This Security Awareness training is provided free for use. Haekka offers a fully integrated training platform in Slack, enabling customers to meet their compliance, privacy, and security training requirements using modern, relevant content delivered 100% in Slack.

Security is Everybody's Job

The most secure data is data that is locked up and inaccessible. This is not a reality today as systems, networks, individuals, phones, home devices, and clouds are connected to one another 24/7. Additionally, data drives many technologies and services today, meaning data has to flow within and between corporate systems. This new world of interconnected systems and data as a valuable asset changes the strategy and operations of security.

Security is no longer simply the purview and challenge of the security group. Employees, in all departments of a company, are constantly being targeted by sophisticated, and highly personalized, attacks being managed and run by software systems. These attacks target weak device security, passwords, and human nature.

• There are now databases of billions of real usernames and passwords. These compromised credentials can be used by anybody with a computer willing to buy hacking tools for as low as $20.
• Phishing attacks, with real appearing links, are attempted millions of times per day.
• The average data breach costs close to $4M.

With interconnected systems and software, employees are now the largest threat vector for most companies, meaning employees are the primary target for attackers. Once attackers gain a foothold, even if it is confined to 1 system, they have methods and tools to use that foothold to gain access to systems and data. Often, breaches accounts and systems are not detected for months or even years, meaning attackers have time to gain additional access.

Every employe is a potential entry point into corporate systems for attackers. The best thing you can do is be diligent about the security of your devices and your accounts, both personal and corporate. When it doubt about security best practices or emails with links, be sure to ask questions of your security team before taking any action. It is much cheaper and easier to answer questions before a breach than marshall the resources to investigate and resolve a breach after it happens.

Security is your job. If you have questions or something feels suspicious, ask questions.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Security vs Privacy vs Compliance

The terms privacy, compliance, and security are often used and the differences between them rarely appreciated. While the terms are related, they are separate and distinct functions. For smaller companies, these functions often overlap with employees having ownership and accountability across two or even all of these domains. As organizations grow, there is more separation between the functions and entire departments dedicated to each one.

Below is a summary table of how the functions are different from each other. These are very general rules that can differ from company to company.

Comparison Table

In practicality, the functions need to work together to create a functional privacy stack, also called an information security management system (ISMS), compliance program, or privacy program.

Each of the functions builds on the others. Privacy defines the policies and procedures for the ways data should be handled and protected, security implements controls and technology to meet the policies and procedures, and compliance verifies the chain from privacy up through security does not have gaps.

• Privacy makes promises. Security implements those promises. Compliance validates promises are kept.

Ideally, these functions have boundaries to ensure separation of duties and to avoid conflicts of interest.

The following sections go into more detailed explanations of each function.

Privacy

Privacy is the first step. Once a compliance DNA, or framework, is chosen or assigned to an organization, relevant regulatory controls need to be addressed with privacy policies and procedures. Given the dynamic nature of compliance regulations in 2020, privacy policies and procedures need to be revisited and kept up to date.

Security

Once privacy policies have been written and acknowledged by all employees, it is up to security to implement them. Security often falls under IT. Security is in charge of configurations and security monitoring, with a plethora of new tools in the market and lots of noise from constant alerts.

With rapidly changing technology, especially services from cloud providers like AWS, Google, and Microsoft, keeping security configurations up to date is a constant challenge.

Compliance

Compliance is about keeping promises. It’s about building trust. It is the best representation to the market, customers and partners that you have created and executed privacy policies and procedures. Compliance is largely about proof, and the collection of that proof can be a bane on both security and privacy.

Compliance, in larger organizations, is lumped into Governance, Risk, and Compliance (GRC). GRC, both the functional area and the product category, is associated with large, enterprise companies. In smaller organizations, formal GRC groups rarely exist; in these smaller companies, the functions of governance, risk, and compliance are divided between ops, IT, legal, and HR.

