.
What are Awareness and Training Controls?
Often, the user is the weakest link in securing systems. As I like to say: “Every system is secure until the user gets involved.” Why? Users are unaware of how their actions may impact the security of a system.
Making system users aware of their security responsibilities and teaching them correct practices helps change their behavior. It also supports individual accountability, which is one of the most important ways to improve information security.
Trojans, Viruses, and Cyber Awareness
Systems are becoming more “intuitive.” In the point and click (or touch and swipe) interface, users instinctively know how to access the information they want. Unfortunately, they don’t understand that as systems have become easier to use, they have also become easier to harm.
Ready-made “kiddie scripts” for implanting Trojans or viruses, or for turning your computer into a zombie, are freely available and require very little knowledge of programming. Often, the user only becomes aware that something is wrong when the system starts to slow down, auto-updating stops working, or excessive popups appear.
Cyber Awareness Training
Thus, the first line of defense is the person at the keyboard. As the CEO of your device, it is critical that you are not the weak link in your security system. The purpose of training and awareness is not to turn each person into an operating system guru or cyber security expert, but instead to educate everyone to make their systems harder to hack.
How To Protect Your Data
Change Your Router Password
Every home user has a router – probably sitting on the desk or bookcase – and every router ships with a default login ID and password. A recent survey by Catalin Cimpanu, Security News Editor for Bleeping Computer, indicates that most people do not change the default router credentials, which makes them prime targets for botnet attacks.
At the very least, log into your router (see YouTube for instructions) and change the login ID (usually this is ADMIN) and the password (usually this is some form of “password” or the company’s name). While you are doing this, there should be a button to install the latest version of the router firmware. The latest version protects the device against known exploits.
While you are redoing your router settings, also change the default Wi-Fi password. In many cases, this is a 16-character password of numbers and letters. If you want to make the password harder to guess, insert uppercase and lowercase letters and some special characters.
Operating System Features
Now that you have secured your connection to the Internet and wireless LAN, let’s look at some operating system features to make your environment more secure. Again, you don’t have to know much about your operating system to do the following.
Operating System and Browser Security
- Keep your operating systems up to date. All operating systems have vulnerabilities. Even Mac operating systems can be compromised. Turn on “auto-update,” and you won’t have to remember to do this.
- Keep your browser up to date. Fortunately, the big three (Edge/IE, Chrome, Safari) make this easy. Simply type the name of your browser of choice into the search line, and usually the latest version for download is the first result.
- Disable TLS 1.0 and enable TLS 1.2 in your browser. This is required if you do any financial transaction over the internet – PayPal, credit cards, etc. Transport Layer Security (TLS) makes it possible for you to communicate securely over the Internet. TLS 1.0 was the default for many years, but it is simply vulnerable to exploits now. It is not sufficient to enable TLS 1.2; you must also disable TLS 1.0.
- Install an anti-virus program. There are many available, so research to find the one best suited for your system. Many anti-virus programs also perform system health checks. They also adjust your firewall settings to minimize the active ports and services that can be used to exploit your information.
- Install PC tracking software. This software helps locate your mobile device if it is lost or stolen. The software sends out a message to you via e-mail, Skype, Facebook, etc. Programs range from simple – providing a GPS location of the most recent use of the device – to having the ability to lock the device and to take and forward a picture of the thief if the device has a camera. This article provides details about how to recover a lost or stolen laptop.
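The TLS point above is easy to get backwards, so here is an added example (not from the original article) that models why enabling TLS 1.2 alone is not enough: version negotiation picks the highest version both sides accept, so a client that still allows TLS 1.0 will happily use it with a server that offers nothing newer. The second part builds a Python client context with TLS 1.0 and 1.1 switched off; the treatment of unset min/max bounds as the full TLS 1.0 to 1.3 range is an assumption made for the illustration.

```python
import ssl

# TLS versions in order, using the ssl module's own IntEnum (TLSv1 is TLS 1.0).
TLS10 = ssl.TLSVersion.TLSv1
TLS11 = ssl.TLSVersion.TLSv1_1
TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3
ORDER = [TLS10, TLS11, TLS12, TLS13]


def negotiate(client_offers, server_offers):
    """Simplified model of TLS version negotiation.

    Returns the highest version both sides accept, or None when the
    handshake would fail because there is no common version. A client
    that merely *adds* TLS 1.2 still negotiates 1.0 against a 1.0-only
    server; only removing 1.0 from its offer prevents that.
    """
    common = set(client_offers) & set(server_offers)
    if not common:
        return None
    return max(common, key=ORDER.index)


def versions_enabled(ctx):
    """Derive the versions an SSLContext will offer from its bounds.

    Unset bounds (MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED) really depend on
    the OpenSSL build; here they are assumed to mean the full 1.0..1.3 range.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = TLS10
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = TLS13
    return {v for v in ORDER if lo <= v <= hi}


def hardened_client_context():
    """Client context that verifies certificates and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()      # cert + hostname verification on
    ctx.minimum_version = TLS12             # this is what "disable TLS 1.0" means
    return ctx


if __name__ == "__main__":
    legacy_server = {TLS10}
    print("permissive client vs legacy server:", negotiate(set(ORDER), legacy_server))
    print("hardened client vs legacy server:", negotiate(versions_enabled(hardened_client_context()), legacy_server))
```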
Now that you have taken some steps to make your systems more secure, let’s discuss your computing habits. You are your own CEO, so ultimately you have the responsibility to be as safe as possible when you are online – at home, and on the go. The following are called OPSEC (operational security) controls.
Back Up Sensitive Information
- If you have a laptop that you use outside the house, keep your most sensitive information on a USB auto-encrypt flash drive, and always carry the flash drive on you when you are outside the home or office.
- Back up, back up, back up. It is annoying if your laptop or phone is stolen or is subject to ransomware – but if you kept your most sensitive data on the flash drive and backed up other information to the cloud, then at least you can continue with your business. Some anti-virus software provides auto-backup capability. There are multiple applications that allow you to select a frequency for backups or that will automatically back up files after you click “save.” Software that performs this function can be obtained for a monthly fee of under $10 or, if you only want to back up documents, Google Drive provides 15 GB of storage for free.
Hide Sensitive Information
- Install a privacy screen on your device. This will prevent other people from observing what is on your screen. If you have a touch screen, be sure to purchase a touch-sensitive privacy screen.
- Do not use free public Wi-Fi ever with any device, unless you are also using a Virtual Private Network (VPN). There is still a small vulnerability window between when you log onto the Wi-Fi and the start of your VPN session, whereby the configuration of your system may be exposed. However, this exposure is pretty minimal.
- Finally: Be aware of your surroundings. Don’t use your laptop on a subway. A subway makes a stop every few minutes. It is too easy for a criminal to simply grab your laptop and quickly exit the train before you have a chance to leave your seat. Don’t carry your laptop in a hand briefcase. Again, it is too easy to steal. Use a shoulder strap with the briefcase or a backpack. Be aware of people moving in and out of the environment where you are working. If anyone makes you uncomfortable, simply close down your session and leave the area.
Steps for Awareness and Training
- Router: Change login ID and password. Install the latest version of firmware.
- Wi-Fi: Change default password.
- Update OS: Enable auto-update.
- Install an anti-virus program.
- Install PC tracking software.
- Keep your browser up to date.
- Disable TLS 1.0 and enable TLS 1.2 in your browser.
- Store sensitive information on a USB auto-encrypt flash drive.
- Install a privacy screen on your device.
- Do not use free public Wi-Fi, unless you are also using a VPN.
- Back up sensitive data on a flash drive and other information to the cloud.
- Be aware of your surroundings.