In big organizations with lots of employees, not everyone has the right attitude or knowledge to use information assets in a safe way. This is not a complaint, just a fact. To educate these people, a security awareness program must be implemented to make them aware of the security risks, how to deal with them and how to react properly.
But, and that's human behavior, security awareness must also be a recurring process. As the proverb says: "Out of sight, out of mind". If you don't regularly remind people of best practices, they will tend to forget them.
Often, security awareness programs use material like posters, stickers, mouse pads and other goodies as support. While Googling for information, I came across a website with a compilation of well-known proverbs. Everyone remembers those short sentences. Why not use some classic proverbs to remind people of common security rules? Let's try! The chosen proverbs do not only address end users but also the people in charge of security.
"In the kingdom of the blind, the one-eyed man is king" – Visibility is a key aspect of information security. You have to know and understand what happens in your environment. Tools exist to process the amount of information involved, but they are often very expensive. Even if you don't have enough budget or resources to set up a top-notch security environment, try to implement a minimum of controls. Concentrate first on the most business-critical assets.
"Never put off to tomorrow what can be done today" – New vulnerabilities are discovered every day. Some may affect your assets. If that's the case, apply a countermeasure as soon as possible. If available, install the patch provided by the vendor/developer. If no patch exists (or while waiting for one), implement compensating controls like access lists and monitoring. Don't wait, do it now!
"Clothes don't make the man" – Beware of phishing and social engineering attacks. Do not disclose information before checking the identity and legitimacy of the people asking for it. Do not trust anybody.
"Never tell an enemy that your foot aches" – Protect your assets by not disclosing sensitive information in public forums or mailing lists. People often post technical questions in public places to ask for support or tips, and the details they disclose (product versions, configurations, internal names) can be very useful to an attacker. Your applications must be hardened and never run with factory settings. Do not answer polls over the phone.
"Little brooks make great rivers" – A series of small incidents may lead to a bigger security breach. All issues must be properly addressed. A small incident, like a port scan, can be the first step in the process of compromising a system. Information security can be compared to aviation: crashes are often due to a chain of small failures occurring in a particular order.
"Sow the wind and reap the whirlwind" – If you don't properly implement security controls, be prepared for the worst. Be honest and don't pretend to be "bullet-proof". Nobody is!
"Better late than never" – Some security controls may require a lot of time to implement. After a security audit, you may discover that your infrastructure has several weak points. Take the time to review and fix them, even if it takes a while.
"An ounce of prevention is worth a pound of cure" – Do not follow the "action – reaction" principle. Perform a risk analysis and eliminate (or at least reduce) the risks. It will be easier (and cheaper) to implement a security control at the beginning of a project than once the application or assets are in production.
"Practice makes perfect" or "Errare humanum est" – Should we add anything? We all learn by making mistakes!
"Two heads are better than one" – Do not be afraid to ask for help! First, share your issues internally and discuss them with your colleagues. If more help is needed, there are plenty of ways to discuss security online via forums, mailing lists or cool initiatives like infosecmentors.com. People will be glad to help you. Don't forget: there are no stupid questions! Follow security events and build your social network!
"Don't put the cart before the horse" – Your security controls must be implemented in the right order. Do not implement highly technical solutions (expensive and difficult to maintain) before applying basic security principles! Example: why deploy a WAF ("Web Application Firewall") if your website is not yet safe? Review the code and ask your developers to fix their bugs.
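To make the WAF point concrete, here is an added example (it is not code from the original post) using Python's built-in sqlite3 module. It compares three versions of the same lookup: the buggy one that concatenates user input into SQL, the same buggy code with a naive keyword blocklist bolted on in front of it (a stand-in for a WAF rule; the blocklist is hypothetical), and the lookup fixed in the code itself with a parameterized query. The table, users and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for this demonstration; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The bug: user input is concatenated straight into the SQL text."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


# Hypothetical, deliberately simplistic blocklist standing in for a WAF rule
# placed in front of the vulnerable code. Real WAFs are more elaborate, but the
# structural weakness is the same: the rule has to guess what an attack looks like.
BLOCKED_TOKENS = (" or ", " and ", " union ", "--", ";")


def filter_blocks(name):
    lowered = name.lower()
    return any(token in lowered for token in BLOCKED_TOKENS)


def lookup_filtered(conn, name):
    """The vulnerable code, unchanged, with the filter bolted on in front."""
    if filter_blocks(name):
        raise ValueError("request blocked by filter")
    return lookup_vulnerable(conn, name)


def lookup_fixed(conn, name):
    """The fix in the code: a parameterized query. The driver passes the value
    separately from the statement, so it can never alter the query structure."""
    return sorted(
        row[0]
        for row in conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    )


# Constructed payloads.
PAYLOAD = "x' OR '1'='1"            # the textbook tautology
BYPASS = "x'/**/OR/**/'1'='1"       # same logic; SQL comments replace the spaces the rule keys on
LEGIT_BUT_BLOCKED = "smith and sons"  # harmless input the blocklist rejects anyway


def demo():
    conn = make_db()
    out = {}
    out["vulnerable_injected"] = lookup_vulnerable(conn, PAYLOAD)    # leaks every secret
    out["filter_stops_textbook"] = filter_blocks(PAYLOAD)            # True
    out["filter_stops_bypass"] = filter_blocks(BYPASS)               # False
    out["filtered_injected"] = lookup_filtered(conn, BYPASS)         # still leaks every secret
    out["filter_false_positive"] = filter_blocks(LEGIT_BUT_BLOCKED)  # True: blocks a real user
    out["fixed_injected"] = lookup_fixed(conn, PAYLOAD) + lookup_fixed(conn, BYPASS)  # []
    out["fixed_normal"] = lookup_fixed(conn, "alice")                # ['alice-secret']
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter stops the textbook payload, rejects a legitimate customer name, and lets a trivially reshaped payload through to the same bug; the parameterized query handles all three inputs correctly without any rule to maintain. That is the cart and the horse: the WAF is a useful extra layer once the code is sound, not a substitute for fixing it.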
"When the cat's away, the mice will play" – Well, people are the weakest link in the security chain. As said in the introduction, awareness training must be recurrent. Keep an eye on your administrators by implementing separation of duties and least privilege.
"In too much discourse, truth is lost" – Finally, a word about communication. In case of an incident, be prepared to communicate transparently with your management, customers or partners. Do not try to hide facts. Be honest and transparent.
I'm sure there are plenty of other examples…