In modern technology companies, even larger ones, modern tools have been adapted to accomplish the functions of GRC platforms. One notable example of this is Atlassian, which uses its own software products for GRC.

Compliance, security, and compliance are separate and distinct function that sometimes get lumped together at smaller organizations.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

The World has Changed

There's a perfect storm of changes that have driven a paradigm shift in how work gets done in 2020. These changes are only accelerating as we move into the 2020s decade. Unfortunately, this new paradigm requires new, more proactive approaches to security. Approaches that impact every single employee.

• Software, not hardware. The world has shifted from hardware to software.
• Data. Similar to the shift to software, data is not the driving force behind much of the economy. Moving hardware is not important, moving software and data is.
• The cloud. The cloud has become more than a computer in somebody else's data center. The shift to the cloud has driven an entirely new form of physical infrastructure that is deployed and managed purely with software.
• Remote work. COVID-19 has rapidly accelerated this shift. The move to remote-mandatory or remote-optional is here to stay. And working remote changes how you securely connect to company resources and colleagues.
• Sophisticated attacks. It has never been easier to attack corporate systems and data. And, both governments and large crime syndicates are throwing resources at well trained teams to try to gain unauthorized access to your company systems.

All of these changes have shifted how work gets done. And you are now at least partially responsible for being at the front line of your company's data security program.

We breakdown security tasks in three buckets, covered over the next three lessons:

1. Securing your accounts - protecting your software / SaaS accounts and your online identity.
2. Securing your computer - protecting the device you use to do work.
3. Securing your phone - protecting your mobile device, which is increasingly used for a mix of private and professional functions.

We will walk through security best practices in the next several lessons but, for now, it is important to understand that the way you work has changed and security is a part of your every day job.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Securing your Accounts

Given the massive changes in how and where work is being done, the security best practices and priorities need a refresh. One of the big challenges facing security groups is securing cloud and SaaS services. The number of services, the low cost of those services, and the ability of end users to deploy new services compounds the problem. It is not uncommon for employees to have to use 10+ or even 20+ different software applications today, software applications that are often owned and managed by different groups.

Below are best practice considerations for securing your accounts and your identify online. These apply to both personal and company software and accounts. You should review your company policies and procedures to ensure alignment with these practices.

• Identity. Securing identities across multiple SaaS services is a challenge. One easy way to help solve this is using a single sign-on soluton like Okta. This unifies identity management and is the easiest way to standardize managing identities across multiple SaaS apps.
• Passwords. Passwords in 2020 are an inherently necessaery but weak form of protecting accounts. Passwords reuse across both corporate and personal accounts is problematic due to widely available databases of breached passwords. Some new applications forego the use of passwords in place of secure, dynamic, unique links. Nevertheless, passwords are still here. Some best practice rules are to use long passwords (over 8 characters), do not use easy to guess or dictionary words, and do not reuse passwords.
• Password manager. Password managers are a good and secure way to store complex passwords across multiple services. Password managers can also generate long, strong passswords for you. Make sure that you control access to your password manager. Good examples are 1Password and LastPass.
• Multi-factor authentication (MFA). MFA requires multiple forms of verification (not just username and password) before granting access to systems. There are multiple methods to implement MFA including phone / SMS, authenticator apps, and token-based applications. Whatever the method, using MFA reduces the chance of account compromise by over 99%. Duo is a provider of MFA solutions for businesses.
• Access requests. There should be an established process to request and grant access to applications. Each application should have an owner - either a group or individual - that has to explicitly grant access to SaaS services. Each one of these access requests should be formally documented.

With identities increasingly online, attacking them has become a lot easier. And attacks can be launched at scale. Gaining access to your software accounts often leads to additional attacks.

Set strong, unique passwords and make sure you use multi-factor authentication (MFA).

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Securing your Computer

Securing your software accounts and your online identity, as we covered in the last lesson, is only the first aspect of your digital security. Your computer, whether you use your own or are issued one by your company, and whether you use it from home, in the office, or at a coffee shop, needs to be secured.

