  • Do You Shield Your PIN at the Store?

    | January 15, 2012 | Comments (0)

    When you approach an Automated Teller Machine, or ATM, it is widely accepted that there will be at least one camera that is fixed on your actions.  Typically, this is a facial shot, and law enforcement uses these videos to capture your face and assist in crime investigation.  While it is not with 100% accuracy, [...]

  • Practitioners launch Security Awareness Training Framework

    | November 3, 2011 | Comments (0)

    The Security Awareness Training Framework (SATF) is an open-membership community that brings together its members’ unique perspectives on security awareness to help put an end to the slippery slope of deficient security awareness training. Nearly 12 years after the introduction of the Love Letter and Melissa worms, organizations still struggle in providing effective training to the end [...]

Help Net Security: Phishers mimic OpenID to steal credentials

| May 7, 2012 | Comments (0)

By: Zeljka Zorz, HNS Managing Editor

New spam email campaigns are taking advantage of the users’ vague familiarity with the OpenID authentication method to phish their login credentials for a number of different and popular online services, warn Barracuda Labs researchers.

The emails in question currently take the form of an offer from a real estate company to check out “new beautiful and cheap properties for sale around your area”, or of a bogus UPS tracking alert.

After following the offered link, users are presented with a fake login page hosted on a compromised site.

The page itself does not mention OpenID, but the logos of large and popular websites that use and provide the option of OpenID authentication (Google, AOL, Yahoo!, etc.) can fool users into thinking that the page is legitimate.

Whichever email provider the user selects, a pop-up window requesting the login credentials appears.

“This is not how OpenID authentication works,” the researchers point out. “With genuine OpenID authentication we would be directed to a secure Yahoo web page which would ask for credentials.”

In this case, the entered credentials are simply forwarded in plain text to a remote server operated by the phishers, and the user is redirected to the real estate agency’s or UPS’ legitimate website.

Original Source: http://www.net-security.org/secworld.php?id=12874

User Awareness: How Important Is It? Javvad Malik from Black Hat Europe 2012 explores

| May 3, 2012 | Comments (0)

I find this to be a very interesting piece regarding information security awareness. I may be viewing from a different perspective; however, it seems as though each of the experts involved in the video are completely in agreement on the importance of user awareness training. Yet we continue to struggle to define effective measures and techniques to connect with the audience. What are your thoughts?

Content Being Updated in Preparation for Derbycon 2012

| April 24, 2012 | Comments (0)

While the Security Awareness Training Framework has been chugging along behind the scenes, very little has been updated on our public-facing presences.  With the announcement that the Derbycon 2012 Call For Papers has been opened, all of the planning and debating is in full swing.  Over the next week or so, members will be busy putting things in motion on the website and our wiki site.  Many of the dead links will be replaced by content that reflects the hard work and dedication of our participants.

This summer is going to be an exciting time for the Security Awareness Training Framework! We are seriously hoping that our CFP will be selected so that we can share the most recent progress and cast our vision to all participants. It will take a lot of work, but we feel our project team is up for the task. However, we could seriously use some boots on the ground to help in all areas of the project. If you are interested, contact us at info@satframework.org.
Today is Data Privacy Day 2012

| January 28, 2012 | Comments (0)

For More Information, please visit http://www.staysafeonline.org/dpd/about

Data Privacy Day is an annual international celebration designed to promote awareness about privacy and education about best privacy practices.

In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this data – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

Data Privacy Day promotes awareness about the many ways personal information is collected, stored, used, and shared, and education about privacy practices that will enable individuals to protect their personal information.

These are not questions for consumers and citizens alone, however.  Business operators and state and federal governments must engage in this dialogue as well.  Businesses have to question whether they are complying with laws and regulations requiring consumer privacy protections.  They know that customers have to trust their technologies and services before they will use and pay for them.  Government representatives need to explore and give effect to legislation in this area that protects consumers but also allows for technological innovation, progress and growth.

Data Privacy Day promotes collaboration and dialogue among all of those stakeholders with an interest in privacy.

To download Data Privacy Day logos, posters, web banners and tip sheets, please visit our Tip Sheets and Collateral page.

ComputerWorld: You can’t secure every employee’s home

| January 23, 2012 | Comments (0)

We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you’ll see), but the software tokens can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What’s more, when a user no longer needs access, it’s much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.

Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.

Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.

For example, once employees got word that their hardware tokens would no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admissions Control, meant that we were ending up with untold numbers of noncompany computers on our network. Naturally, I can’t vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn’t and end up infecting our internal production network.

