|
8 SecurityPractices to Use in Your Employee Training and Awareness Program 员工培训以及意识提高方案中常用的8个安全措施 This might be hard to believe, but it is true: 59% of data breaches arehappening not because of some smart hacker who wants to do harm to yourcompany; those breaches are happening because of your own employees. 据统计,有59%的数据泄露并不是因为一些厉害的黑客想要破坏你的公司,而是那些公司员工的某些行为导致了这个后果,这个事实可能令人难以接受,但事实就是这样。 As I’ve argued in my article How a change inthinking can stop 59% of security incidents, in order tostop these incidents, you have to focus on two things (other than investing innew technology): set your internal processes and procedures correctly, andtrain your employees and make them aware of the security threats. 正如我在文章《如何通过在意识上的转变阻止59%的安全事件发生》中所述,为了阻止这些事件的发生,你需要重点关注如下两个方面(而不是购买新技术来替代):正确地构建内部流程和程序,并通过培训,提升员工的安全意识。 In this article I’ll focus on the second issue: which topics to include inyour security training and awareness program. The suggestions below areapplicable regardless of whether your employees are using smart phones orcomputers, of if they’re using their own devices or company equipment.  信安.png (33.55 KB, 下载次数: 15)
下载附件 [url=]保存到相册[/url]
2016-2-24 12:37 上传
下文将会把重点放到第二个问题上:员工安全意识和培训程序中包括哪些主题。无论使用智能手机或电脑,亦或使用自己或公司的设备,下文的建议都适用。 1) Authentication 1)认证 Of course, your employees must use complex passwords, and must never tellthese passwords to anyone. 当然,员工必须用复杂的密码,并且绝对不能把密码告诉其他人。 This is because if their computer, laptop, smart phone, or any otherdevice gets stolen, not only will the thief control all the data on this device– he will also be able to penetrate your company network and create havoc withyour company data. 这是因为,如果他们的计算机,手提电脑,智能手机,或者其他设备被盗,盗窃者不仅可以控制设备上的所有数据,他们也能黑入公司网络,对公司的数据带来极大的风险。 The best practice is to use specialsoftware called password managers, because with such software youremployees will need to remember only one complex password, while the passwordmanager will remember all the others. And the good thing is that one and thesame password manager can be used for all the employee’s devices. 密码管理的最佳实践是用一种叫做密码管理者的软件,这种软件仅仅需要员工记住一个复杂的密码,同时密码管理者会记住其他的密码,它的优点是同一个密码管理软件可以用于员工的所有设备。 Further, for most important services like email and file sharing, youremployees should use even more advanced techniques like 2-factor authentication– such techniques are available for free these days from most of the cloudproviders, and provide a higher level of security even if the passwords getcompromised. These 2-factor authentication systems can work together with aphone (by sending a text message to a legitimate user) or with special USB keys– without them, access to the account would not be allowed. 而且对于最重要的服务像邮件和文件共享,员工应该使用更高高级的技术,比如:双重验证(双因子验证)-现在大多数的云服务提供商已经免费提供这样的服务了,即使密码遭到破坏,它们也能提供一种更高级别的安全防护。双重验证系统需要使用手机(给合法的用户发送一条短信)或者SB密钥协同工作,如果没有它们,则不允许账号访问。 2) Networkconnection 2)网络连接
Unfortunately, wireless connections have proved to be very unsafe. Forexample, your employees should avoid Bluetooth whenever possible, because ithas proved to be the easiest to break. 不幸的是无线网络连接已被证实是非常危险的。比如员工在任何时候都应该避免使用蓝牙,使用蓝牙通讯是最容易被截获的。 Public Wi-Fi networks are often not much better – hackers set up suchnetworks in public places, claiming to be legitimate providers, with thepurpose of gaining access to users’ Internet traffic. In this way, they canaccess all the passwords and other sensitive information. Therefore, one shouldbe very careful which network to connect to. 公共无线网络也是很危险的,黑客会在公共场所设置无线网络,伪装成合法的网络提供者,他们的目的是截获用户的通讯信息。用这种方法,它们可以得到所有的密码和其他敏感信息。因此,我们必须仔细识别所要连入的无线网络。 If the home or office Wi-Fi network is used improperly, it can also be thecause of a security breach – again, the passwords at the router must be complexenough, and WPA2 encryption should be set. 如果家里或者办公室的无线网络使用不当,它也可能造成安全问题,再一次强调,路由器的密码必须足够复杂,并且设置成WPA2的加密方式。 