If an attackers gains access to your computer, they can use that access to escalate privileges or to access data stored on your computer. Even if you are using a virtual, shared hard drive, often files are stored locally.

Your company may install and run some form of endpoint protection on your computer. This software monitors your computer to detect threats or other forms of attacks, successful and unsuccessful. In most cases, these attacks can be remotely mitigated.

Your IT department may provide you with a pre-configured computer in which they are responsible for the following security services. In that case, you may not have permission to setup or configure any of the below security services. It's still a good idea to consider these for your personal computer.

• Firewall. A host-based firewall is a software program that runs on your computer and controls incoming and outgoing traffic. It acts as a barrier between your computer and your computers network connections. There are third-party firewalls as well as built-in firewalls for both Windows and Mac, though you need to turn them on and configure them.
• VPN. A common way to protect the security and privacy of your Internet and remote network connections is through a VPN. A VPN routes all of your Internet traffic through a remote server. VPNs essentially mask your identity from your Internet Service Provider, or public wifi provider if using public (coffee shop) wifi, and encrypt all traffic between you and your Internet destinations. VPNs have been in use for a long time for secure, point to point connections, like connecting to a data center or remote computer; but, more recently VPNs have been made available and easy to use for personal use - on both computers and phones. NordVPN and TunnelBear are two common VPN services that have apps for computers and mobile devices.
• Encrypted hard drive. If your computer is stolen, or you leave it on a plane, in an Uber, or at TSA, you want to make sure the data that is stored on the hard drive is secure. The easiest way to do this is by encrypting your hard drive. Both Windows and Mac offer easy ways to do this.
• Updates. You should download and install patches and operating system installs in a timely manner. One of the most commonly exploited vulnerabilities is unpatched operating systems. It is usually best to turn on automatic notifications of updates. You can then choose when to install them.
• Company message. Your company may have a message that is loaded on your computer to be displayed at the login screen. Or you may want to provide a simple message on your computer stating you are the owners of the device and how it is supposed to be used. This is easy to set in both Windows and Mac.
• Screen protector. This is covered in the section on remote work but, suffice it to say, preventing people from reading your screen is important, especially if you travel or work in public places like coffee shops.

Your computer is one layer of defense that needs to be secured in concert with your accounts and mobile devices.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Securing your Phone

The last third plane you need to secure is your phone. Regardless of the type of phone you have, if it is a smartphone than it is a highly powerful computer capable of real work. It is also a highly powerful tracker of your activities and access point into you private and professional digital world.

While a phone is very similar to a laptop computer, best practices for securing it are different and more extensive. In this lesson, we provide high level guidance on securing your phone with links to more detailed settings you can optionally choose to evaluate.

• Passscode protected (+ biometric). Your phone should be passcode protected, at the very least. Choose a passcode that is not hard to guess (not your birthday or 1234546). Rotate your passcode on some cadence (every 6 months is good). And, if your phone has biometric capabilities like facial recognition or fingerprint, use these for added security.
• Location services. One of the most exploited features and tracking capabilities of smartphones is location services. Apps can log locations when you login or interact. Locations are often attached to your photos and videos. As a rule, you should limit location services to apps that need them (like weather or maps), and even then only allow apps to use location services when the app is running and not at all times.
• App permissions. more generally than location services, you should pay attention to the permissions and access levels that you grant apps. While this has gotten better over the last few years, many apps still ask for the maximum permissions they think they can get.
• Use 2FA or use SMS. This is not a phone security setting per se, but your phone is a good second or third factor for authentication. You can download authenticator apps or use SMS as a second factor. Neither is perfect, from a security perspective, but both reduce the risk to your accounts and identity significantly.
• Incoming remote connections. Some smartphones offer connected to devices that are nearby. You should limit these connections, or not allow them at all. If you do allow them, you should only allow them from your known contacts.
• Personal Hotspots. Many phones, with carrier permission, can be used as personal hotspots to allow internet connections through the phone's access to cellular data. If your phone can be used a hotspot, you should default to leaving the hotspot off until you need it. And, when it is on, you should explicitly grant access to all devices.
• Ask to connect to wifi. Wifi networks are everywhere. And, as you move around with your phone, you can connect to these networks. Some networks are not secure. And some are malicious in intent and try to use the network to gain access to connected devices. At the very least, you should not connect to wifi networks by default.
• Unused apps. If you do not use an app that you have installed on your phone, you should delete it.
• Update apps and OS. Similarly to with you computer, you should update your mobile operating system and apps in a timely manner.