I’m also concerned about protecting intellectual property, which is my responsibility. We are free to inspect the contents of any device we have issued to our employees, but we have no legal right to inspect any personal device, even if that device is connected to our network. In addition, laws are vague in some states and countries regarding our ability to monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.

For good measure, let’s throw in the risk of license compliance issues.

Help Desk Too Helpful

While employees might not be aware that they shouldn’t be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they’ve been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.

These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.

Original Source: http://www.computerworld.com/s/article/9223574/Security_Manager_s_Journal_You_Can_t_Secure_Every_Home

Security Catalyst: Why dropping the label of “users” improves how we practice security

| January 21, 2012 | Comments (0)

A few weeks ago, a colleague was explaining his challenge of creating a security awareness program in a firm that operated less like a business and more like a law firm.  Specifically, the big-dollar revenue producers in his company took exception to being considered average users and refused to participate.

No one likes to be a user. Worse, no one wants to be a loser.

Maybe it goes back to the catchy tune belted out by McGruff the crime dog when he sang, “Users are losers, and losers are users…”

Just last week, a friend pointed out to me that only drugs and IT have “users.”

The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users, eventually shortened to “users.”

Today the situation is different.

Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users, I feel like singing some McGruff.

And I would sing, except McGruff was wrong: users aren’t losers.

We need to break this bad habit immediately to advance our practice of security and influence how people protect information.

Why the label of users creates a distance that makes it harder to practice security

The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.

Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming It’s time to reboot the security industry) that reinforces our knowledge, experience and power while shielding us from the knowledge, power and experience of the individuals we work with.

When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex — and expensive.

Security technology is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the Human Paradox Gap.

Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we are powerless to hold them accountable. I explore this a bit further in: Why people are not the problem and where to look.

Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.

Dropping the label (protection) of user allows us to build the relationships we need to be successful.

If not users, then what?

We work with and serve people.

As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.

When possible, use direct names or descriptions of real people.

It is important to remember and keep focused on the point that we serve people, not users.

Change the words to change the perspective

By removing the abstraction of “users” and focusing on the people we serve we necessarily change our perspective.

It is a simple, yet powerful shift.

In turn, it changes our demeanor and approach.

For example, with my clients, our meetings reference real people, actual examples and explore the potential consequences (positive, neutral and negative) of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.

McGruff sang a catchy tune. But when we realize our users are people, nobody has to lose. In fact, we can all work together to bridge the human paradox gap and make our jobs just a little bit easier.

Original Source: http://www.securitycatalyst.com/2011/07/why-dropping-the-label-of-users-improves-how-we-practice-security/

Wh1t3Rabbit: The delicate balance between raising awareness and making people afraid of technology

| January 20, 2012 | Comments (0)

by Wh1t3Rabbit

You all know that many of the posts here on Following the Wh1t3 Rabbit are inspired directly from conversations and requests from you, right? This post is no different … credit for putting my thoughts on this rail goes to Michael Allen (aka @_Dark_Knight_ on Twitter, go follow this guy) … based off of an interesting conversation we had over email on how you would react if one of your main competitors were to experience a massive, public data breach.

Let’s take this rationally, and head-on. You work for Acme Corp, and your company is one of three authorized organizations which clear currency trades in the Pacific region. This morning you open your Twitter stream (or RSS reader) to find out that your largest competitor has just been outed in a massive data breach. The breach has made the papers, international headlines and is on the morning news too … what do you do?

Assuming you have responsibility for the security of Acme Corp, you are now thrust onto a high-wire act where you balance raising awareness (and perhaps scoring yourself some budgetary gains) and completely scaring your organization away from technology. The two main areas you’ll probably want to go after, if you’re smart, are security awareness and incident response. Why these two?

Well, Michael, I completely agree with you: security awareness is and should be the top priority when one of your competitors gets breached. As a security officer you have a brilliant chance to carefully make everyone in your organization aware how important security is, and what kind of damage it can cause your organization in terms of brand loss, financial loss, and legal complications. Rather than playing the role of Chicken Little, the rational CISO will approach the situation from a fact-based stance, and realize that not every point will carry over completely to their company. More importantly, sometimes leadership simply accepts risk at face value – and we need to be OK with this. Taking the “they were breached, we can and should avoid this” stance is both rational and responsible, and like honey will gather more favor with the bees. Taking the opportunity to raise security awareness is a huge win in itself – whether it’s in the form of a company-wide seminar, “security month” or targeted training … awareness is a massive step forward to being more risk-averse and secure.

