• User Awareness: How Important Is It? Javvad Malik from Black Hat Europe 2012 explores

    | May 3, 2012 | Comments (0)

    I find this to be a very interesting piece regarding information security awareness.  I may be viewing from a different perspective; however, it seems as though each of the experts involved in the video are completely in agreement on the importance of user awareness training.  Yet, we continue to struggle to define effective measures and […]

  • Customer Shielding PIN From Prying Eyes

    Do You Shield Your PIN at the Store?

    | January 15, 2012 | Comments (1)

    When you approach an Automated Teller Machine, or ATM, it is widely accepted that there will be at least one camera that is fixed on your actions.  Typically, this is a facial shot, and law enforcement uses these videos to capture your face and assist in crime investigation.  While it is not with 100% accuracy, […]

  • Security Awareness Training Framework (SATF)

    Practitioners launch Security Awareness Training Framework

    | November 3, 2011 | Comments (0)

    The Security Awareness Training Framework (SATF) is an open-membership community that brings one’s unique perspectives on security awareness to help put an end to the slippery slope of deficient security awareness training. Nearly 12 years after the introduction of the Love Letter and Melissa worms, organizations still struggle in providing effective training to the end […]

Security Reminders

| July 23, 2013 | Comments (0)

At my last job I developed a card that reminded users to lock their computers when they left their desk. People either loved them or hated them but it did help to remind people to lock their computers.


Security Awareness Training Starts to Get the Respect it Deserves

| March 14, 2013 | Comments (0)

Original Source: http://threatsim.com/2013/03/11/security-awareness-training-starts-respect-deserves/

Thanks to Mike Rothman at Securosis making the case for security awareness training.  Mike and the rest of the Securosis gang have a great perspective on the state of information security and threats.  I’ve always appreciated their pragmatic advice, and how they regularly promote ways to enhance your security program through process improvement rather than just throwing more technology at the problem.

Mike talks about a rebirth of security awareness training, which definitely is gaining more respect in the industry. His concluding sentiment is perhaps the most powerful:

Get on board with security awareness training. Or keep cleaning up the mess.

The other week at RSA there was a debate on whether or not awareness training was worth doing at all.  The panel was overwhelmingly not for awareness training, but the audience was! (Note to RSA: Get some awareness professionals for your next panel.)   The majority of the audience confirmed that their awareness programs were meaningful and provided benefit.

I feel the industry is starting to learn that security awareness shouldn’t be limited to a once-a-year presentation that is done solely to meet an audit requirement.  Those programs are only effective in keeping an auditor happy.  Today’s security awareness professionals are taking a risk-based approach and developing creative techniques to get the right information, the right people, at the right time — which is challenging but effective in reducing risks to the human element.

Phishing is doing a lot to raise the need to address employees as part of your overall defense strategy.  Something most infosec engineers would rather not have to do — but can no longer deny.

5 myths about awareness

| March 12, 2013 | Comments (0)

Original Source: http://www.csoonline.com/article/728625/5-myths-about-awareness-

Lance Spitzner of SANS Securing the Human program outlines five common misconceptions about security awareness programs

By Lance Spitzner

February 11, 2013 — CSO

I’m often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.

1. Training does not work
I often hear people say: “Awareness does not work. I have never seen an awareness program actually change people’s behavior.”

To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.

These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.

For an awareness program to effectively change behavior, you need to create a program that is designed from the ground up to change behavior.

2. It’s not worth it because someone will still mess up
People tell me that awareness is a failure; that no matter how much you train people, there is always a small group of people that will still fall victim. Folks, security is all about reducing risk, not eliminating it.

Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I’ll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing up to 95 percent of the human risk, according to measurements taken in phishing tests. Show me any other control that will get you that type of ROI.

3. People already know what to do
I’ve read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.

Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don’t know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them. What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.

4. It’s all about prevention
When people discuss awareness, they usually focus on just prevention — they’re trying to implement the idea of the “human firewall.” While prevention is important, why limit ourselves? Why not train people to become human sensors as well?

Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then.
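The two numbers the paragraph above asks for, computed side by side from a phishing-assessment log. This is an added example, not code from the original article or from SANS; the four-column event log (timestamp, campaign, user, action) is a constructed layout, not any vendor's export format.

```python
"""Score a simulated-phishing campaign on report rate, not only click rate.

Added example, not part of the original article. The four-column event log
(timestamp, campaign, user, action) is a constructed layout, not any vendor's
export format; adapt parse_events() to whatever your platform produces.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str, str]

# Constructed sample log: every user receives the lure ("sent"); some click
# the link ("clicked"); some report it to the security team ("reported").
SAMPLE_EVENTS = """\
2013-03-04T09:00:00,Q1-invoice,alice,sent
2013-03-04T09:00:00,Q1-invoice,bob,sent
2013-03-04T09:00:00,Q1-invoice,carol,sent
2013-03-04T09:00:00,Q1-invoice,dave,sent
2013-03-04T09:03:10,Q1-invoice,bob,clicked
2013-03-04T09:04:45,Q1-invoice,alice,reported
2013-03-04T09:11:30,Q1-invoice,bob,reported
2013-03-04T10:20:00,Q1-invoice,carol,clicked
"""


def parse_events(text: str) -> List[Event]:
    """Parse the comma-separated log into (timestamp, campaign, user, action)."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, campaign, user, action = line.split(",")
        events.append((datetime.fromisoformat(ts), campaign, user, action))
    return events


def score_campaign(events: List[Event], campaign: str) -> Dict[str, object]:
    """Return per-campaign metrics.

    click_rate / report_rate are fractions of the users who were sent the lure.
    clicked_then_reported counts users who fell for it but still raised the
    alarm; a click-rate-only view wrongly writes them off as pure failures.
    seconds_to_first_report is how long the security team waited before it
    first heard about the campaign, i.e. the warning a real attack would give.
    """
    sent, clicked, reported = set(), set(), set()
    first_click: Dict[str, datetime] = {}
    first_report: Dict[str, datetime] = {}
    send_time: Optional[datetime] = None

    for ts, camp, user, action in sorted(events):
        if camp != campaign:
            continue
        if action == "sent":
            sent.add(user)
            send_time = ts if send_time is None else min(send_time, ts)
        elif action == "clicked":
            clicked.add(user)
            first_click.setdefault(user, ts)   # keep the earliest click
        elif action == "reported":
            reported.add(user)
            first_report.setdefault(user, ts)  # keep the earliest report

    if not sent or send_time is None:
        raise ValueError(f"no 'sent' events for campaign {campaign!r}")

    n = len(sent)
    clicked_then_reported = {
        u for u in clicked & reported if first_report[u] > first_click[u]
    }
    earliest_click = min(first_click.values()) if first_click else None
    earliest_report = min(first_report.values()) if first_report else None

    return {
        "sent": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "clicked_then_reported": len(clicked_then_reported),
        "seconds_to_first_report": (
            None if earliest_report is None
            else (earliest_report - send_time).total_seconds()
        ),
        # True when the team was warned before anyone had clicked.
        "reported_before_first_click": (
            earliest_report is not None
            and (earliest_click is None or earliest_report < earliest_click)
        ),
    }


if __name__ == "__main__":
    metrics = score_campaign(parse_events(SAMPLE_EVENTS), "Q1-invoice")
    for key, value in metrics.items():
        print(f"{key:>28}: {value}")
```

On the constructed log, click rate and report rate are both 50%, but one of the two clickers reported afterwards and the first report arrived 285 seconds after the send, which is the kind of detail a victim count alone hides.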

5. It’s simple
Many people I work with assume that creating an awareness program is simple. If your only goal is compliance, then yes, awareness programs are simple. But if you want to effectively reduce risk by changing human behavior, you need to have a plan. Specifically, you need to identify who you are targeting in your program, what changes in behavior reduce the greatest risks to your organization, and how you will engage and communicate those changes in behaviors.

One of the most common obstacles to effective awareness programs that I see at companies is that they do not know where to begin. You can find a complete set of free planning resources developed by the community, for the community, on the SANS Securing the Human website, which includes a poster that documents each step to take and provides all the templates and checklists you need to build your program.

I’m a huge fan of awareness, and I have seen the tremendous impact it can have. However, until we as a community start securing the Human OS, the bad guys will continue to have it easy. Technology alone can only go so far.

Lance Spitzner is the training director for the SANS Securing the Human Program.

Risky business: why security awareness is crucial for employees

| March 12, 2013 | Comments (0)

Original Source: http://www.guardian.co.uk/media-network/media-network-blog/2013/feb/12/business-cyber-security-risks-employees

Employees can often be unaware they are giving out sensitive company information on social media sites, such as Facebook. Photograph: Chris Jackson/Getty Images

People are now the weakest link in the security chain. The latest security technology may protect core systems, but it cannot protect against employees giving away information on social networks or using their own, less secure, mobile devices for business purposes.

“It is a myth that technology will protect you,” says Tony Dyhouse, cybersecurity director at the UK Technology Strategy Board’s ICT Knowledge Transfer Network. “Those who attack us have no wish to spend a lot of time and money defeating our technology. They attack the user, which is much easier.”

It has become increasingly important to embed ICT security awareness at all levels of an organisation. “The most at-risk personnel are uninformed, innocent and unaware employees,” says Kevin Bailey, research director, European security software, at research company IDC.

“Many external attacks – more than 60% – target employees via social engineering,” he says. “They were opportunistic, exploiting activities such as unexpected communication through email and social media.”

IDC reported a growth of more than 40% in the uptake of smart devices during 2011–12, compared with a flat PC market. Employees are increasingly using their own devices for work, and much of this activity is out of their employer’s control. “A recent survey shows that over 30% of respondents believe that BYOD [bring your own device] is already happening informally in their organisations,” says Bailey.

Social media

Many people are familiar with dodgy-looking emails purporting to be from a bank and they know not to click on links. The latest threats are much more sophisticated and personal, including “spearphishing”, whereby the attacker uses information gleaned from social media to personalise an email to an individual. People are much more likely to open an email that has specific personal information in the header. They may even open innocent-looking attachments or give away further information replying to these emails.

Prof Steven Furnell from Plymouth University, head of the Centre for Security, Communications and Network Research, points out that employees need some basis to understand how and why threats could affect the organisation, or target them as individuals. “Threats such as social engineering often work because people don’t appreciate the value of what they’re giving away,” he says.

Best practice in the office, such as protecting passwords and using privacy settings on social media sites, has become best practice for people’s personal lives and effective security awareness training is tapping into that.

“In most organisations, employees remain the weakest link. Whether it is malicious or unintentional, they pose the biggest security risk. An education programme which embraces home and business use of security is the most effective, making these policies second nature,” says Cheryl Martin, head of the Cyber Security practice for Logica UK, now part of CGI.

Dyhouse adds a word of caution. “Avoid the temptation to try to turn all your staff into security gurus. Nothing quite beats real-life examples, especially if they are family focused.

“We make a lot of mistakes in the security industry,” he adds. “We make things too complex. We expect people to be interested. There are just two very simple rules, and if everyone followed them we would cut out 80% of attacks. The first is ‘Don’t open attachments.’ The second one is ‘Don’t follow links from emails.’ There is no reason we can’t change these behaviours.”

Educating staff

Siân John, UK and Ireland security strategist at Symantec, has been carrying out a number of workshops at a large global bank and an accredited association that focused on getting employees to take on board security risks: “That is the biggest challenge – getting people to really think about how this could bring the business down.”

The workshops are half an hour or an hour long. “We don’t want them to be too long. We start with social and phishing risks from a personal point of view, not business. We don’t get too technical.”

One company John has worked with offers the latest mobile gadget as an incentive to attendees of their security awareness sessions: “That was so successful that when a new gadget comes out now they need to schedule more awareness training,” she says.

Tim Holman, president of the Information Systems Security Association in the UK, believes a culture of security awareness must begin at the top: “Everyone has a responsibility to be vigilant at all times in protecting their company’s data and resources against cyber-attacks. If only they all knew it.

“We are always hearing tales of organisations suffering security breaches due to users’ oversight and whilst some might point the finger at information security managers for not raising security awareness, apathy has to be the biggest challenge,” he says. “Large companies and even the UK government don’t seem to care about cybersecurity threats to business, so why should our employees?

“Yes, everyone is responsible for security, but only once those at the top of the pyramids start taking things seriously can the rest of us follow suit.”

Staff training: taking security seriously through comedy

Twist and Shout used humour to create videos on the IT risks of using social media

Phil Cracknell, recently appointed head of IT security at TNT Express and until late 2012 director of security at Yell (now Hibu), has a passion for comedy. He believes humour is the key to getting the security message through to all levels of staff.

“At Yell we set out to change the culture. I met Jim Shields who runs media company Twist and Shout and is also a stand-up comedian. The discussion was around how do we make IT security awareness stick? We have been trying to cram awareness down people’s throats for 20 years,” says Cracknell.

It was important to get senior level buy-in, he says. “At the time, the chief technology officer of Yell authorised me to go and make a whole bunch of Star Wars videos all about awareness. We bought Darth Vader suits. There is one scene where Darth appears at reception and he has forgotten his ID card and he is doing the ‘You know who I am’ routine. We decided to focus on security as a whole and especially the weak links, such as people writing down passwords.”

The videos were a massive hit. Cracknell created them in bite-sized chunks, two-minutes long, and emailed them to staff every other day during their first week at Yell. “We looked at the time it took for people to open them up from when they were mailed and they were responding to those quicker than they were responding to any other email,” he says.

Cracknell went on to set up Rose Tinted Security with Twist and Shout to create humorous videos that come with 3D-style rose-tinted glasses. “We put a whole campaign around it that we started to trickle out on Twitter, YouTube and Flickr. We used social media to highlight some of the risks of using social media,” he says.

“These videos got two hits for every member of staff we sent them out to. We know it worked, as people were sending the videos to others who didn’t even work for the company.”

Overprivileged, Well-Meaning, And Dangerous

| March 12, 2013 | Comments (0)

Original source: http://www.darkreading.com/insider-threat/167801100/security/news/240150554/overprivileged-well-meaning-and-dangerous.html

Non-malicious insiders add a lot of risk when IT gives them too much access and not enough education

By Ericka Chickowski, Contributing Writer
Dark Reading

Let’s face it, everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.

According to security experts, the only way that organizations can reduce the risk of that combination is to be pragmatic. Rather than trying to completely eradicate stupid behavior — a nigh impossible feat — enterprises need to find ways to minimize the risk around the mistakes non-malicious insiders make.

“It’s not realistic to eliminate the user behavior nor identify all the vulnerabilities or attacks in advance,” says Brian Hanrahan, senior systems consultant at Avecto. “You have to start from the assumption that any user through willing, or unwilling involvement may become the nexus of your next infiltration.”

Whether it’s digging spearphishing messages out of the junk mail box to click infected links, sending out inappropriate email messages on powerful communications systems they shouldn’t have access to, or fat-fingering configuration files to bring down broad swaths of IT infrastructure, well-meaning users can wreak plenty of havoc within IT operations. In some cases, purely dumb behavior can directly result in embarrassment to the organization, breached data or information assurance problems.

Mike Murray, managing partner for consulting firm MAD Security, says he has seen his fair share of insider incidents that were “more than a little boneheaded.” For example, earlier in his career, he came across an incident where an employee accidentally sent pornographic images to an entire 5,000-person organization.

“It wasn’t an ‘internal attack,’ but it was definitely stupid,” he says. “I had another one more recently [where] one of the developers working on one of our systems made a stupid Unix mistake and caused our system to be down for almost a week. I’ve seen something like that happen more times than I can even count.”

Not only are there direct security ramifications from that class of scatterbrained mistake, but they also can eat up valuable incident response time that could be better used elsewhere.

“At the bureau, about 24 percent of our incidents that we track on a yearly basis have to do with just accidental insiders, people being a knucklehead and we do spend about 35 percent of our incident response time [on them],” says Patrick Reidy, CISO for the FBI.

Plus, the reputation damage factor can’t be underestimated — particularly when some simple controls could have mitigated the situation. Take, for instance, a recent case in the city of Washington, Pa., where a city councilman used a citywide email emergency system to add the offensively prankish term ‘Brian is gay’ to a test email sent out to city denizens.

“[That] is a great example of why organizations implement approval processes for privileged operations,” Hanrahan says. “It’s important that privileged access is dispensed after review, and monitored carefully to detect risky behavior.”

However, he says that while lapses in judgments and silly errors can certainly cause harm, non-malicious insiders pose other more latent risks for organizations. More commonly, these insiders act as an unwitting lever for malicious actors who take advantage of the insider’s normal behavior to compromise that user’s endpoint and take advantage of that insider’s wide-reaching access to other systems on the network, he says.

“The reality is that most attacks result not from boneheaded moves, but normal activity plus privileged access,” Hanrahan says. “The vulnerabilities used to infiltrate corporate environments today rely on normal user behavior to gain a foothold. Web browsers, media plug-ins, Java exploits, and removable media are the common vectors of introduction.”

As he puts it, the name of the game is in effective containment.

“Containment requires limiting the resources immediately available to the attacker, and thwarting propagation within the organization, both of which are nearly impossible when the attack runs with elevated privileges,” he says.

Murray agrees, saying that the reason why phishing and advanced persistent threats succeed is that at most organizations once the attacker has compromised an employee’s system inside, that person has free rein in the environment. Murray says that organizations need to address the non-malicious insider problem by looking more closely at their control architecture.

“The key is actually in the control architecture. I still see organizations that take the philosophy of ‘hard external, soft chewy inside’ when designing their security strategy,” he says. “The control around assets needs to be close to the assets in order to detect threats from both outside and inside.”

Does Security Awareness Training Actually Improve Enterprise Security?

| March 12, 2013 | Comments (0)

Original Source: http://www.safelightsecurity.com/does-security-awareness-training-actually-improve-enterprise-security/

At last week’s RSA 2013 security conference, four prominent members of the security industry participated in an emotionally charged debate (at least for the audience) concerning whether or not end user security awareness training was critical to end user security or more beneficial towards implementing controls to protect users from themselves. 

The panel was made up of Bruce Schneier (BT), Dave Aitel (Immunity), Fran Brown (Stach & Liu), and Hord Tipton (ISC2). In a one-sided discussion that did not include anyone from the security awareness training community, the panel members were adamant in their insistence that end user security awareness training was a waste of time and resources. 

…Since there was no audience Q&A portion of the debate, I’m going to rebut a couple of the arguments the panel mentioned as reasons why they did not support end user security awareness training.

Stop Chasing the 100% Success Rate

In his opening remarks, Dave Aitel started off the debate by listing some statistics that described how frequently his testing team was able to trick users that had presumably taken a security awareness course into falling for an email phishing attack.  Aitel concluded that since security awareness training could not stop 100% of the users from falling prey to a phishing attack, then security awareness training was a waste of time and resources.

This is a misguided conclusion because no single layer of security (for example, security awareness training) will ever be 100% effective in stopping an attack.  Using multiple layers of security, also known as “defense in depth”, is the key to protecting users and sensitive data from attacks.

Security awareness training is just one layer of an organization’s defenses, just like installing firewalls on a network or using an intrusion detection system.  Neither of those security tools will stop every attack, but when used together, they decrease the risk of a successful attack.

By having users complete a thoughtfully designed security awareness training program, an organization will mitigate the risk of a data breach occurring.

Some Things Change, BUT Some Stay the Same

Bruce Schneier began his dismissal of the value of end user security awareness training by stating that awareness training was not useful when dealing with environments that were constantly changing.

While it is true that attackers are continually creating new attacks, our applications are continually updated with new functionality, and our operating systems are continually being patched, there are elements within a user’s computer experience that remain unchanged.

For example, it is common for users to send each other links within an email.  Users have been doing this for years and years and will probably continue the practice. Yet, we also know that attackers will attempt to send a user a malicious link within an email in hopes they will click on it.

Since this is a user experience that will most likely not change in the near future, a security awareness course can instruct a user about the dangers of clicking on links within emails.

A well-designed security awareness course will focus on insecure user behavior that is unchanging so that the lessons learned are ones that can be applied for years to come.

Finding the Silver Lining

The debate about the value of end user security awareness training left me feeling very disappointed.  Without any security training providers to defend the value of their security awareness courses, the debate felt very one-sided against their value.

…However, there was a silver lining.

After the debate, the moderator took a poll of the hundred or so members of the audience to find out how many believed that end user security awareness training was valuable:

It appeared that around 75% of the audience still felt like training was important. 

Perhaps, in their opinion, they also believed that a well-designed end user security awareness course that focused on common insecure user behavior could be a valuable layer of defense within an organization.

Insecure behavior by users, such as an employee of a bank sending sensitive data within an unencrypted email (which actually led to one of my coworkers having his identity stolen while applying for a home loan), can certainly be minimized with the implementation of end user security awareness training.

Final Thoughts

By not giving our users security awareness training, we are relying on “hope nothing bad happens” as a defense.

…Good luck with that.

Security Awareness Content: Deciding What is Needed to Change Behavior

| March 11, 2013 | Comments (0)

Original Source: http://www.madsecurity.com/security-awareness-content-deciding-what-is-needed-to-change-behavior/

Making good content is hard and easy to mess up. This is evident with the loads of boring training videos, outdated posters, and cheesy slogans slapped on a mouse pad. But don’t fret, just because it’s hard, doesn’t mean it’s impossible. Making good content is all about asking the right questions beforehand.

What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? These are all valuable questions that need to be answered when making content that has a lasting effect on your users. If done correctly, your security content will lay a solid foundation of information that is quickly/easily called back to, to ensure that your users are able and motivated to change their behavior.

Video v. Posters

Videos and posters serve two very different purposes and need to be seen as supplemental to each other, NOT synonymous. A video is an effective tool for transmitting larger amounts of information because (if done right) it grabs the viewer’s attention through movement and pictures. A poster is just like a billboard on the highway. You have about 2 seconds in which to catch the viewer’s attention and transmit information. Any poster that takes longer than a few seconds to get the message across will be lost.

If used supplementally and correctly, videos and posters represent two very powerful resources. Videos create the foundation of information (e.g., common vocabulary, motivating information, etc.) on which the posters draw. Let’s use an example. Let’s say users are consistently working remotely and being attacked while on an unsecured site at their local coffee shop. Through annual training you provide them with the information that (1) they can be attacked when working remotely, (2) show them how easily a hacker can gain access to their information on an unsecured network, and (3) how to properly protect themselves. Also, you tie the slogan “be aware or be a target” to the information with a picture of a public wifi signal.

All in all this will be about a 3-5 minute video.

Keep in mind, giving them all this information in written form will lose more than half the users before they have even read 3-5 minutes of information. The visual aspect is what helps get all that information across before losing their attention.

Now that the base of information has been created, you can make posters that have the Wi-Fi signal and words “Be aware or be a target!” in bold letters. Suddenly the poster is calling back to/reminding users about 3-5 minutes of information they were taught in SECONDS!

Newsletter v. Poster

Newsletters and posters are a common duo that shows up in conjunction with training videos but again they are NOT synonymous. Newsletters are great for transmitting larger amounts of supplemental training information (e.g., checklists, how-tos, anecdotes) that are just too much for a poster. Because of this, newsletters are great informers and motivators while posters are much more effective reminders, as mentioned previously. If used synonymously you end up with a 2’x2’ poster covered in 4 pt font. Not only will it take longer for them to read, but now they also have to stand next to the wall to read it.

Animated v. Live action

Recently, more and more videos are being created for security content plans in two different mediums: (1) live action and (2) animated. Live action videos are usually, and more effectively, made as a viral video. These viral videos are funny/inspiring/catchy and users share them with each other and their family. They also are watched more than once and not easily forgotten. While live action videos are great at getting a quick reminder/message/motivator across the company, they are not as effective for training. Training videos are more complex, with denser information, and therefore animation is the better bet. Animation does not limit you to the laws of the world and you can easily have a server room fly in stage right, behind your IT guy, without it looking cheesy and weird. You also have the ability to show words, and are not limited to one ethnicity, culture, etc. Viral videos can be culturally specific in order to get the funny message across whereas training videos need to be more general and broadly applicable.

Activities and events are a more recent addition to an organization’s content plan. They create a different, more interactive way of giving users more information on a topic they did not pick up the first time or behaviors they need more motivation to perform. For example, let’s say your organization is having a hard time with information on social media. Your content plan is informing, motivating and reminding users that they need to stop putting all their information on Facebook, and to enable their privacy settings. Regardless of these efforts users are still saying things like “I thought I did” or “I don’t know how.” A brown-bag (virtual or in-person) is the perfect place to simply walk them through the process of protecting themselves on social media. In this you can show them (1) how their information is easily seen by everyone, (2) how it can be used against them and (3) how to enable privacy settings to mitigate this risk. While activities can’t be used for everything, they serve as a valuable tool in informing your users, motivating them, and keeping them up-to-date on constantly evolving threats.

Now that we know the proper place and use for each type of resource, we need to understand the challenges of each, to ensure that our content is noticed, digested, and effective at changing behavior. Stay tuned.

Microsoft's Katie Moussouris: Humans still the weakest link in security chain

| October 5, 2012 | Comments (0)

By Edwin Yapp:

Original Source:  http://www.digitalnewsasia.com/hack-in-the-box/katie-moussouris-humans-still-the-weakest-link-in-security-chain

  • Despite more advanced use of the Web, users’ lackadaisical attitude to security is still an issue
  • Windows 8 will have ‘significantly better defense’ against cyber-threats to come

As the world becomes more interconnected due to the expanding Internet and increasing globalization, software is increasingly becoming a target for exploitation, as it is often the weakest link that can be manipulated by cyber-criminals. And that painted target is going to get worse, especially when you’re the world’s largest software company.

But for Katie Moussouris, who leads Microsoft’s security community outreach and strategy team at the Microsoft Security Response Center, having this target painted on Microsoft’s back isn’t her biggest frustration.

In an interview with Digital News Asia (DNA), before she comes to town for Malaysia’s premier cyber-security event, HITBSecConf, next week, she shares that getting developers and users to be fully committed to the concept of holistic security is her biggest headache.

“The three biggest challenges in my job are: getting developers to use the latest mitigation technology and security enhancements and tools provided in the development framework; getting users to apply the latest security updates; and getting third-party application developers to respond to security vulnerabilities with a thorough investigation and root cause analysis so that they can fix issues comprehensively once they are discovered.”

When asked what must be done to address such challenges, Moussouris says developer training and communication can help with the first issue, and Microsoft has free tools and templates around the Security Development Lifecycle it uses for its own development process.

“For the home user, it’s about enabling Automatic Updates.” She says that according to the Microsoft Security Intelligence Report, over 90% of computer compromises occurred via vulnerabilities for which an update was already available.

“If you’re taking care of an enterprise, quickly testing and deploying critical updates can help keep the devices of today safer from known threats,” she said.

She adds that large vendors like Microsoft have been refining their vulnerability response processes for years, but most third-party developers still don’t have consistent processes to ensure timely and complete fixes.

“Making sure to update all third-party software as well can help. And, if you need extra mitigation from unknown vulnerabilities, or want to enable the strongest mitigations in third-party applications that you didn’t write, then download and configure EMET, the free enhanced mitigation toolkit that you can use to help protect your computer.”

Moussouris notes that vendors who need help in implementing a robust vulnerability handling process can wait for the ISO standard, due to be published next year.

“Or [you can] get a head start by reaching out to me for tips on how to build or improve your own vulnerability response and remediation program,” she adds.

The new Windows’ security

So that was for the past and present. What about the future, with the impending launch of Windows 8 for desktops, laptops, tablets and phones?

According to Moussouris, Windows 8 incorporates a number of new and enhanced security mitigations, making it more difficult to exploit entire classes of vulnerabilities.

Among these improved protections are enhanced implementations of Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), as well as numerous Windows Heap and Kernel hardening measures that will be turned on by default.

“For a detailed look at the new protections, check out Matt Miller and Ken Johnson’s BlackHat 2012 presentation. To try some of these new protections out on older versions of the Windows operating system, download and configure EMET, the free Enhanced Mitigation Experience Toolkit, which allows both end users and developers alike to try out the new mitigations on older software or on third-party software,” she says.

As for Windows 8 mobile devices that run on ARM, they will have all of the new mitigations enabled by default, Moussouris says.

“Enforcement of the latest mitigation features on all applications for Windows 8 running on ARM will help users have more confidence in the security of their devices,” she explains. “All of the new Windows 8-style applications on all platforms will have this level of mitigation enabled by default as well.”

HITBSecConf will take place from Oct 8-11 at the Intercontinental hotel in Kuala Lumpur. The conference will see over 42 of its most popular speakers over the years return to the stage in celebration of its 10th anniversary, and DNA is one of the official online media for the event.

Firearm Safety & Security Awareness?

| August 30, 2012 | Comments (0)

It was a Sunday morning and I sat in a “classroom” at my local county firing range. I sat front and center, as I was one of the first to arrive. I took my Glock 19 out of my case, opened up the action, and confirmed that it was unloaded. My “classmates” had different types of pistols: Berettas, Sigs, and various others. Some pistols have multiple safety mechanisms as a fail-safe to prevent a negligent discharge. The instructor said something that stuck out in my head. To paraphrase, he believed that people turned to gun manufacturers to add additional safety mechanisms, but the problem was actually a training problem. Gun operators must rely on some principal safe gun handling rules which do not rely on gun safety mechanisms.

So how does this relate to security awareness? It highlights the fact that you cannot rely solely on safety mechanisms such as technical controls. For example, if employees do not click random links in e-mails, there isn’t total reliance on security controls like AV. Organizations must invest resources in administrative controls, such as training, to ensure employees receive continuous, effective, and digestible security learning materials. If everyone takes ownership of organizational security, no one will shoot themselves in the foot.

Staying out of the headlines

| August 17, 2012 | Comments (0)

Original Source: Armstrong, Illena. SC Magazine 23.8 (Aug 2012): 4.

After talking to her office-working brother, my hairdresser the other day was extolling the benefits of using numbers, capital letters and other characters to create the various passwords she enlists to access countless private accounts daily. Up until that impromptu conversation during an Independence Day barbecue with family, she had never given usernames and passwords much thought. Most of the time, her private email address and dog’s name seemed to suffice.

Her brother hadn’t really paid much attention to his personal (or professional) passwords either. However, after some well-publicized breaches of credentials at the likes of LinkedIn, eHarmony and Formspring, his company felt the need to invest in some end-user security awareness and training.

Unbeknownst to his organization’s executives, their decision could not have been more timely given the now-bedeviling news that some 450,000 Yahoo members have seen their usernames and passwords stolen by the hacker group D33ds Company. Yahoo seemed to make the thieves’ job quite a bit easier by shockingly failing to at least encrypt these bits of juicy information.

So here we have an ever-growing string of attacks that seems to point to some online criminals’ rising interest in stealing and exposing usernames and passwords. Yet a long-standing and recognized company like Yahoo presumably took no measures to ensure sensitive stuff like customer account credentials were kept safe and sound – which undoubtedly will lead to a bevy of additional private goodies and surely some spikes in spam and phishing incidents.

Meanwhile, there are many organizations that have their security and risk management plans down and are constantly evolving them to account for gaps that inevitably arise. These don’t make the headlines. They acknowledge that defense-in-depth measures have their place and that current times dictate an acceptance that their corporate networks likely have been infiltrated by the bad guys, hence the need for newer network monitoring and other more advanced technologies and processes that provide actionable insight when culprits are found. They understand that security awareness training is cheap and, in some instances such as my hairdresser’s brother, impactful.

Large, well-known and successful companies like Yahoo, LinkedIn and others should be one of these. They set the example either way and, sadly, it’s the one not to follow.