The top five questions asked at security education and awareness presentations

Online security can be frustrating and confusing for end users, and that confusion leads to more successful cyber-attacks. Attackers keep pace with advances in online technology, and things go wrong when the end user is confused: attackers prey on that confusion and add fear to it. Many cyber security problems can be avoided by demystifying the threats, methods and motives, and by providing simple advice for staying safe online. That is where security education and awareness presentations come in.

The team at Asterisk deliver many education and awareness presentations to clients covering information security policy and demystifying online threats. These presentations also educate users on security controls (both technical and non-technical) that they can apply easily at home and in the office.

From C-level executives to IT Managers, support desk, workshop and administrative staff, everyone has a question to ask. Here are the top five questions we are regularly asked at security education and awareness presentations:

Q: “How do I make my passwords secure?”

A: We recommend using passphrases instead of passwords. A passphrase is a group of words strung together, such as “Sunny Commodore Apple Polyester”, that is easy for you to memorise but hard for attackers to crack. The trick is to make sure the words are genuinely random. Anything that would be obvious to people you know or who follow your public social media accounts, such as your favourite sports, animals or TV shows, should be avoided, and so should well-known phrases, song lyrics and quotes, because cracking tools try those first.
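What “random” and “hard to crack” mean in the passphrase advice above can be put in numbers. The Python below is an added example, not part of the Asterisk post: it picks words with the operating system’s cryptographic random number generator and works out how much guessing an attacker who knows the wordlist still has to do. The 16-word list is constructed so the example runs offline and is far too small for real use; the 7,776-word figure is the size of the EFF long wordlist, and the guess rate of ten billion per second is an assumed offline cracking speed, not a measurement.

```python
import math
import secrets

# Constructed 16-word sample list so the example runs offline. Real generators use a
# much larger list (the EFF long wordlist has 7,776 words); the functions below take
# the list size as a parameter, so the figures scale with whatever list you supply.
SAMPLE_WORDLIST = [
    "sunny", "commodore", "apple", "polyester", "granite", "lantern",
    "velvet", "orbit", "cactus", "harbour", "pixel", "walnut",
    "thunder", "meadow", "copper", "saffron",
]
EFF_LONG_LIST_SIZE = 7776  # 6^5 entries: one word per roll of five dice


def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST, sep=" "):
    """Pick words uniformly at random with the OS CSPRNG.

    secrets.choice is used rather than random.choice: the random module is a
    predictable PRNG and is not suitable for anything an attacker may try to guess.
    """
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n random words, assuming the attacker knows the list and the count."""
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a truly random character password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of words from the list that reaches the entropy target."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Average time to guess the secret: half the keyspace divided by the guess rate."""
    return 2 ** entropy_bits / 2 / guesses_per_second


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("sample passphrase (from the tiny demo list):", phrase)
    four_words = passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE)
    eight_chars = password_entropy_bits(8, 62)  # random upper/lower/digit password
    print(f"4 words from a 7,776-word list: {four_words:.1f} bits")
    print(f"8 random alphanumeric characters: {eight_chars:.1f} bits")
    print("words needed for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
    # Assumed offline rate of 10 billion guesses/second against a fast unsalted hash
    days = expected_crack_seconds(four_words, 1e10) / 86400
    print(f"4 words at 1e10 guesses/s: about {days:.1f} days on average")
```

Two things the numbers show that the prose alone does not: four words from a 7,776-word list (about 51.7 bits) already beats eight truly random alphanumeric characters (about 47.6 bits), yet against a fast unsalted hash that is only a couple of days of offline guessing, which is why seven words are needed to clear 80 bits. The entropy figures only hold if the words were chosen by a CSPRNG rather than by a person; words you pick yourself are much more guessable than the arithmetic suggests.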

Where you can, we also recommend turning on multi-factor authentication, so your account performs a second check (or factor) before letting you in. The most common second factor offered by personal services is a code sent by SMS to your mobile phone. This means that even if your password is guessed or cracked, the attacker cannot get into your account without the second factor, your phone. SMS is the weakest of the common options, because an attacker who convinces your carrier to move your number to a new SIM receives the codes instead of you, so where a service offers an authenticator app or a hardware security key, prefer that over SMS.

If you would like to read more about passwords, we recommend the NIST Digital Identity Guidelines (SP 800-63B), which cover password length, blocklists of known-bad passwords and why forced periodic changes are no longer recommended.

Q: “Are password managers safe to store all my passwords?”

A: Generally yes, password managers are a safe place to store your passwords, as long as you choose a good one! There are a number of free and subscription-based password managers on the market, so we recommend reading reviews before deciding which one to use. Some products sync your passwords across all your devices so you have access on your desktop, laptop or phone, and most include a password generator that will create strong, unique passwords for you. Remember, your password manager is only as secure as your master password and the devices you unlock it on: everything in the vault is protected by a key derived from that one passphrase. We suggest you always enable multi-factor authentication on the manager and use a strong passphrase rather than a password to unlock it.

Q: “Are banking apps on my phone safe to use?”

A: Yes, if they are installed from the genuine app store (Apple App Store, Google Play Store, etc.) and the bank is a major player in the Australian market. Always use trusted apps and never install an app from a website or email link, and never sideload a banking app from an APK file someone sends you. The bank should be listed as the app publisher or seller. If you have any suspicions about the authenticity of a mobile banking app, contact your bank for verification.

Also, remember not to store any of your banking passwords or other information that could be used to access your bank accounts on your device.

Q: “Is it safe to use Public or “Free-Wifi” when available?”

A: Connecting to public free Wi-Fi comes with several risks. Public Wi-Fi networks are generally not encrypted, which means anyone nearby with basic monitoring tools can see any unencrypted traffic passing between your device and the access point, and an attacker can also set up a look-alike access point with the same name (an “evil twin”) so that your device connects through them. Websites that use HTTPS (the padlock in the browser) protect the content of the pages you visit even on an open network, but not every site or app does, and the names of the sites you visit are still visible. In our opinion, the safest option is not to use these networks at all, but if you do need to connect, use a trusted virtual private network (VPN) to encrypt everything leaving your device, and never log in to online banking or websites that store your credit card information.

It’s also good practice to turn off Wi-Fi or Bluetooth connections when not in use, which is also great for your battery life!

Q: “Can I use the same strong password on many sites?”

A: Reusing the same password across different accounts is never a good idea. If one site is breached or someone gets hold of that password, they can use it to access your other accounts; attackers automate this by replaying leaked username and password pairs against hundreds of other services, a technique known as credential stuffing. You should always use unique passwords for your work and personal accounts and be extra careful with sensitive accounts like online banking or accounts holding a lot of personal information like MyGov. If you think your password may have been compromised or you notice anything suspicious, change your password immediately and report it where appropriate. Password managers can assist with keeping track of different passwords and generating strong passwords that are less likely to be guessed or cracked.
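The advice above is to change a password you think has been compromised; the check a practitioner pairs with that is a lookup against a corpus of passwords seen in breaches, done so that the password itself is never sent anywhere. The Python below is an added example, not part of the Asterisk post, of the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the SHA-1 hash leave the device, the service returns every hash suffix it knows for that prefix, and the match is made locally. The range response here is constructed so the example runs offline (the network call is replaced by a dictionary lookup), and its counts are made up; only the SHA-1 of the string “password” is genuine.

```python
import hashlib

# Real service this mirrors: Have I Been Pwned's Pwned Passwords range API,
# GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
# The example is offline: CONSTRUCTED_RANGE_RESPONSES stands in for the HTTP call.
# Its hash suffixes and counts are made up for the demonstration, except that the
# first entry is the genuine SHA-1 suffix of the string "password".
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",
        "0F1A2B3C4D5E6F708192A3B4C5D6E7F8091:7",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict, ignoring blank or malformed lines."""
    matches = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.isdigit():
            matches[suffix.upper()] = int(count)
    return matches


def offline_fetch_range(prefix):
    """Stand-in for the network request; returns an empty body for unknown prefixes."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def breach_count(password, fetch_range=offline_fetch_range):
    """How many times the password appears in the breach corpus, 0 if it is not there.

    Only the 5-character prefix is passed to fetch_range; the password and the full
    hash stay local, so the service cannot tell which password was checked.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Sunny Commodore Apple Polyester"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

To run it against the real service, replace offline_fetch_range with a function that fetches the URL in the comment and returns the response body; everything else, including the rule that nothing but the prefix leaves the device, stays the same. A non-zero count means the password is in attackers’ wordlists and will be tried in credential-stuffing runs regardless of how strong it looks.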

 

Security education and awareness presentations are not just “one size fits all”. Surveys are conducted to identify gaps in staff knowledge, then training content is tailored to cover those gaps and fit the culture of the business. By undertaking training, staff can learn how to work safely online and create a culture of security – both at work and at home.

For more information about how a security education and awareness presentation can benefit your organisation, contact the team at Asterisk on 1800 651 420 or contact@asteriskinfosec.com.au

 

Our favourite infosec books

We have a clever bunch working here at Asterisk. From directors to testers, consultants, and business development managers, everyone is passionate about information security. There may be regular debates over music, coffee vs tea, and the best place for lunch in the city, but we’re all on the same page when it comes to information security.

To share our love of all things infosec, we surveyed some of the team on their favourite books. These 11 titles have educated, enlightened and entertained and come highly recommended for anyone interested in information security…

 

I loved ‘The Cuckoo’s Egg’ by Cliff Stoll. In the 80s Stoll was an admin for a university shared computing system, and investigating a minor accounting discrepancy led to him basically uncovering a spy ring working for the Russians. True story.

Mike Loss, Senior Security Consultant

 

‘Future Crimes’ by Marc Goodman is the book that sparked my initial interest in infosec and gave me the urge to explore a career in the industry. I picked it up at an airport book store (I actually thought it was a true crime book – didn’t realise it had anything to do with infosec) but was hooked from the first few pages. It made me realise that just about everything is connected, and as a result just about everyone is vulnerable. I made a decision there and then to try and learn more/get involved in the industry. Also, I encourage anyone who assumes that information security is purely about technology to give ‘Social Engineering: The Art of Human Hacking’ by Christopher Hadnagy a read. It uses a lot of real-world examples and made me question why we so often focus on information security strategies that tend to address technology and product as opposed to people and process.

Sam Moody, Business Development Manager

 

‘Firewalls and Internet Security: Repelling The Wily Hacker’ by William R. Cheswick and Steven M. Bellovin was the book that started it all. First published in 1994, it was one of the earliest (and definitely one of the greatest) books on network security. ‘The Web Application Hacker’s Handbook’ by Marcus Pinto and Dafydd Stuttard was (is) the bible for web application security testing. It’s a little dated now (published in 2011), but still very relevant and full of some great knowledge. Another favourite is ‘The Browser Hacker’s Handbook’ by Christian Frichot, Wade Alcorn and Michele Orru – because Christian is a hipster God, and we all miss him very much.

David Taylor, Principal Security Consultant

 

I read ‘The Cathedral and the Bazaar’ by Eric S. Raymond almost 20 years ago and it was an insight into the world of monopolies and how to succeed without selling code – how Netscape survived, and the differences between top-down and bottom-up approaches to development.

Daniel Marsh, Security Consultant

 

I usually get bored of “career advice” books pretty quick but I picked up ‘Women in Tech’ by Tarah Wheeler after following Tarah and some of the other contributors on Twitter. The advice in the book is stellar, but what I loved most were the personal stories from successful women in tech like Brianna Wu and Keren Elazari woven through.

Cairo Malet, Security Consultant

 

‘Gray Hat Python: Python Programming for Hackers and Reverse Engineers’ by Justin Seitz is a good way to learn both scripting/programming and practical offensive security. Some of the content is a little dated, and for the most part better tools exist to do the tasks that are covered. However, the step-by-step approach provides a great foundation for some common offensive security tools and processes.

Clinton Carpene, Security Consultant

 

The novel ‘Neuromancer’ by William Gibson tells the story of a washed-up computer hacker hired by a mysterious employer to pull off the ultimate hack. The Matrix, cyberpunk, implants – Gibson’s dystopian future is a classic. Another novel, ‘Snow Crash’ by Neal Stephenson, presents the Sumerian language as the firmware programming language for the brainstem, which is supposedly functioning as the BIOS for the human brain. Stephenson is next level Gibson and features the Matrix (Metaverse) and cyberpunk references. Stephenson can get heavy, and satiric, but again it’s a classic for the genre.

Steve Schupp, Managing Director

 

What’s your favourite infosec book?

 

Book covers image source – Booktopia

 

Notifiable Data Breach Scheme

What is it?

The Notifiable Data Breaches (NDB) scheme was introduced by an amendment to the Privacy Act 1988 and comes into effect on 22 February 2018. It obliges organisations to notify individuals when their personal information has been subject to unauthorised access, unauthorised disclosure or loss, and that breach is likely to result in serious harm to any of those individuals (an “eligible data breach”). Notification of the breach must also be provided to the Office of the Australian Information Commissioner (OAIC).

Who does it apply to?

The scheme applies to all entities that are currently subject to the Privacy Act. As a general rule, this includes Australian government agencies and businesses or not-for-profit organisations with an annual turnover of $3 million or more, plus some smaller organisations that the Act covers regardless of turnover, such as private health service providers and businesses that handle tax file numbers.

What needs to be addressed?

To ensure that applicable organisations are able to respond appropriately in the event of a breach, the following needs to be in place:

• The ability to identify and respond to security incidents in a timely manner;
• A process to assess whether a breach is likely to cause serious harm to the individuals affected (where a breach is only suspected, the Act allows at most 30 days to complete that assessment);
• A communication plan for notifying affected individuals and the OAIC;
• Notification templates that meet the minimum content requirements set out in the Act and the OAIC’s guidance;
• Remediation activities so that the incident does not recur, and so that harm to individuals is contained where possible (if remediation removes the likelihood of serious harm, the breach is no longer notifiable).

How to notify?

When an organisation has reasonable grounds to believe that an eligible data breach has occurred, it must promptly notify the individuals who are likely at risk of serious harm. If it only suspects a breach, it must first carry out a reasonable and expeditious assessment (within 30 days) to decide whether the breach is an eligible one. The Commissioner must also be notified as soon as practicable with a statement describing the data breach.

Notifications (to individuals and in the statement to the Commissioner) must include the following information:

• The identity and contact details of the organisation;
• A description of the data breach;
• The kinds of personal information concerned;
• The steps that individuals should take in response to the data breach.

How to comply?

General guidance is provided by the OAIC and can be found here: https://oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

If you need assistance with meeting your notification obligations, Asterisk can assist with implementing incident detection and response procedures and communications plans to ensure your organisation is ready to take action should a breach occur.*

* If you have not yet sought legal advice on your organisation’s exact eligibility and obligations under the Privacy Act, Asterisk recommends consulting an appropriate legal professional to ensure all legal requirements have been considered.