The second big thing to tackle in this situation, as Michael pointed out to me, is incident response. Again, I completely agree. Incident response should be the linchpin of any truly effective security program. It’s amazing how many organizations implement training, secure coding programs, patching strategies but never plan for when the worst inevitably happens. I say the worst is inevitable because I think I speak for the security community when I say that security incidents or breaches will happen … the only question is the scale and timing of the incident or breach. There is no such thing as secure, and anyone telling you otherwise is trying to sell you something that is oily and comes from a snake. The concept of secure is a mixture of being risk-averse enough to eliminate all the obvious vulnerabilities and know that you will be hit, and then be prepared to act to minimize the damage. That is modern information security in my book.

What will you do when one of your competitors makes the morning news for a massive data breach? Will you take the opportunity to speak sanely about the need for better awareness and incident response? Will you make incremental gains to your organization’s security posture? Will you accept certain risks that your leadership is simply “OK with”? … or will you play the role of Chicken Little and lose your head? Better still – think about what your competitors will do when this happens to YOU.

Original Source: http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/The-delicate-balance-between-raising-awareness-and-making-people/ba-p/5423285

Security-Shell: Enter at your own risk cyber awareness magazine released

| January 20, 2012 | Comments (0)

Posted by d3v1l…

As we promised last month, The Hacker News along with Security-FAQs, SecManiac, Korben, and SecTechno have come together to bring you an outstanding array of internet security and hacking information.

Lee Ives from London, England talks about internet security for your children, what to watch out for, and how to protect them and yourself.

Pierluigi Paganini takes us on a visit to China and makes us wonder just how influential China’s hacking is on world internet security.

Mourad Ben Lakhoua takes us on a scary journey of what new malware is lurking about and what to expect in the future.

Patti Galle’s article on SOPA  

Manuel Dorne, administrator from Korben gives us a look at Mozilla Firefox security tools. A must for any techie interested in “how to.”

My submission about DefCamp, the first Romanian Security Conference. Thanks to Andrei Avadanei, who is also the Founder.

And finally, a good read about politics in general in “No Turning Back” by The Hacker News editorial staff.

Download PDF: http://news.thehackernews.com

Source: http://security-sh3ll.blogspot.com/2012/01/enter-at-your-own-risk-cyber-awareness.html

NY Times: Teenagers Sharing Passwords as a Symbol of Affection

| January 19, 2012 | Comments (0)

By Matt Richtel

Young couples have long signaled their devotion to each other by various means — the gift of a letterman jacket, or an exchange of class rings or ID bracelets. Best friends share locker combinations.

The digital era has given rise to a more intimate custom. It has become fashionable for young people to express their affection for each other by sharing their passwords to e-mail, Facebook and other accounts. Boyfriends and girlfriends sometimes even create identical passwords, and let each other read their private e-mails and texts.

They say they know such digital entanglements are risky, because a souring relationship can lead to people using online secrets against each other. But that, they say, is part of what makes the symbolism of the shared password so powerful.

“It’s a sign of trust,” Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. “I have nothing to hide from him, and he has nothing to hide from me.”

“That is so cute,” said Cherry Ng, 16, listening in to her friend’s comments to a reporter outside school. “They really trust each other.”

“We do,” said Ms. Carandang, 17. “I know he’d never do anything to hurt my reputation,” she added.

It doesn’t always end so well, of course. Changing a password is simple, but students, counselors and parents say that damage is often done before a password is changed, or that the sharing of online lives can be the reason a relationship falters.

The stories of fallout include a spurned boyfriend in junior high who tries to humiliate his ex-girlfriend by spreading her e-mail secrets; tensions between significant others over scouring each other’s private messages for clues of disloyalty or infidelity; or grabbing a cellphone from a former best friend, unlocking it with a password and sending threatening texts to someone else.

Rosalind Wiseman, who studies how teenagers use technology and is author of “Queen Bees and Wannabes,” a book for parents about helping girls survive adolescence, said the sharing of passwords, and the pressure to do so, was somewhat similar to sex.

Sharing passwords, she noted, feels forbidden because it is generally discouraged by adults and involves vulnerability. And there is pressure in many teenage relationships to share passwords, just as there is to have sex.

“The response is the same: if we’re in a relationship, you have to give me anything,” Ms. Wiseman said.