The connection to the Internet through the mobile telecom provider (i.e.,3G or 4G) is considered to be the most secure wireless connection, but it isvery often the most expensive. Of course, using a fixed line is more securethan any wireless connection. 通过移动通信供应商(例如3G,4G)连入网络被认为是最安全的无线连接方式,但它成本也是最高的。当然用固网比任何无线都更加安全。 There is one method that makes the communication much more secure at a relativelylow cost: using the VPN service. This is a method where all the data that istransmitted is encrypted before it leaves the computer, so this is probably thebest way to keep it safe. 有一个方式可以让通信的成本相对比较低同时更安全,即使用vpn技术使用这种方式,所有数据在被传输之前都是加密的,所以这可能是保护数据安全的最好方法。 3) Access to thedevice 3) 登陆设备 Your employees should never provide access to their device to anyone else;OK, in some cases they will want to allow their spouses or children to accesstheir computer for, e.g., playing games or shopping. But, in such cases, theyshould open a separate account on their operating system to allow this personto access the computer; such account may not have administrator privilegesbecause then they will be enabled to (unintentionally) install malware. 员工绝对不能让其他人使用他们自己的设备;在一些案例中,他们可能会让自己的配偶或者孩子使用他们的计算机,比如玩游戏或者网购,在这种情况下,他们应该设置单独的账号以供他人使用计算机,并且不要授予管理员权限,这样他们就无法(无意中 )安装恶意软件。 Allowing someone to access the same account on a computer is a hugesecurity risk – this person doesn’t have to do anything malicious – it isenough that they delete a couple of your files by mistake, or run some programthat is not to be touched. 一种非常大的安全风险是让他人使用相同的账号登录计算机上,即使他们没有恶意,不小心删除一些文件,或者执行一些不该执行的程序,就会造成严重的后果。 4) Physicalsecurity 4) 物理安全 Mobile devices, including laptops and smart phones, are the ones that arevery often the target of thieves – not only because they want to resell thedevice, but also because they know the data on those devices can be far morevaluable. 移动设备,包括笔记本和智能手机,会经常成为窃贼的目标-他们不仅是想要卖掉这些设备,而且他们知道里边的数据会更有价值。 So, here are a couple of tips on how to protect a mobile device: · Mobile devices should never be left in acar. · They should be never left unattended inpublic places like conferences, airports, restrooms, public transport, etc. · The devices should be kept with the userthe whole time, or stored in a facility with no public access – e.g., a room oran office that is locked when no one is present. · 下面是一些如何保护移动设备的提示: · 移动设备不要落在车上。 · 移动设备应该不要落在无人值守的公共场所如会议室、 机场、 厕所、 公共交通工具等。 · 移动设备应该一直带在身边,或者保存到其他人不能接触的地方-比如:房间或者办公室在无人时应该上锁。 5) Data encryption 5) 数据加密 No matter how careful your employees are, a laptop or a smart phone canstill get stolen. This is why you should ask them to protect all of their data(or at least the most sensitive) with encryption. This is still not easy withsmart phones, but this feature is included in most computer operating systems –it just needs to be turned on. 不管如何小心,员工的笔记本或者智能手机仍可能被偷。这就是为什么让他们加密数据(或者至少是最敏感的数据)的原因。加密对于智能手机来说可能不是那么容易,但是在大多数电脑操作系统里都已经包括这个提醒—只需要打开设置就可以。 Since most of the data is now transferred or archived through the cloud,encrypting such data also makes sense. Most cloud providers claim they doencrypt the data in their systems; however, it might be better to encrypt thedata before it reaches the cloud – you never know how much the cloud providercan be trusted. 由于目前大部分数据的传输和归档都是通过云服务,加密这些数据也是情理之中。大多数云服务供应商声称在他们的系统中会对数据做加密;但是数据最好在到达云端前对它进行加密—因为你永远不知道云服务提供商的可信程度。 6) Backup 6) 备份 If data is lost, and everything else fails, backup is usually the lastresort – in many cases, backup has saved not only days, but also months oryears of someone’s work. 如果数据丢失了,没有其它的解决方案,备份通常是最后的手段—在很多情况下,备份不仅仅是挽救一个人数天,而且是数月或者数年的工作。 So, make sure your employees have the right backup system in place (veryoften a simple cloud service will do), but also that the backup is updatedregularly. One word of caution: having a backup system means that data isstored at least in two places – e.g., on a computer, and in the cloud. Thismeans that keeping the data only in the cloud doesn’t constitute a real backup. 