For more detailed guides on securing your mobile device try the following: Android and iOS.

Your phone is powerful. Protect it to protect yourself.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Phishing

Phishing is a form of attack that attempts to trick you into giving up certain sensitive information - username / password, social security number, financial info. Gaining access to credentials (username and password), account for about 3/4 of all phishing attacks. The primary account targets are SaaS (hosted software programs) accounts.

Phishing is a massively common form of attack and, due to the scale of it, accounts for 80% or more of all security incidents. This is an incredible statistic and speaks to the reason phishing is a category of threat to which all people need to be educated.

Software packages, sold and distributed on the dark web, are used by malicious groups to automate and scale these attacks. Email blasts of millions of phishing messages can be sent at once. These messages will typically have a link to a bogus website that appears to be legitimate or an attachment. Statistics show that roughly 1/4 of recipients will open a phishing email and roughly 1/10 will open a phishing attachment. These are staggering statistics given the fact that phishing campaigns often send thousands or even millions of messages. And, the recent trend is towards email targeting employees at small to medium size companies.

And phishing attacks are getting more and more targeted. As more information is available about people online through social networks or other public places, this is being combined with public information about companies to launch highly customized phishing attacks, often called spear phishing attacks.

Phishing attacks are by and large email attacks. They can take other forms, including messages through SMS and even Slack, but these are much, much less common. It is imperative that you be suspicious of emails you get, regardless of how "real" they look. Phishing attacks can look like legitimate emails from services like Netflix of Salesforce.

Some email warning signs to look for are below.

• Requests for personal info. How often do you get legitimate requests via email for personal information? Not much. Any request you get for personal info, or to reset something that requires your login information, should throw up red flags.
• Suspicious wording. If a message or even a sentence in a message does not read correctly, be highly suspicious. Phishing messages are auto-generated and information is merged into them. This often results in errors in grammar or spelling.
• Inconsistent wording and tone. As phishing messages are pieced together by software programs, the tone of sentences and subjects can be inconsistent with each other. If the tone suddenly changes or transitions seem abrupt, be suspicious of the message you are reading.
• Urgent requests. Phishing attacks play into human nature. They often attempt to scare you, put you on the defensive, and make you feel rushed. When you get this sense from a message, especially during a busy or otherwise stressful time, you may decide just to click on a link or open an attachment.
• Inconsistent email addresses. If you are suspicious of an email in any way, hover over or click on the address info to see more. Often, the email displayed name looks real but the address is not.
• Messages from senders you don't get messages from. How often does your CEO or CFO or other leaders in your organization send you emails? How often do those emails ask you to urgently take some action? Likely not frequently, or at all. This is a tell tale sign of phishing emails.
• Generic signatures. Look for messages signed by a group, like IT or Support or HR, and not an individual.

Phishing is prevalent. You will likely get phishing emails. You have likely gotten phishing emails in the past. When suspicious, to any degree, ask questions of the sender. But, do not ask by replying to the suspicious message. Ask the sender on a different channel such as phone or chat.

Be suspicious of all emails you get, especially those that request some form of action (clicking a link or opening an attachment).