In a 2011 telephone survey, the Pew Internet and American Life Project found that 30 percent of teenagers who were regularly online had shared a password with a friend, boyfriend or girlfriend. The survey, of 770 teenagers aged 12 to 17, found that girls were almost twice as likely as boys to share. And in more than two dozen interviews, parents, students and counselors said that the practice had become widespread.

In a recent column on the tech-news Web site Gizmodo, Sam Biddle called password sharing a linchpin of intimacy in the 21st century, and offered advice to couples and friends on how to avoid missteps.

“I’ve known plenty of couples who have shared passwords, and not a single one has not regretted it,” said Mr. Biddle in an interview, adding that the practice includes the unspoken notion of mutually assured destruction if somebody misbehaves. “It’s the kind of symbolism that always goes awry.”

Students say there are reasons, beyond a show of trust, to swap online keys. For instance, several college students said they regularly shared Facebook passwords — not to snoop on or monitor each other, but to force themselves to study for finals. A student would give her password to a friend to change it — and not disclose the new password — thereby temporarily locking out the Facebook account holder and taking away a big distraction to studying.

Alexandra Radford, 20, a junior at San Francisco State University, said she had done this for friends several times during exams. One friend wanted to know the new password before finals ended, but Ms. Radford held firm.

“Once finals were over, I gave it to her,” she said. “She was, like, ‘Oh, my gosh, thank you.’ She knew I was good about not giving her the password back.”

But Ms. Radford is more sheepish about the passwords she shared a few years ago in high school with her boyfriend. They even changed their passwords to reflect their relationship. Hers: ILoveKevin. His: ILoveAly.

“We did it so I could check his messages because I didn’t trust him, which is not healthy,” she conceded.

Counselors typically advise against the practice, and parents often preach the wisdom of password privacy. Winifred Lender, a child psychologist in Santa Barbara, had her three sons sign “digital contracts” that outline terms for how much media they will consume, how they will behave online and that they will not share passwords. Still, Ms. Lender said, her 14-year-old was recently asked by a friend for his password.

“He said: ‘You give me yours and I’ll give you mine.’ ”

Her son was taken aback but then relied on a tried-and-true excuse for saying no. “He blamed it on his parents,” Ms. Lender said of her son. “He said, ‘If I give you my password, my mom will have a cow.’ ”

Emily Cole, 16, a high school junior in Glastonbury, Conn., felt the sting of password betrayal in seventh grade, when she gave her e-mail password to her first boyfriend.

Then she started to develop feelings for another student, she said, and sent an e-mail to her. Her boyfriend read the e-mail and started spreading it around the school, calling Ms. Cole a “pervert.”

Ms. Cole said it was deeply hurtful. And yet, despite what happened, she said she would not have reservations about sharing her password with her new boyfriend.

“I know this sounds kind of weird, but we have a different relationship,” she said. “We’re not in seventh grade. I trust him in a different way, I suppose.”

Ms. Cole’s mother, Patti, 48, a child psychologist, said she believed her daughter would be more judicious now about sharing a password. But, more broadly, she thinks young people are sometimes drawn to such behavior as they might be toward sex, in part because parents and others warn them against doing so.

“What worries me is we haven’t done a very good job at stopping kids from having sex,” she said. “So I’m not real confident about how much we can change this behavior.”

Source: http://www.nytimes.com/2012/01/18/us/teenagers-sharing-passwords-as-show-of-affection.html?pagewanted=1&_r=2

Help Net Security: Questioning of incoming data crucial for security awareness

| January 19, 2012 | Comments (0)

by Mirko Zorz

In the last six-to-twelve months, we have witnessed many different cyber attacks. Hacktivists were making a statement, the players behind the so-called Advanced Persistent Threats were often searching for company and government secrets, run-of-the-mill cyber gangs were looking for financial information.

The players were different, and so were their goals, but the great majority chose to initiate their attacks with social engineering and phishing techniques aimed at tricking employees into opening the doors for them.

In this podcast recorded at RSA Conference Europe 2011, Hugh Thompson, Program Committee Chair for RSA Conferences and Chief Security Strategist at People Security, talks about a new breed of attackers and why the need for security awareness is now bigger than ever.

He points out that security is coming more and more down to the little decisions that every single employee makes every day, and that information security professionals should concentrate on teaching users to question every piece of data that comes their way.

Follow the link for the entire podcast:

Source: http://www.net-security.org/article.php?id=1668