August 31, 2016

Awareness and Training (PR.AT)

Objectives of Awareness and Training

The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained

  • RULE : Do not click on hyperlinks and attachments in emails unless you explicitly provoked the email to arrive, such as a verification email from a website that you were just on. Even if it’s from someone you trust, they may have been compromised. If you need the link or attachment, use VirusTotal to check the link or file for you.
  • RULE : Do not give your username and password away to anyone. Especially if someone calls you claiming to be from the Help Desk, Tech Support, or anything like that. If they are the actual administrators, then they don’t need your username and password; they already have the authority to administer your account.
  • RULE : Find and use an easy online backup solution such as Carbonite.
  • RULE : Stay up to date on the latest patches. Vulnerabilities are discovered every day. Attackers move quickly to exploit them before end users apply the patch.
  • RULE : Do not use the same password on multiple sites. Use LastPass to generate and manage your passwords. This keeps your Facebook account from being compromised and your user credentials being used on your bank’s website and your money stolen.
  • RULE : Don’t use Internet Explorer; get Chrome or Firefox.
  • RULE : Add the uBlock Origin browser extension to help stop XSS attacks.
  • RULE : Add the Adblock Plus browser extension to stop malicious adware.
  • RULE : If someone can gather the answers to your secret security questions from social media, then they aren’t secret; use fake answers that ONLY YOU KNOW. Mother’s maiden name, first pet’s name, high school, etc. can all be found on Facebook. Make up fake answers for each site and put them into LastPass as Secure Notes alongside the username and password to keep track of it all.
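The two rules above about unique passwords and made-up security answers both come down to the same practice: never reuse a secret across sites, and let a generator (not your memory) produce each one. The script below is an added example, not code from the original post or from LastPass; it audits a constructed password-manager export for passwords shared between sites, proposes a fresh random password for each affected site, and generates passphrase-style fake answers for security questions. The vault entries and the wordlist are constructed sample data, and the function names are this example’s own.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample export from a password manager: (site, username, password).
# The reused, guessable password is deliberate so the audit has something to flag.
SAMPLE_VAULT = [
    ("facebook.example", "alice", "Summer2016!"),
    ("bank.example", "alice", "Summer2016!"),
    ("mail.example", "alice", "Summer2016!"),
    ("shop.example", "alice", "x9#Lq2!vTb7&Rk4@Wm1z"),
]

# Constructed wordlist for passphrase-style secret-question answers; a real
# deployment would use a much larger list or the password manager's own generator.
WORDLIST = ["copper", "violin", "harbor", "meadow", "lantern", "quartz",
            "falcon", "timber", "saddle", "ember", "glacier", "pepper"]


def find_reused_passwords(entries):
    """Map each password that appears on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for site, _username, password in entries:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def random_password(length=20):
    """Generate a password from the OS CSPRNG via `secrets`, never from random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fake_security_answers(questions, words=3):
    """Return one random passphrase-style answer per question, e.g. 'copper-violin-harbor'.

    The answer has no connection to the real fact, so nothing scraped from social
    media matches it; it is meant to be stored in the password manager next to the login."""
    return {q: "-".join(secrets.choice(WORDLIST) for _ in range(words)) for q in questions}


def remediation_plan(entries):
    """For every site that shares a password with another site, propose a fresh unique one."""
    plan = {}
    for sites in find_reused_passwords(entries).values():
        for site in sites:
            plan[site] = random_password()
    return plan


if __name__ == "__main__":
    # Report counts and sites only; the reused secret itself is never printed.
    for sites in find_reused_passwords(SAMPLE_VAULT).values():
        print(f"one password is reused on {len(sites)} sites: {', '.join(sites)}")
    plan = remediation_plan(SAMPLE_VAULT)
    print("sites needing a new unique password:", sorted(plan))
    print(fake_security_answers(["Mother's maiden name", "First pet's name"]))
```

The audit keys on the password value rather than on any per-site hash because the point of the check is exactly that identical secrets on two sites are one compromise away from both being lost; the replacement values come from `secrets`, which draws from the operating system’s cryptographic random source.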

PR.AT-2: Privileged users understand roles & responsibilities

  • RULE :

PR.AT-3: Third-party stakeholders understand roles & responsibilities

  • RULE : Third-party stakeholders are suppliers, customers, and partners.

PR.AT-4: Senior executives understand roles & responsibilities

  • RULE :

PR.AT-5: Physical and information security personnel understand roles & responsibilities

  • RULE :