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Preventing Phishing

In the last lesson, we covered what phishing is and reasons to be suspicious of certain kinds of email. This lesson is about preventing phishing attacks and what to do 1) if you are suspicious of email and 2) what to do if you think you are a victim of a phishing attack.

Phishing is the most common form of attack that you, as an employee, will see. It is worth extra time and thought to understand what to do if you suspect a phishing attack.

People sometimes assume phishing attacks are easy to detect, like the Web 1.0 Internet scams involving Nigerian princes and bank wires. Modern phishing attacks aren’t like that. They are sophisticated. Like the rest of the web, phishing attacks have incremented to Web 2.0 and 3.0 level sophistication. And the software that runs phishing attacks is only getting better.

And, even if these fake email messages contain signs of being a phishing attack, those signs can be subtle. And you might receive the phishing email at a time when you’re rushing for some reason, like at the very end of the day, or when you’re tired and not paying 100% attention. In those times, you are not vigilant about your email. Trust us, this happens a lot. And the scale of phishing attacks means you will get them in your inbox.

What do you do if you get an email and you suspect it’s a phishing attack?

First, you should have an extremely low bar of suspicion for all emails you receive. Email volume, especially within modern technology companies, is on the decline as more and more communications and workflows are integrated into tools like Slack and Microsoft Teams. Sometimes it is just a sense when you read an email and not an obvious “there’s no way this is a real email”.

Second, do not click on any links or open any attachments in the email. It’s best to not open the email at all or to close the email if you’ve already opened it.

Third, if you have any suspicion about an email you receive, you should immediately contact the sender but not by replying to the suspicious email or through email at all. If it is a phishing email, there is a chance that the sender’s account has been compromised and they do not even know it. If that is the case, replying to the email will only connect you with the attackers. Contact the sender via another channel - phone, chat, or in person.

Fourth, unless you get an immediate confirmation from the email sender that the message is legitimate, reach out to your security team. If you don’t have a security team, reach out to your manager or whoever might be in charge of email. At smaller companies, roles are often overlapping. Again, do not use email here. While it is unlikely that your entire email system has been compromised, it’s better to use another form of communication. The reason to do this is that there is a chance that others at your company got the same message and you want to proactively prevent them from being victims.

Ideally, your company has a process for dealing with suspected phishing attacks and compromised email accounts. If they don’t, and many smaller companies don’t, that’s fine. As long as the email is quarantined and investigated.

The thing to remember about phishing, and email in general, is that you should be suspicious of all emails you receive. Phishing attacks are often not obvious. And we sometimes chance upon opening them when we aren’t paying close attention.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Malware

Malware, which is a term for malicious software, is similar to phishing in that victims are overwhelmingly (92%+) targeted via email. While phishing most commonly attempts to get victims to click a link and enter sensitive information, capturing login information on bogus websites, malware typically involves getting uses to open attachments.

The most common form of attachment is a Microsoft Office attachment, or an Office Macro. Tools to create this kind of malware are incredibly cheap, costing between $5-$10, which is why this is such a common form of attack.

Clicking malware attachments installs software on your computer. When malware victims open the attachments, they don't realize they are installing software, meaning the software can continually run without the victim knowing it. Essentially, once malware is installed, users have lost control of their computers, and they don't know it.

Malware, as a catch all term for malicious software, can do several different things (or multiple of the below):

• Initiate install of additional malicious.
• Join the computer to a botnet, most often used to send spam.
• Run in the background, capturing keyboard information like usernames and passwords, and sending that information off to malicious actors.
• Lock down parts of the computer or network to create a ransomware attack where companies are forced to pay to regain access to their data.

Avoiding malware is similar, but often easier, than avoiding phishing attacks. And many email services, including Gmail and Office, detect, scan, warn, and remove malicious attachments used for malware attacks.

The take home message is to maintain a high bar of suspicion when it comes to email, verify the sender, and ask questions of senders on separate channels (not by replying to the suspicious email).

