Saturday, November 30, 2013
If you're not sure you've seen an incident - report it anyway
Most security folks (and IT folks, for that matter) would rather hear about a problem from you than figure it out afterwards while troubleshooting a system failure. If a phone call from User Support doesn't sound quite right, if a routine email announcement is just a little off, or if a caller is too stressed to remember his or her password, don't be pressured and don't be rushed. Rush and pressure are among the social engineer's best tools. Ask for help! Call your supervisor, call your IT group, and call your InfoSec group on the spot for assistance. You are as responsible (or more) to the whole company as you are to the one person on the phone. Don't let one person's stress jeopardize the organization's information security.
Saturday, September 21, 2013
October is National Cyber Security Awareness Month
October is National Cyber Security Awareness Month and it is an opportunity to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has to play a role in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, the public.
Cyberspace is woven into the fabric of our daily lives and the world is more interconnected today than ever before. We enjoy the benefits and convenience that cyberspace provides as we shop from home online, bank using our smart phones, and interact with friends from around the world through social networks.
This year marks the tenth anniversary of National Cyber Security Awareness Month sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.
Through a series of events and initiatives across the country, National Cyber Security Awareness Month engages public and private sector partners to raise awareness and educate Americans about cybersecurity, and increase the resiliency of the Nation and its cyber infrastructure.
Thursday, August 29, 2013
Privacy and Security Training
There are several types of harm that emerge from a privacy or security incident: damage to the organization’s reputation, financial harm (costly litigation, large damage awards, and expensive and burdensome notification requirements), lost time and resources, harm to clients, customers, and employees, soured relationships and lost trust, and regulatory consequences. According to a Ponemon Institute study, the average cost of a data security incident is more than $7 million. Agencies such as HHS and the FTC are stepping up enforcement, and penalties can be large. Fines for HIPAA violations can reach $1.5 million per year for each provision of HIPAA violated, and FTC settlements can require auditing of companies for 20 years.
Training reduces the risk of an incident because many incidents are the product of human error. A review of the thousands of reported privacy and security incidents across many industries reveals a common theme: a sizeable majority of incidents happen because of a lack of guidance and awareness about privacy and security. An article in the Wall Street Journal aptly said that an organization’s biggest data security risk is “you.” Data security is not just a technical problem but a human problem.
Monday, June 10, 2013
Security Awareness Training Does Work
Thought I would share a success story of security awareness training. It was posted by a security manager whose employees learned from their training and acted on it. This just goes to show how important awareness training is.
------------------------------------------------------------------------------
I was alerted that the contractors who were hired by our building management company had tried twice to gain access to our suite without authorization and without checking in at the front desk. In the first instance, one of the contractors was engaging in dialog with an employee while someone was entering their code to open the door. The other contractor was on the other side watching the code being entered. The employee noticed this and alerted their manager.
In the other instance, after two employees entered through the coded door and the door was about to close, the contractor forced his hand and foot into the gap to prevent it from latching and gain access. They immediately called the Information Systems Manager, who came by and took control of the situation.
I brought all of the employees into my office and asked them to tell me what happened. Then I gave them each a gift card for lunch on the company today, thanked them, and gave them huge kudos for a job well done! They all did exactly what they should have done, and while there wasn’t any actual malicious intent (the contractors were just trying to do their job), it’s instances like these that could cause a major breach.
This doesn’t mean that my users will catch everything. But the user layer of our defense worked this time around! This is my favorite layer of our defense because, contrary to popular belief, when your users care about security, they are a force to be reckoned with!
------------------------------------------------------------------------------
Thursday, May 23, 2013
Why security awareness is crucial for employees
Employees are often unaware that they are giving out sensitive company information on social media sites such as Facebook. People are now the weakest link in the security chain. The latest security technology may protect core systems, but it cannot protect against employees giving away information on social networks or using their own, less secure, mobile devices for business purposes.
It is a myth that technology will protect you. Those who attack us have no wish to spend a lot of time and money defeating our technology. They attack the user, which is much easier.
Many people are familiar with dodgy-looking emails purporting to be from a bank, and they know not to click on the links. The latest threats are much more sophisticated and personal, including "spearphishing", whereby the attacker uses information gleaned from social media to personalize an email to an individual. People are much more likely to open an email whose subject line or greeting contains specific personal details. They may even open innocent-looking attachments or give away further information by replying to these emails.
Employees need some basis to understand how and why threats could affect the organization, or target them as individuals. Threats such as social engineering often work because people don't appreciate the value of what they're giving away.
In most organizations, employees remain the weakest link. Whether malicious or unintentional, they pose the biggest security risk. An education program that embraces both home and business use of security is the most effective, because it makes these policies second nature.
Tuesday, April 23, 2013
Security Awareness & AP Twitter Hack
This is a classic case of why information security awareness is needed and should be taken seriously by senior leadership. It should not be viewed as something to satisfy the checkbox compliance we see so often today. What will it take for those in charge to wake up to some simple facts?
Security awareness will not cure all information security ills but it is a necessary component in the protection of our information resources.
If Twitter needed any more evidence that it has a serious security problem, this should do it: Stocks plunged sharply on Tuesday after a hacker accessed a newswire's account and tweeted about a false White House emergency.
And there it is: After years of hacks that typically involved little more than obscene language, Twitter's subpar security measures have now caused serious real-world consequences.
Many hacks happen when account owners use guessable passwords or access Twitter over public Wi-Fi and shared computers. If one person who tweets from a corporate account loses his or her phone, an entire corporation's Twitter account could be at risk.
The AP incident appears to be an example of social engineering. The news service posted a story Tuesday afternoon explaining that attackers gained access to the account after launching phishing attempts. In phishing, attackers pose as legitimate companies, such as Twitter, in an attempt to get account holders to give up their passwords.
Wednesday, February 6, 2013
Essential Roles
Another essential role of information security is in properly distributing the policies. Having a perfect set of policies and standards is one thing, but if it’s never put into the hands of those who do the work, it is of very limited value. Security awareness training must be more than just a checkbox we tick to get through an audit. Awareness of corporate policies and standards should be provided through formal training, but also through guerrilla marketing, regular staff meetings, reminder emails, and performance reviews.
Once the policies are in the hands of our entire staff, it is up to them to successfully implement data security. Whether the policy is password complexity rules, sensitive data handling, or secure coding standards, we depend completely on our employees to implement it. We cannot overlook any employee group; even the least likely-seeming employee will have access to our organization, and could be used as a jumping-off point for an attack. A thorough and consistent security message, delivered to every area of the organization, is required.
In order to ensure that each employee hears the appropriate message, we need to customize their training to their daily experiences. There are some areas that every employee should be taught (secure password rules, avoiding tailgaters, how to spot an intruder); there are many others that are essential in some departments but unnecessary for others (secure coding standards, firewall configuration rules). By tailoring the training to the intended recipients we reduce the amount they need to be taught, while making the training both more interesting and more effective.
Friday, January 18, 2013
Every Employee is a Security Partner
The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day-to-day tasks.
The information security team is responsible for the creation of the policies and standards. This is the framework that a security program is built on. By using a well-tested framework we can ensure that our organization’s security needs are adequately documented. The policies are critical, but they are only the framework. To flesh out the program we need the actual implementation, and that’s where the rest of the staff comes in.