This post is the tenth and final in a series of what I consider the top ten topics for any security awareness program.  Selecting the right topics with greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start.  For the tenth topic we finish your program with Hacked, specifically how end users can figure out if they have been compromised, and what to do if they have.  More and more I see the security community changing focus from just prevention to one also of identifying and responding to incidents.  The faster you respond to a successful attack, the greater you can mitigate the damage.  Why not turn end users into part of your own sensor network? In fact, SANS has already done this for network administrators with their new SEC 464 course.  These are some of the key points I have found most helpful. 1. First, set expectations.  End users may be scared to report an incident, the last thing anyone wants to admit is they have been hacked.  Be sure your employees understand that bad guys are very persistent and very good, sooner or later it can happen to all of us.  Make sure they understand there will be no retribution, in fact by reporting they are helping both the organization and themselves. 2. Second, tell them what to look for, what are indications of a compromise that a end user can detect?  Some ideas include
  • Their browser is taking them to websites they do not want to go to.
  • Their anti-virus reports an infected file.
  • There are suspicious or un-authorized accounts added to the system.
  • There are suspicious or un-authorized programs added to the system.
  • Passwords no longer work or they are locked out of their account.
3. Finally, be sure to tell them how to report it, such as a website or email address.  One thing I recommend is have this contact information on every communication you send out on awareness, such as on  every email, newsletter, poster, screensaver, video, or presentation.  You want to make your contact information as consistent and simple as possible.  Be sure the contact information is not a person's name but an alias.  You do not want changing the contact information every six months. What are some of the most effective ways you have seen using end users as part of you detection mechanisms?  How can we get end users to report incidents?
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.