Let us all strive for information security along with a healthy and prosperous new year.
See you all in 2011 !!!!!!!!!!!!!!!!
Friday, December 31, 2010
Tuesday, December 21, 2010
Cost Benefit Analysis
Arguably, the most important part of your business case is being able to clearly communicate the costs and benefits of a program. Below is a suggestion for this final part of your business case.
Costs:
To fulfill the required mandate for a security awareness training program, we will need to allocate resources and purchase materials for this purpose. To ensure the program’s success on a long-term basis, we are requesting that a Security Awareness Training Manager be appointed to this program. Expenses will include this individual’s salary as well as the costs for developing and/or delivering the awareness program. Cost estimates are summarized in the table below.
Item
• Program Manager Salary
• Commercial Off-the-Shelf Online Training Program License Costs
• Customization costs for online program
• Learning Management System – rental or purchase costs and comparison if required
• Promotional materials for communicating the awareness program (i.e., posters, games, videos)
• Additional staff that might be required from time to time for delivery of program
Benefits:
Our proposed information security awareness program will realize the following benefits:
1. Make employees aware of internal security policies and procedures and communicate them more effectively.
2. Create a culture of security awareness by providing both the motivation and an understanding of the risks and threats and how to mitigate them.
3. Reduce the number of threats and potential risks and safeguard important company information.
4. Comply with federal/state regulations on security policies and practices.
5. Provide a basis from which disciplinary and/or legal action can be facilitated.
6. Reduce the risk and cost of breaches.
Tuesday, November 23, 2010
Security Awareness Program Management
An information security awareness steering committee will govern the program and will be ultimately responsible for ensuring the program’s success. Yearly, the business case will be reviewed and updates made by the committee. The committee will be responsible for appointing the manager of the program and for reviewing quarterly updates on the effectiveness of the program.
For effective delivery of the program, we propose that the security awareness program reside within the Information Security (IM) department. The manager of the program will gather information from the experts within the security department for the content and will also liaise with the legal and human resources and training departments ensuring communication to the employees is clear, accurate and complete.
Program Plan and Delivery
A cyclical, ongoing program is being proposed in this plan. We believe this method to be the most effective, both for providing a foundation for a secure organization and for keeping awareness current as best practices and threats change. A communication plan and schedule will be key to rolling out the program efficiently. Engaging and interesting marketing methods will be deployed to raise initial awareness of the training, followed by the training itself; ongoing reinforcement materials will then be prepared and delivered following each segment of the training. Constant monitoring and updating of the program will be done in parallel.
Program Measurement
Measurement is essential to the continuing improvement and management of the program. In addition, measuring provides quantifiable data that can be communicated to management to prove that the program has delivered value and to justify the investment.
Monday, November 8, 2010
Delivery Methods
The method of delivery will be dependent upon the overall goals and expectations of the program. Delivering content monthly would be ideal; more realistically, however, content will be delivered on a quarterly basis. An approach that combines communication of the upcoming training topic (via posters, videos, banners or a game) will introduce vocabulary and make the end user aware of the upcoming training topic. Ideally, roll out the communication materials 2 weeks prior to the online topic being delivered. Delivery of the content would then follow, with a time allowance of 2 weeks. A reinforcement tool such as a newsletter, interactive game, etc. would then follow 2 weeks after online topic completion, completing this training topic segment. The cyclical nature of this process allows time between topic deliveries to review online scoring and to carry out any necessary remediation before the next topic is delivered.
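The cadence above (promotion 2 weeks ahead, a 2-week delivery window, reinforcement 2 weeks after, one topic per cycle) is easy to get wrong when it is planned by hand across a year. The following script is an added example, not code from the original post; it turns that cadence into dated milestones for a list of topics and reports how many days remain for score review and remediation before the next topic opens. It also checks whether a segment fits the chosen cadence at all, which is why the post's "ideal" monthly cadence does not work with a six-week segment. The topic names, the start date and the 91-day quarter are constructed sample inputs.

```python
"""Topic-delivery calendar for a cyclical awareness programme.

Added example; not code from the original post. It turns the cadence the
post describes into dates: communication materials 2 weeks before the
online topic opens, a 2-week delivery window, a reinforcement piece 2 weeks
after the window closes, one topic per cycle. Whatever is left of the cycle
after delivery closes is the window for reviewing online scores and
remediating before the next topic opens. Topic names, the start date and
the cadence lengths are constructed sample inputs.
"""
from datetime import date, timedelta

COMMS_LEAD = timedelta(weeks=2)         # promote the topic before it opens
DELIVERY_WINDOW = timedelta(weeks=2)    # time allowed to complete the online topic
REINFORCEMENT_LAG = timedelta(weeks=2)  # newsletter/game after the window closes
SEGMENT_LENGTH = COMMS_LEAD + DELIVERY_WINDOW + REINFORCEMENT_LAG  # 6 weeks

QUARTERLY = 91  # days; the "realistic" cadence from the post (assumed length)
MONTHLY = 30    # days; the "ideal" cadence from the post (assumed length)


def fits_cadence(cadence_days: int) -> bool:
    """A segment must finish before the next topic's promotion starts."""
    return timedelta(days=cadence_days) >= SEGMENT_LENGTH


def build_schedule(topics, program_start: date, cadence_days: int = QUARTERLY):
    """Return one milestone record per topic, in delivery order."""
    if not fits_cadence(cadence_days):
        raise ValueError(
            "a %d-day segment does not fit a %d-day cadence; segments would overlap"
            % (SEGMENT_LENGTH.days, cadence_days))
    schedule = []
    for index, topic in enumerate(topics):
        comms_start = program_start + timedelta(days=index * cadence_days)
        delivery_open = comms_start + COMMS_LEAD
        delivery_close = delivery_open + DELIVERY_WINDOW
        reinforcement = delivery_close + REINFORCEMENT_LAG
        # Scores can be reviewed and remediation run from the close of this
        # topic until the next topic opens for delivery.
        next_delivery_open = comms_start + timedelta(days=cadence_days) + COMMS_LEAD
        schedule.append({
            "topic": topic,
            "comms_start": comms_start,
            "delivery_open": delivery_open,
            "delivery_close": delivery_close,
            "reinforcement": reinforcement,
            "remediation_days": (next_delivery_open - delivery_close).days,
        })
    return schedule


def format_schedule(schedule) -> str:
    """Render the milestone records as a fixed-width table."""
    lines = ["%-22s %-11s %-11s %-11s %-11s %s"
             % ("topic", "comms", "open", "close", "reinforce", "remediation")]
    for row in schedule:
        lines.append("%-22s %s %s %s %s %d days" % (
            row["topic"], row["comms_start"], row["delivery_open"],
            row["delivery_close"], row["reinforcement"], row["remediation_days"]))
    return "\n".join(lines)


if __name__ == "__main__":
    sample_topics = ["Using Passwords", "Social Engineering",
                     "Mobile Devices", "Clean Desk Policy"]
    print(format_schedule(build_schedule(sample_topics, date(2011, 1, 3))))
    print("monthly cadence fits a 6-week segment:", fits_cadence(MONTHLY))
```

With a 91-day cycle each topic leaves 77 days between the close of its delivery window and the opening of the next topic, which is the slack the post relies on for reviewing scores and remediating. Shortening the cycle below six weeks makes `build_schedule` refuse rather than silently overlap two topics' promotion and reinforcement.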
Tuesday, October 26, 2010
The Body of Knowledge
Having established the functional areas in which the training needs are focused, we now focus on the body of knowledge that must be incorporated within a suitable training course.
Information systems security training content can be organized into three major categories, namely:
• legal, regulatory, and ethical framework relevant to information systems security. This includes local, national, and international (e.g. European) pertinent legislation, national and international standards and guidelines, legal and liability issues and ethical issues and relevant codes of conduct;
• information systems security policies. These include the high-level security policy itself, as well as the means for developing it (e.g. risk analysis and management);
• information systems security controls. This includes system-specific security policies, all kinds of controls included in such policies (physical, procedural, technical, personnel), the implementation and operation of such policies, the management of security and the training and awareness activities required to support the policies.
The above contents constitute the complete body of knowledge that a training course in information systems security should cover. However, only a subset of this knowledge is necessary for managers. The association between functional areas of responsibility and training content can be comprehensively described by a matrix whose rows are training contents and whose columns are functional areas of responsibility.
Saturday, October 16, 2010
Security Awareness Program Content Database
A robust content list fed to the end user on a monthly or quarterly basis will avoid information overload and will allow flexibility in the program, so that current information security risks can be dealt with immediately. A monthly or quarterly approach also prevents the repetition and boredom that often accompany learning sessions that are not delivered in small, manageable chunks.
Topics can be arranged according to a baseline examination, which is recommended in order to understand the gaps in the existing end-user knowledge base and to work immediately on the areas the organization feels are most important. Baseline examinations can be derived from existing organization materials or resources, or purchased from a security awareness vendor, and delivered via a learning management system that either already exists within the organization or is purchased or hosted.
Suggested topics for end user awareness training:
Information Security
• Introduction to Information Security
• Information Classification
• Information Management
• Managing Sensitive Information
• Marking and Labeling
• Intellectual Properties
• Physical Security
Information Protection
• Electronic Mail Message (Email)
• Unsolicited Mail Message (SPAM)
• Confidentiality on the Web
• External Communications
• Clean Desk Policy
• Privacy
• Using Passwords
IT Security
• Main Concepts of IT Security
• Threat and Risk Management
• Internet Usage
• Mobile Devices and Removable Media
• Secure Mobile workplace - Mobile Users
Physical Security
• Access Control
• Transport and Transmittal of Sensitive Information
• Destruction of Sensitive Information or Assets
• Storage
Awareness of External Threats
• Malicious code – Myths and Reality
• Malicious code – Protection Measures
• Spyware
• Identity Theft
• Social Engineering
Communicating the Message
Delivering key messages that relate to the organization’s policies or rules tied to the monthly or quarterly learning topics will help to solidify and reinforce those policies. Any regulations, or fundamental security issues or concepts that need to be communicated should be planned along with the delivery of the online training component.
Sources of Information
Relevant materials can be found within the organization: previously taught security awareness courses, security standards, directives or policies. External sources are abundant; SANS has a great library of materials, as does Microsoft, that is free for use. Awareness communication messages can be derived from these sources and delivered via posters, newsletters, reminder stickers, games, etc. Alternatively, many security awareness vendors offer these types of resources either free or for a small fee. Where necessary, new materials may need to be created internally.
Thursday, September 30, 2010
Determining Content
In deciding what content needs to be learned in order to change end-user behaviors, you will need to identify what is important to the organization in terms of security. You should use best practice guidelines and establish a baseline of knowledge from end users to understand where the weaknesses are in their knowledge base and where to start.
Use internal security policies and guidelines as well as best practice guidelines. Establish a baseline of knowledge – look at existing security training companies who have developed baseline tests.
In determining the content to be introduced, NIST provides some good guidelines (NIST SP 800-50) including:
Recent incidents - The assessment of recent security incidents (within the last one to two years) provides insight into weaknesses in employee knowledge of processes or security principles in general.
Regulatory issues - The awareness program is a good tool for supplementing regulatory compliance training efforts.
Employee concerns - Many employees are already aware of security fundamentals. They can be a good source of information about day-to-day problems related to information asset assurance.
Management concerns - Management’s perspective is usually more operational or strategic. More emphasis is placed on investor, vendor, customer, and employee welfare overall. Management’s input helps to complete the picture illustrating internal concerns about security.
Customer concerns - With today’s rising rate of identity theft, there is a growing concern among consumers about how companies protect their information. Addressing customer concerns isn’t just good business, it’s the right thing to do.
Investor concerns – The level of investor confidence in your organization’s ability to protect sensitive information (intellectual property, financial information, PII, etc.) is directly related to your level of working capital. Be sure to view your company’s level of protection from the investor perspective.
Developing content internally can be both time-consuming and expensive. Look at online training that can provide best practice knowledge for end users, management and IT professionals. Look for courseware that can be delivered as-is, or customized to meet the needs of your organization’s unique culture.
An effective security program requires a solid awareness foundation. You need to ensure that your end users are aware of your organization’s policies and have learned how to adhere to those policies. The only way to ensure that you have an effective information security program is by implementing a solution that includes communication planning, training on the importance of security and reinforcing newly learned behaviors.
Saturday, September 18, 2010
The Project Plan
Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document. Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project.
Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success. If you haven't completed the business case yet, then it is imperative you do this first. Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, you should start by answering the following questions:
• How sensitive is the information stored, processed, and exchanged with outside entities?
• What regulatory constraints apply (e.g., HIPAA and SOX)?
• What is the company’s security strategy?
• What are the company’s security policies? How do they translate to practical, day-to-day activities?
• What are the company’s critical business processes?
• How does security affect employees’ day-to-day activities?
• How would a major security incident affect the health of the business?
Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. The communication of this message and the method of communicating it are the responsibility of the communication champion.
Although the project manager is responsible for coordinating project activities, it’s the communication champion who provides vision and works with management to gain and maintain support for security awareness.
Tuesday, August 31, 2010
Information Security for New Hires
The next several posts will deal with the establishment of an information security awareness, training and education program where nothing existed before. I will deal with project plans, policy writing, bureaucracy and the approval process, eLearning modules within a learning management system (LMS), and evaluations. While this may be quite a bit of information, it should serve as a starting point or at least a blueprint. Hopefully this will commence in the next week to 10 days.
Wednesday, August 18, 2010
Information leakage: The misunderstood security risk
Information leakage represents one of the most common, but misunderstood, security risks faced by business and government alike. Though it impacts many organizations every single day, they may not even be aware. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are deployed, along with investments in the security mission—yet, the perception of the secure perimeter may be at odds with reality. This is where awareness, training and education come into play.
One set of examples is that of some government web sites that were discovered to have sensitive information assets residing on their Internet presence. Using a tool like FOCA, attackers could download and interrogate data at their leisure. They could then dig to the next level, pulling back metadata and revealing more snippets of unintended releases of information into the public domain or the hands of criminals. Microsoft Office's Track Changes feature is yet another way to publish more than was intended to a wide and potentially unauthorized audience. Through lack of process or procedure, such comments and revisions can and do get published, resulting in possibilities of embarrassment or, worse, security exposures.
Let us not forget information that gets committed to mobile phones, PDAs, USB keys and laptops; it very soon becomes clear that, where no process or policy exists, each and every time any form of memory-retentive device is used, the potential for creating an interesting leaky footprint for future exploitation exists.
It is amazing where snippets of information may be overlooked. For example, a recent project deployment of simple printing devices demonstrated that one may never take the security eye off the ball. A security impact assessment was conducted and all was found to be in order—the only problem was that the new printer replacements were installed with internal 360GB hard drives, were accessible via IP and retained information post print—a case of data, data everywhere, but not a bit secure! See the post from Thursday, April 22, 2010 “Breach Alert: Copiers Are a Risk”.
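The process gap the post describes, documents going out with author names, revision history and comments still inside them, is one that a publishing workflow can catch before release. The script below is an added example and not code from the original post: it opens a .docx package (which is a zip of XML parts), reads the creator and last-editor names from docProps/core.xml, the company from docProps/app.xml, and counts tracked insertions, deletions and comment anchors in word/document.xml, then reports whether anything remains that should be cleaned before the file is published. The sample document, its author names and company are constructed inline; the part names and namespaces are the standard Office Open XML ones.

```python
"""Pre-publication leakage check for .docx files (Office Open XML).

Added example; not code from the original post. It reads the parts of a
.docx package that most often carry information the author did not mean to
publish: docProps/core.xml (creator, last editor), docProps/app.xml
(company) and word/document.xml (tracked insertions/deletions and comment
anchors). The sample document is constructed inline so the script runs
offline; its names and values are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML namespaces for the parts inspected below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W_AUTHOR = "{%s}author" % NS["w"]  # attribute carrying the reviser's name


def _text(el):
    """Stripped element text, or None when the element is absent or empty."""
    return el.text.strip() if el is not None and el.text and el.text.strip() else None


def inspect_docx(data: bytes) -> dict:
    """Return the names, company and revision residue found in a .docx (given as bytes)."""
    authors = set()
    findings = {"company": None, "tracked_changes": 0, "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                value = _text(core.find(tag, NS))
                if value:
                    authors.add(value)
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            findings["company"] = _text(app.find("ep:Company", NS))
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            # Each w:ins / w:del element is one tracked change; its w:author
            # attribute names the reviser, which leaks even if the text does not.
            revisions = doc.findall(".//w:ins", NS) + doc.findall(".//w:del", NS)
            findings["tracked_changes"] = len(revisions)
            for rev in revisions:
                if rev.get(W_AUTHOR):
                    authors.add(rev.get(W_AUTHOR))
            findings["comments"] = len(doc.findall(".//w:commentRangeStart", NS))
    findings["authors"] = sorted(authors)
    return findings


def is_safe_to_publish(findings: dict) -> bool:
    """True only when no personal names, company name or revision residue remain."""
    return (not findings["authors"] and findings["company"] is None
            and findings["tracked_changes"] == 0 and findings["comments"] == 0)


def build_sample_docx() -> bytes:
    """Construct a minimal .docx-style zip containing only the parts the checker reads."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>Jane Smith</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    app = '<Properties xmlns="%s"><Company>Example Ministry</Company></Properties>' % NS["ep"]
    document = (
        '<w:document xmlns:w="%s"><w:body>'
        '<w:p><w:r><w:t>Public text.</w:t></w:r></w:p>'
        '<w:p><w:ins w:id="1" w:author="jsmith"><w:r><w:t>draft figure</w:t></w:r></w:ins></w:p>'
        '<w:p><w:del w:id="2" w:author="Jane Smith"><w:r><w:delText>old figure</w:delText></w:r></w:del></w:p>'
        '<w:p><w:commentRangeStart w:id="0"/><w:r><w:t>check with legal</w:t></w:r>'
        '<w:commentRangeEnd w:id="0"/></w:p>'
        '</w:body></w:document>') % NS["w"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx())
    for key, value in report.items():
        print("%-16s %s" % (key, value))
    print("safe to publish:", is_safe_to_publish(report))
```

Run against a real file, `inspect_docx(open(path, "rb").read())` gives the same report. The check is deliberately narrow: it covers the properties and revision markup that FOCA-style metadata harvesting reads first, not custom properties, headers and footers, or embedded objects, so a positive result from `is_safe_to_publish` means "nothing found in these parts", not "clean".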
Thursday, July 29, 2010
Security Awareness and Training...it's required
One of the questions asked most frequently is, "Do we really need to have an Information Security awareness and training program?" The question is often followed up by a statement calling into question the perceived value of awareness and training. The standard response is typically along the lines of, "Yes. It is required and, perhaps more importantly, the right thing to do."
Setting aside the value-based approach of 'doing the right thing' to keep information secure and private, most people are surprised to learn Information Security awareness and training is a compliance obligation often required by law, industry regulation, and/or business contract. Additionally, it is called out in numerous 'best practice' frameworks.
So, in the spirit of ongoing Information Security awareness and to assist those who have requested more information on this subject, listed here are just a few of the numerous laws, regulations, and frameworks applicable to North America. Bear in mind some are industry specific.
Laws and Regulations (North America)
1. Health Information Portability and Accountability Act (HIPAA): §164.3
2. Canada Personal Information Protection Electronic Documents Act (PIPEDA): Schedule 1 Clause 4.1.4(c), Schedule 1 Clause 4.7.4
3. Privacy Act of 1974: §552a(e)(9)
4. Fair and Accurate Credit Transactions Act (FACTA): §151, §213(d)
5. FACTA Red Flag Rule: §41.90(e)(3), §222.90(e)(3), §334.90(e)(9), §571.90(e)(9), §681.2(e)(9), §717.90(e)(9)
6. Leahy Personal Data Privacy Security Act: §302(b)
7. FFIEC Information Security: Page 7, Page 62
8. NERC: CIP-004-1
9. FDA 21 CFR Pt 11: §11.10(i)
10. Massachusetts 201 CMR 17.00: §17.04(8)
Business Contracts
1. Payment Card Industry Data Security Standard (PCI DSS): §12.6
'Best Practice' Frameworks
1. ISO 17799 / ISO 27002: §8.2.2
2. ITIL Security Management: §4.2.2.2
3. AICPA Privacy: ID 1.1.1
4. NIST 800: numerous publications
Thursday, July 15, 2010
More Than Just Being Compliant
There is more to Information Security awareness than just compliance with any number of laws and regulations. Awareness and training typically deals with the qualitative. Much of what we do to help keep information secure and private is tied directly to people, their roles, and cultivating a 'culture of awareness' within the organization. Spending time with people, both 1-to-1 and 1-to-many, is essential in helping them better understand how to mitigate risk to the organization within their job role. Their secure business practices then aggregate to meeting applicable compliance obligations.
For example, without awareness, how are IT people supposed to know that they ought to be designing and using technical controls? How is management supposed to understand the information security risks the organization faces on a daily basis, or their part in ensuring that those risks are brought under control? In other words, security awareness is much more than just an annual briefing of the troops. Regular employees need to appreciate that they may be scammed and exploited for their access to corporate and personal information, and that there are numerous security controls that depend on them being alert and reacting appropriately to threats that may materialize at any time.
Wednesday, June 30, 2010
The Human and Technology - Both Are Needed
Technology will not completely secure us in spite of what some vendors tell us. The way in which we use this technology has a large effect on the security level we can attain. But social engineers and others are putting great effort into defeating these technical controls by hacking the people directly. Sometimes the attacker only has to ask for the information and it is readily given out. No technical appliance can prevent that.
While security awareness will never be fully sufficient to secure information it is a fundamental in the information security process. By making people aware of information security and the vital part they play in it, this will go a long way as a full partner with technological appliances to secure what is needed. Technical controls and non-technical controls go hand-in-hand, are supportive of each other, and both are required to be successful.
If we buy a security appliance and place it on-line straight out of the box we are completely defeating its purpose. This is where the vendors, sales and technical reps, have an important role. It is imperative that they educate the customer and make them aware of what can happen if the appliances are not properly configured. While they cannot force the customer to secure the device and use it securely, they can practice security awareness by educating the customer.
In risk management people are a large source of information security vulnerabilities. This can happen by exposure of passwords, not securing computers, giving out information without thinking, or having visitors or service agents move around unescorted. There are a myriad of other possibilities where valuable information can be lost or compromised. The solution for this is SECURITY AWARENESS, but you must remember it is NOT a 100% foolproof solution.
Information security is both a human and technical responsibility. Those who are truly serious about information security need to treat both equally, along with the physical aspects of security, in a concerted effort towards the main goal and responsibility of properly securing information to the best of our abilities. We need to create a culture and mindset of security as part of a continuing and ongoing program, as we need to maintain the vigilance of our employees.
Tuesday, May 25, 2010
The Dangers of Facebook
Finding and making friends online using social networking Web sites such as MySpace and Facebook has almost become a rite of passage. Students at universities around the world chronicle their lives by building online profiles and sharing personal information, photographs, and opinions in order to connect with new people. If you use one of these sites to stay in touch, to express yourself openly, and to find like-minded people, that’s great. Just be sure you stay smart and safe in the process.
This includes knowing what Facebook and other social networking sites intend to do with your profiles. In 2007, Facebook enabled user profiles to become searchable through its new Public Search Listings. If you have a profile posted on Facebook, and don’t want your name and profile picture indexed by one of the major search engines such as Google, Yahoo and MSN Search, you need to edit your Facebook privacy settings. While Facebook has some restrictions on the Public Search Listing of a profile, many people post their information on Facebook without realizing it can be made available to virtually anyone with an Internet connection.
You should consider some other important things as well. First, while you can meet new friends online, you may also come into contact with malicious people misrepresenting themselves. These are people you don’t want to know. Internet thieves and sexual predators are only too eager to exploit personal information found on social networking sites. They are out there and willing to hurt you unless you take precautions to protect yourself.
A second consideration, frequently overlooked, is that information you post on a social networking site may reveal indiscretions and worse to future employers, college professors, or even your parents. It’s on the record that students have been suspended and expelled for escapades and threats posted online. In some instances, potential job offers have been withdrawn because of information posted on a social networking site. Keep these things in mind when taking advantage of the pluses of social networking.
A third consideration, which does not often get much thought, is your current place of employment. Think carefully about what you post: you may think it's OK, but you may be placing yourself and/or your company in a vulnerable position. What you post may place you and/or the company in legal or regulatory trouble.
Thursday, April 22, 2010
Breach Alert: Copiers Are a Risk
An important lesson about leased copy machines: many contain hard drives that should be scrubbed of information before the copiers are returned.
As part of an investigation, CBS Evening News bought four copy machines from a company that had leased them to four different organizations and hired a firm to analyze what was on their hard drives. The machines contained confidential medical information, according to the analysis by Digital Copier Security Inc., Shingle Springs, Calif.
Most copiers have hard drives. Most copiers used in business settings are leased, and most of the machines in use today have at least one hard drive. The hard drives are necessary, because most copiers also now handle printing, faxing, scanning and e-mail.
The information stored on a copier's hard drive varies widely by manufacturer. Some machines more readily capture and store images on the hard drive. Some have a hard drive that has a large part of its capacity used for operating code. There is no telling what types and amounts of confidential and/or restricted information are going out the door.
As a matter of security awareness, organizations may want to restrict who can use the copier and train staff members on what information should not be copied, scanned or e-mailed using the device. Organizations need to develop, implement and make their staff aware of the information security issues.
Before returning a leased copier, the user should remove all information from the hard drive. This can be accomplished by scrubbing the hard drive, or by removing it, destroying it, and replacing it with a new drive before the copier is returned.
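A check for the scrubbing step above, as an added example that is not part of the original post: it scans a raw copier drive image for leftover PDF/JPEG/TIFF signatures before the machine goes back to the lessor, and models a zero-overwrite scrub. The signature list, the constructed sample image and all function names are my own assumptions, not anything from the post or from Digital Copier Security Inc.

```python
# Added example (not from the original post): pre-return check for a leased
# copier's hard drive, run against a constructed sample image.
from collections import Counter

# Magic numbers for document/image formats a multifunction copier stores.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"II*\x00": "tiff-le",
    b"MM\x00*": "tiff-be",
}
MAX_SIG = max(len(s) for s in SIGNATURES)


def _count_ending_after(buf: bytes, sig: bytes, new_start: int) -> int:
    """Count occurrences of sig whose last byte lies at or past new_start, so a
    signature straddling a chunk boundary is counted exactly once."""
    n, i = 0, buf.find(sig)
    while i != -1:
        if i + len(sig) > new_start:
            n += 1
        i = buf.find(sig, i + 1)
    return n


def scan_image(data: bytes, chunk_size: int = 1 << 20) -> Counter:
    """Count file signatures in data, chunk by chunk (a real drive image is far
    too large to search as one string); chunks overlap by MAX_SIG - 1 bytes."""
    found = Counter()
    overlap = MAX_SIG - 1
    prev_tail = b""
    for offset in range(0, len(data), chunk_size):
        chunk = prev_tail + data[offset:offset + chunk_size]
        for sig, name in SIGNATURES.items():
            found[name] += _count_ending_after(chunk, sig, len(prev_tail))
        prev_tail = chunk[-overlap:] if overlap else b""
    return found


def residual_report(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Signature counts, fraction of non-zero bytes, and a verdict: a drive with
    no document signatures left is what a scrub should produce."""
    sigs = scan_image(data, chunk_size)
    nonzero = len(data) - data.count(0)
    return {
        "signatures": dict(sigs),
        "nonzero_fraction": nonzero / len(data) if data else 0.0,
        "looks_clean": sum(sigs.values()) == 0,
    }


def scrub(data: bytes) -> bytes:
    """Model of a single-pass zero overwrite; on a real copier this is the job
    of a wiping tool, or the drive is removed and destroyed."""
    return bytes(len(data))


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'drive': two leftover JPEG scans (one straddling a
    4 KiB chunk boundary) and one PDF sitting in unallocated space."""
    img = bytearray(64 * 1024)
    img[4096:4096 + 21] = b"\xff\xd8\xff\xe0fake scanned page"
    img[8190:8190 + 4] = b"\xff\xd8\xff\xe0"
    img[40000:40000 + 28] = b"%PDF-1.4 fake patient record"
    return bytes(img)

if __name__ == "__main__":
    print("before scrub:", residual_report(build_sample_image(), chunk_size=4096))
    print("after scrub: ", residual_report(scrub(build_sample_image())))
```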
Thursday, March 11, 2010
Train employees - your best defense - for security awareness
New security threats and identity theft schemes are being developed every day, and large corporations continually invest millions of dollars and thousands of man-hours to keep their information and identity safe and their network secure. But investing time and money into securing the organization and its customers can be completely undermined if employees don’t understand their role in the security plan. Even when an organization has state-of-the-art technology, strict security policies, and a highly skilled IT staff to manage policies, some organizations are not as secure as they could be. In fact, a recent survey showed that 40 percent of IT managers surveyed reported that their organization had experienced at least one security breach in the last year.
However, with the right training, employees can become an organization’s strongest security asset. A security awareness program enables organizations to improve their security posture by offering employees the knowledge they need to better protect the organization’s information through proactive, security-conscious behavior. To successfully protect information assets, employees at every level - from the top down - need a basic understanding of security policies as well as their respective responsibilities in protecting these assets.
Management personnel with security responsibilities require additional training. Without this understanding, organizations cannot hold employees accountable for protecting the organization’s resources and ultimately, its profitability.
To be effective, a security awareness program must be ongoing and include continuous training, communication and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape. The key messages, tone and approach must be relevant to the audience and consistent with the values and goals of the organization. Equally important, an awareness program must influence behavior changes that deliver measurable benefits.
Monday, February 15, 2010
Social Engineering: Train Your Employees to Spot and Stop the Scams
You've invested smartly in information and physical security, and think your organization is safe from external attacks? Well, the strongest defenses in the world are worthless if someone leaves the gate open. That "someone" is any one of your well-intentioned employees, and the key to the "gate" is that individual's susceptibility to social engineering. You need to be up to date on:
• The Latest Social Engineering Scams;
• Why Social Engineering Is So Effective;
• What Happens After You Have Been "Socially Engineered";
• Proactive Measures To Mitigate the Effects of "Being Socially Engineered ";
• How to Test Your Employees' Preparedness;
• How to Test the Effectiveness of Your Awareness Efforts.
Despite all the media hype about hackers and viruses, the greatest threats to an organization's information security are the employees of the company. They're the ones who too often, too willingly, fall victim to Social Engineering ploys and open the doors wide to slick-tongued fraudsters.
When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gleaning information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving. It is not beyond an attacker to use everything at their disposal to gain information. Much like the telemarketer who badgers the elderly couple into investing in fraudulent stock, a social engineer uses all the tricks in the book to obtain the goal.
Being aware of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to surviving these manipulations. This should focus on the core issues of social engineering's methodologies, effectiveness and prevention - the core components of a social engineering program should include:
• Identifying the many forms in which the attack may occur;
• Understanding the intention of the attack;
• Educating the potential victims;
• Creating a policy to minimize the impact of the attack;
• Testing employees' abilities to sniff out social engineering scams;
• Managing a program to ensure that ongoing reviews and updates are in place;
• Regular testing to ensure the effectiveness of your training initiatives.
Remember, everyone is susceptible to "being Socially Engineered."