With malware, do not open attachments unless you are 100% sure of the message origin and you 100% need to open the attachment.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

Security Consideration for Remote Work

Remote work, as a trend, has been steadily gaining adoption over the last 10 years. Some notably companies, like Gitlab and Atlassian, operated remote workforces to grow very large business. But, remote work tipped with COVID-19. Initially forced because of quarantine measures, remote work is now something that many large companies like Facebook and Twitter are allowing, and some are requiring, for the long term.

Whether companies go 100% remote or go remote 100% of the time, the amount of employees working remotely is significant in 2020. Remote work changes culture, work habits, and interactions in significant ways. With those changes, there are security considerations that are specific to remote work or at least amplified because of remote work.

Below are remote considerations. Your company may have created specific guides and / or amended its acceptable use policy for remote work. Be sure to check on that.

• Public wifi. Computers are constantly connected to the Internet and to connected devices (speakers, peripherals, etc). The types of connectivity are through wifi connections and bluetooth, most commonly. While there are documented attacks using Bluetooth, this is rare. When it comes to Wifi, there are network everywhere. You should only join trusted, known networks. This can include coffee shop networks. Be wary of public networks you don't know and that have names you do not recognize.
• Passwords even more important. As remote work mandates remote access to systems and networks, password protections are even more important. Use unique, long passwords.
• Multi-factor authentication. With remote work, using multiple factors to secure you accounts and identity are even more important.
• Secure remote connectivity. VPNs are easy enough for anybody to use. This, and even secure remote desktop services, can be used to prevent eavesdropping on connections and transmitted data.
• Meetings and calls in public. Be cognizant of your location and the content of your conversations. Don't speak too loudly and openly about sensitive company or customer information and data.
• Zoom security. Or Meet or Teams security. You should use unique meeting IDs. You can use passwords for your meetings though this does add friction when people join.
• Screen protector. You should use a screen protector on your laptop if you use it in public or shared places. This will prevent others from reading what is on your screen.
• Lock screens in shared places. You should always lock your computer screen when you leave it. In shared settings, this is an imperative.
• Writing notes. When in a private setting, like at your desk in an office, you might write down sensitive information and leave it accessible, even if not in the open. In shared or public spaces, be more protective of things you write down.

Remote work is new and strange to many people in 2020. There are lots of positives and negatives to the trend.

Without the physical protections of an office and direct connectivity to company networks, personal security becomes more important to your daily work.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

What to do When Something Goes Wrong

You should have a very low bar for suspicion about digital security. And you should have a similarly low bar when it comes to reaching out to appropriate people at your company if you suspect, detect, or otherwise feel uneasy about anything related to your digital security. Waiting to ask will never benefit you or your company.

It is safe to assume that you are under attack at all times. There are many groups initiating attacks, those attacks are using software to scale, and that software is easy and cheap to acquire. The key is staying ahead of the attackers and the key to staying ahead of the attackers is to be proactive when you see or sense something that doesn't feel right.

If you suspect any of the following, even just slightly, reach out to your manager and / or IT group that is responsible for security.

• You open an attachment in email.
• You get an email that has a mismatch of sender name and email address.
• You get an email with grammatical errors asking you to click a link.
• You get an email about a personal service, like Netflix, on your business email address.
• You learn that a computer user you share a computer with, say a spouse or child, has had one of their accounts compromised.
• You lose your phone or computer.
• You learn that a public data breach impacted your username and password and you use the same password at work.
• You find a service running on your computer or phone and you don't know what it is.

Employees represent the perimeter of company defense. And they are taking on more responsibility in that defense when they work remotely.

Be suspicious and proactive about the security of all of your devices and accounts.

Slides - Available via Haekka slack plugin. Coming soon!

Comprehension - Available via Haekka slack plugin. Coming soon!

© 2020 DayZero Inc. All rights reserved.

Questions? Reach out to us - hello@haekka.com

‍