因此,确保你的员工已经有了合适的备份系统(往往一个简单的云服务就行),而且备份也是被定期更新的。切记:备份系统意味着数据至少存储在两个地方—例如,在电脑上和云端,这意味着仅仅把数据传到云端并不是真正的备份。 7) Softwareinstallation and patching 7) 软件安装和打补丁 First of all, you should provide a list of allowed software to youremployees, and allow the installation of only that software onto the devicesthat are used for business purposes. Very often, there are some games orutility software that are offered as free downloads on the Internet, only to bediscovered later that they were used by hackers to inject viruses onto your employees’computers with the purpose of extracting information. 首先,你应该为你的员工提供允许安装的软件列表,并且只允许将该软件安装在用于商业目的的设备上。很多时候,在互联网上提供一些免费的游戏和工具软件的下载,到后来才发现这些软件被黑客注入了病毒用来获取员工电脑中的信息。 Unfortunately, the approved software will also have securityvulnerabilities, allowing malware to be installed on the device – this is whyit is crucial to install all the security patches as soon as they arepublished. The best would be to ask your employees to set the updates to beinstalled automatically. 不幸的是,已批准安装的软件也会有安全漏洞,即允许恶意软件安装在设备上—这就是为什么尽早安装所有发布的安全补丁非常重要的原因。最好的办法是让你的员工将软件设置成自动更新。ITSM 8) Basic security“hygiene” 8) 基本的安全“保健” There are some security practices that should be considered as normal, forinstance: · Your employees should install anti-virussoftware, and enable its automatic updating. · The firewall on the computer should beturned on, and the traffic that is allowed should be chosen very carefully –only the applications that are trusted should be allowed to communicate withthe Internet. · Links in emails should be clicked very carefully– some links might take your employees to infected websites, and it is enoughfor a visitor to spend a fraction of a second on such a website for a virus topenetrate the computer. · Similarly, surfing the Internet onsuspicious websites should be avoided – as explained, some of the websites aredeveloped with the sole purpose of spreading malware. · Transferring data with USB flash drivesshould be avoided – they are the easiest way to infect a computer with a virus,because it is very difficult to stop such a malicious program once the deviceis physically connected to the computer. 这里有一些常用的安全实践,例如: · 你的员工应该安装杀毒软件,并开启了自动更新。 · 计算机上的防火墙应该是打开的,而且允许通过的流量应该非常小心—仅受信任的应用程序才被允许同互联网通讯。 · 电子邮件中的链接,在点击时也应当非常小心—有些链接可能会让你的员工访问被感染的网站,在访问者停留在网站的几分之一秒的时间内足够让病毒去渗透他们的计算机。 · 同样地,在访问互联网时应该避开可疑的网站—如上文所解释的,一些网站存在的唯一目的就是传播恶意软件。 · 应该避免使用USB闪存驱动器来传输数据—这是让计算机感染病毒最简单的方法,因为一旦这些设备连接到计算机,就很难去阻止恶意软件运行。 Invest wisely in your security 在安全方面的投资产生效益 Of course, eachcompany will have to adapt its training & awareness programs according toits own needs, so you should not take these 8 items as a definitive list. Thebest would be to use a framework like ISO 27001, the leading information security standard, to provide you detailedguidance on how to perform security training & awareness. See also: How to performtraining & awareness for ISO 27001 and ISO 22301. 当然,每个公司必须根据自己的需要来调整它的意识和培训程序,所以你不应该将这八大措施作为最终列表。最好的方法是使用一个框架体系如ISO27001,ISO27001是领先的信息安全标准,可以详细指导如何去实施安全意识和培训。参考:如何为ISO27001和 ISO22301实施意识和培训。 No matter how you train your employees and how you make them aware ofsecurity, remember the most important thing: simply purchasing the newtechnology won’t increase your level of security; you also have to teach yourpeople how to use that technology properly, and explain to them why this isneeded in the first place. Otherwise, this technology will only become whatbusiness owners fear the most: a wasted investment. 不管你如何培训你的员工,让他们意识到安全的重要,记住最重要的事情:只购买新技术不会增加你的安全等级;你必须教会员工如何正确地使用这项技术,并且向他们解释为什么需要它们。否则这项技术只会让老板最担心的事情变成现实:一项没有产生效益的投资。 *作者:Dejan Kosutic *译者:Bill,Terry 审稿:小九 * 文章有修改,转载请注明来自信息安全管理先锋论坛(www.iso27001cn.com)
| 
转播
分享
淘帖
()
