Page 38 - Cyber Warnings
the time if an employee refers to a higher power (e.g. telling the caller they need to ask their
manager or check the regulation before providing that information), a social engineer will break off
and try an easier target.


Employer processes and policies provide a baseline of knowledge for the employee. To be
effective they must be known by every user within the enterprise, through education and training,
with consequences for violating them. To ensure a team approach, the policies and processes
must also be distributed and visibly embraced by top management rather than issued as an edict
from the IT department.

Typical policies include:

1) procedures for verifying the identity of users to the IT department and of IT personnel to
users (secret PINs, callback procedures, etc.);
2) policies governing the destruction (shredding) of paperwork, disks and other storage media;
3) rules prohibiting the divulging of passwords, stating to whom passwords may be disclosed and
under what circumstances, and the procedure to follow if someone requests release of a password;
4) requirements that personnel log off or password-protect their desktop when away from the
keyboard;
5) physical security processes preventing outsiders from accessing systems for nefarious
purposes; and
6) strong password rules.

The Proactive Defense

In addition to training and definitive policies, a sense of employee ownership is imperative. If
employees take a personal stake in the welfare of their company, they will make fewer errors and
be more vigilant. Make no mistake, the technologies of penetration testing, patching, firewalls
and the like are imperative to a proactive cyber-defense, but without the active engagement of
company personnel against social engineering attacks, the biggest liability will remain.



About the Author

Daniel Jetton, MBA, MS, MA, CISSP, CAP, PMP, is the Vice President of Cyber
Services for OBXtek, Inc., an award-winning government cybersecurity service
provider delivering information technology engineering and support, program
management, software development, testing, and information security services to
the Federal Government. He is responsible for leading and defining cyber strategy
while ensuring security, defense and risk mitigation for his clients.

Mr. Jetton is a former Army Medical Chief Information Officer with over 25 years of experience
in cybersecurity, management, strategic planning and project management.

Daniel can be reached online at ([email protected]). For more information on OBXtek,
please visit their website at https://www.obxtek.com/aboutus






38 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide