IN THIS ISSUE - Focus on cost-effective security, and avoiding being tricked
1) For Executives -
* Identifying your most important assets and business systems can make security more cost-effective.
* Beware of the jokers
* Beware of the phishers
* Is Facebook seen as a tool or a threat by organizations? (Take the Poll)
4) For Security Professionals -
* Penetration testing can be fun... But maybe you shouldn't let the boss know that
Did You Know?
No single anti-virus or anti-spyware program can protect your computer against all current threats.
Commonly used anti-virus programs such as Norton, McAfee and AVG are pretty good at finding most common viruses. However, hackers are always trying to develop viruses that are harder to detect.
The time between the release of a new virus by hackers and the publishing of new anti-virus signature updates by security vendors can range from hours to days, depending on its complexity and how fast the virus spreads.
During this time, most systems are vulnerable to infection. So, it is always important to avoid risky situations such as clicking on unexpected e-mail links and attachments. Even web sites you visit can become infected with viruses that can spread to your computer. High profile websites such as Amazon, eBay, Yahoo and Google are fairly diligent about preventing their computers from becoming infected. But other sites can be a much higher risk.
Some people use more than one anti-virus product in order to get better coverage. But there can still be a gap, so don't rely totally on them for protection.
More Articles at:
http://www.securityviews.com
There are now over 90 of my categorized articles on topics such as insider threats, chain letters, password strategies, awareness training, application security, and many other issues.
You can subscribe to these articles using the Feedblitz link in the sidebar, or you can use a feed reader. If you would like to use any of my articles in your organization's newsletters, please let me know.
Wondering About Security?
Let me know if any of the following topics, or any others you can think of would make good subjects for future newsletters or speaking engagements:
Please reply if you received this newsletter in an e-mail message, or contact me with your questions or suggested topics by clicking HERE.
Free Security Tools
I have developed some security self-assessment tests that you can use to score yourself on security at home and in the office. Just click HERE to go to the "Free Tools" Web page at http://www.securityviews.com where you will find the links to download these printable PDF files.
About Scott Wright
Looks can be deceiving. So I can't rely solely on my picture to convey the full effect of how I can bring value to your organization.
Security Perspectives Inc. provides a variety of ways to help "Protect the Bottom Line" in your organization.
Our role can involve facilitating change in areas such as corporate strategy, policy and process analysis, compliance, security awareness, product development methodology and deployment.
Methods we can use include surveys, interviews, workshops, organizational development, technical analysis, strategic discussion, training, coaching and keynote speaking on various topics.
I am a member of the Linked-In network, and would be happy to add you or your associates to my network. You can send an invitation to: swright@securityperspectives.com.
Distribution Information
You have received this initial distribution because you are one of the following:
- A business associate of mine whom I thought might be interested
- A Security Professional
- A person who uses a computer, and might be interested in some practical information on how to secure your personal and private information!
- A friend or associate of one of the above, and they thought you might be interested.
If you are not in one of these categories, or just wish to be removed from my email distribution list, simply reply and let me know. If you aren’t on the mailing list, but would like to be, you can also send me a reply or click HERE to sign up.
This newsletter is available in either HTML (with graphics and formatting), or in "Text Only" versions. Just click HERE to change your profile.
You should feel free to print, copy or forward this newsletter to anyone who you feel might benefit, or be interested. I especially encourage you to pass it along to colleagues in other organizations, or to others at different levels in your organization. However, if you are forwarding or using an excerpt, please include the following copyright attribution:
The Practical Security News
Issue 03, November 2007
Authored by Scott Wright, Security Management Coach, Consultant and Presenter
Security Perspectives Inc.
The Practical Security News (TPSN) is aimed at providing news and information you can use today... in the board room, in the office or at home. For more information on this newsletter, why you are on the distribution list, and how to subscribe or unsubscribe, please see the note in the bottom left of this message.
Identifying your most important assets and business systems can make security more cost-effective.
As an executive, what do you really need to know about security? Many at the executive level believe security is driven by the IT group, or by the Facilities group when it comes to physical security and access control. But is this really the most effective way to protect your systems, assets and accumulated goodwill? I don't think so.
Maybe it would help if you started to think of security in terms of preserving shareholder value, or customer loyalty. These are concepts that you should be more familiar with, and they are objectives you know you need to protect. The IT and Facilities groups need to be told what the most important elements of the organization are that need protection. These are things that should be defined at the executive level.
If you stop and think about your customer contact lists, financial databases, marketing strategies, product designs, help desk requests, etc., you will realize that there are some core systems that your business couldn't do without, and information that you can't afford to have leaked to outsiders, or even to insiders. If nobody is driving security from this point of view, the IT and Facilities groups will be trying to protect everything with blanket security, and won't have the resources. Do they seem stressed lately? Maybe it's because they don't know the organization's priorities for protecting what's most important.
The most important thing I believe an executive needs to know about security is that you can't afford to protect everything with the same level of security. It makes more economic sense to isolate systems and data by their criticality, and allocate whatever budget you have for security proportionally to each level of criticality. This way, you don't waste money protecting things that either won't be at risk, or whose value is not critical to the operation of the organization.
If you do this right, you can delegate a lot of day-to-day responsibility for security so you can concentrate on strategic issues. But you are driving the Security Bus and you are ultimately responsible for making sure it's on the proper route.
Beware of the jokers
There is a movement under way in the world of security professionals that you should be aware of. It's called penetration testing. To some, this means having an "ethical hacker" launch attacks on your network from inside and outside your firewalls. Your IT Security team may already have undertaken this type of testing. This is one aspect of what is now a larger realm. The intent is to locate weaknesses in an organization's defences before the attackers do.
Penetration testing can also take the form of having someone scan open offices for sensitive information lying unattended and confiscating it. Or testers may look for ways to trick staff, and even executives, into revealing information that can be used to launch attacks on your IT systems and data.
One of the best known penetration tests occurred when a tester scattered a number of USB memory sticks around the parking lot of the company that had hired him. As employees came into work they would find the devices and figure they could make use of them, or see what was on them so they could find out who to return them to. In any event, the devices carried a program that started as soon as the stick was plugged into a PC. The program would simply send a message to the tester to notify him when it was plugged in; a real attacker's program would not stop there. (See my article "USB Tokens Can Be Risky" by clicking HERE). A lot of employees fell victim.
This is a great illustration of how easy it would be for an attacker to steal information off internal desktop computers, or about the internal network, and send it to the "mother ship", enabling larger scale targeted attacks in future.
So, keep your eyes peeled for such penetration tests, especially if your IT Team feels the need to give people a wake up call about lax security and awareness. It is done with good intentions, but can lead to embarrassing situations if it isn't done properly. Don't say we didn't warn you!
Beware of the phishers...
You may not believe that penetration testing (above) is needed, but you have to be pretty diligent to avoid being a victim. I'd rather be caught by an internal penetration test than by a highly targeted hacker attack.
There was a recently reported example of how good intentions and over-confidence in his company's anti-virus program could not save an executive from having his computer become infected with a program from a dangerous e-mail link that looked like it was from the Better Business Bureau. The malicious program may have been collecting passwords and personal information without his knowledge. Click HERE for this story from the Wall Street Journal. It can happen to anyone if they aren't careful.
See the story below on "The best defence is..."
For Managers and Office Staff
The best defence is... a set of simple rules
We've all heard the mantra "The best defence is a good offence". But I don't believe the analogy holds all that well in business. When you do good things like increasing your sales, you are presumably adding value to the organization. But adding value also makes you more of a target and creates more potential for loss.
So, the more you add value, the more you need to preserve it. In this sense, security safeguards for business are more like the precautions you take when building a tunnel. Every time you extend the tunnel, you need to shore up what you have exposed.
But it doesn't have to be as complicated as it seems to protect the organization's most important assets. Yes, there should be policies governing protection of assets and information that show up as procedures and guidelines for each job function. These should be developed by the executives, with the help of a security professional.
But the most common failures of security are not in processes that are documented. They are in decisions made daily when situations arise that aren't covered by the procedures.
Many people trust their anti-virus/anti-spyware programs too much. There is no single security product that can protect against every single type of virus.
For these reasons, you need a set of simple rules such as the following:
- DON'T CLICK - Don't click on links or attachments in unexpected e-mails
- ONLY AUTHORIZED TOOLS - Don't use unauthorized software or hardware, and don't visit untrusted websites
- CLOSE PROGRAMS - Close programs when you don't need to access them
- LOG OUT - Log out or lock your workstation when you leave
- BACK IT UP - Make back-up copies of work in progress and completed work
- LOCK IT UP - Lock up files, media, valuables and offices when you leave
- CHALLENGE STRANGERS - Challenge strangers if they are alone in the office area. Attackers rely on employees' indifference and fear of confrontation to gain access.
- REPORT INCIDENTS - Report incidents that look unusual, or unusual computer behaviour which could be due to a malicious program infection
- USE GOOD PASSWORDS - Use unguessable passwords and don't share them with anyone, especially not people who ask you for them
There are other potential rules that could be added for different circumstances. The important thing is to start keeping the rules in mind at all times. Use them in situations when procedures aren't specific enough to guide you.
Because there are enough of these simple rules that you are unlikely to memorize them all at first glance, I have created some aids to remembering them:
- The Subliminal Security Lanyard - This is a yellow neck strap for holding ID badges, with rules printed on it. Very hard to miss, and the rules are always handy.
Please contact me by clicking HERE if you would like to discuss strategies for using Security Awareness as a springboard for making big improvements in the day-to-day protection of your bottom line.
Is Facebook seen as a tool or a threat by organizations?
The use of Facebook by an increasing number of people at work is a situation that could use some attention. Some security professionals are very concerned about the risks to the organization, and the privacy risks that Facebook and other social networking sites, such as Twitter, expose us to.
On my Security Views website, I have set up a poll that allows you to contribute anonymously to allow everyone to get an idea of how organizations are treating the use of these sites, from a policy point of view. Are they clamping down, or are they allowing it?
In many cases, management is hesitant to block access to Facebook because they see it as such a useful tool. But incidents of harassment and identity theft related to the use of these sites seem to be on the rise. These can use up valuable resources in the form of incident response and investigations requiring HR, Legal and Security staff.
Tell us how your organization is dealing with social networking site usage by clicking HERE to participate in this anonymous poll, and view the results to date.
Beware of ALL unexpected e-mails
The other day I received a very strange e-mail that looked like it had been sent to me by mistake. It appeared to be a confirmation e-mail that I would normally get when I sign up for an on-line service. But the salutation started "Dear Louise, Thank you for signing up for ..." This one appeared to be from a financial institution.
It's a bit scary to think that a bank could accidentally send a confirmation e-mail to the wrong recipient. In this case, it was a banking institution that I know I've never even heard of. That's the first tip-off. But hackers are getting better at finding e-mail addresses and any information that affiliates that address with an organization or activity.
By the way, social networking sites like Facebook and Linked-In are a treasure-trove for hackers doing this kind of research because of the amount of personal information people make public there. So, e-mails that look like they could be related to an organization or activity you deal with should be treated with care. Don't instinctively reply or click on anything. That's all the hackers want you to do. It confirms that your e-mail account is real, and that you are someone who clicks on things!
The next clue in my mysterious e-mail was a very courteous invitation to log in with the username and password contained in the e-mail and explore the great services I was now entitled to. This is a very bad business practice, for exactly this reason. You don't want an e-mail with usernames and passwords to get into the wrong hands.
So, I am then supposed to think to myself, "What harm could there be in logging into this account and seeing what it has access to?" This is how spammers and hackers are now trying to entice people into clicking on something... anything. They appeal to our curiosity and greed. Maybe there is some service at the other end that I was just given free access to. Who's going to know?
The basic rule you should follow is, "If you weren't expecting an e-mail, there's very little chance that you can benefit from taking any action of any kind." In fact, it's very risky. They may even put a phone number in the message that you can call to verify its authenticity... "Thanks for calling the First Internet Bank. May I have your name and address for security verification please?"... They just got you.
If my mystery e-mail was really from a financial institution, I have no idea how they got my e-mail mixed up with someone else's. I wouldn't deal with any organization that had such poor quality control.
If you aren't expecting it, and want to verify the authenticity of an e-mail, most reputable organizations can be located through public directories and phone books. You can find the organization's real phone number and call them to ask if they have recently sent you an e-mail. Never trust a phone number, attachment or web link in an unexpected e-mail.
Hackers can put the names of your friends and business associates in the "From" field of their SPAM, since that field is simply whatever the sender chooses to write in it, and this makes the message even more believable. The key is whether it was EXPECTED. If you don't usually get e-mails from your insurance broker or real estate agent saying "Hey check this out!", then be very suspicious.
While I think of it, you probably shouldn't send e-mails with the subject heading "Hey check this out!" because they will probably be met with suspicion, if not by the intended recipient, at least by their SPAM filter.
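The tip-offs in the story above (a salutation addressed to somebody else, credentials handed out in the message, a link and a phone number supplied by the message itself, and replies routed somewhere other than the apparent sender) can be turned into a quick triage check. The following is an added example, not part of the original newsletter: the sample message, the sender names, domains and phone number in it are all made up to resemble the "Dear Louise" e-mail, and the warning codes are my own naming.

```python
"""Triage checks for an unexpected e-mail, run over a constructed sample."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (fictional sender, domains and phone number): an
# unexpected "welcome" message with a mismatched salutation, credentials
# in the body, a login link and a phone number to "verify" with.
SAMPLE_EMAIL = b"""\
From: First Internet Bank <alerts@firstinternetbank-secure.example>
Reply-To: support@mail-relay.example
To: scott@example.org
Subject: Thank you for signing up
Content-Type: text/plain; charset=us-ascii

Dear Louise,

Thank you for signing up for online banking with First Internet Bank.
Your username is louise2007 and your password is Welcome1.
Log in at http://fib-login.example/account to explore your services.
Questions? Call us at 1-800-555-0199.
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: bytes, expected_recipient_name: str) -> list[str]:
    """Return warning codes for a raw RFC 822 message.

    None of these checks proves a message is malicious; each is a reason to
    verify out-of-band (look the organization up in a public directory and
    call that number) rather than act on anything in the message.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    _display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    # 1. Salutation addressed to somebody else ("Dear Louise" sent to Scott).
    m = re.search(r"^\s*Dear\s+([A-Z][a-z]+)", text, re.MULTILINE)
    if m and m.group(1).lower() != expected_recipient_name.lower():
        findings.append(f"salutation-mismatch:{m.group(1)}")

    # 2. Replies go to a different domain than the one shown in From.
    #    (The From header itself is whatever the sender chose to write.)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-domain-differs:{reply_domain}")

    # 3. A username and password handed out in the message body.
    if re.search(r"\busername\b", text, re.I) and re.search(r"\bpassword\b", text, re.I):
        findings.append("credentials-in-body")

    # 4. Links whose host is not under the apparent sender's domain.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if host and host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link-domain-differs:{host}")

    # 5. A phone number supplied by the message itself (never verify with it).
    if re.search(r"\b1-\d{3}-\d{3}-\d{4}\b", text):
        findings.append("phone-number-in-body")

    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL, "Scott"):
        print(finding)
```

Running it on the sample produces all five warnings. The point of the Reply-To check is worth noting: the visible "From" name can be anything, so a message whose replies are steered to a third domain is a stronger signal than the name shown in the mail client.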
For Security Professionals
Penetration testing can be fun, as well as informative... but maybe you shouldn't let the boss know that
Are you facing daily announcements of new security vulnerabilities from product vendors, and handling an increasing number of security incidents from both outside and inside the organization? This can be enough to make you want to give up the fight to protect your employer's computing environment. Nobody seems to appreciate the incredible stress you are under, and very few realize that you are often the only one actively working to protect the organization from its own ignorance and short-sightedness.
Sometimes it seems like there's nothing you can say to get management to understand the risks that your organization faces. If you are the one being left holding the bag for keeping the business secure, this can be a very stressful situation to be in.
You are probably aware of the traditional types of penetration testing, where simulated attacks on the network infrastructure are launched and vulnerabilities are identified. As I discussed in the "For Executives" section of this issue, this is only one type of penetration testing.
From the point of view of following procedures and maintaining IT Governance, I like to think of two approaches to penetration testing, which can be done simultaneously. The first is the "planned, sanctioned" testing. In this approach, the plans for testing are distributed to all stakeholders, so that response teams are ready and aware of the need to demonstrate proper procedures to identify and contain an event. Even with advance knowledge and preparation, it's surprising how often this type of testing can cause turmoil throughout the organization. People need to see these events played out to make the connection between advance warning of the test, and the fall-out that occurs when monitoring consoles and pagers start to go nuts.
Planned testing is certainly necessary to ensure that seldom used procedures can be executed successfully. However, random, unplanned (or unannounced) testing is also very valuable. Most IT security teams don't do a great deal of this, probably because the impact that unplanned events can have could result in sanctions and put your job at risk.
Here are some points to consider when deciding if unplanned tests should be done, and what type of tests are appropriate:
1) Are you already doing planned testing? If you aren't regularly doing planned tests, it's probably premature to start doing more creative tests. There's no doubt that if the organization doesn't handle planned tests well, unplanned tests can cause serious impacts. This is not the desired outcome of testing.
2) If you are already doing planned testing, but results are consistently poor, then it might be time for a wake-up call to management. The chances are that management doesn't feel the risks are likely to materialize. "It hasn't happened before, so what are the chances it will happen in the future?" My feeling is that you should find an ally in management that understands the situation and the need to raise awareness of the potential risks and vulnerabilities within the organization. You should brainstorm ideas for how to demonstrate the ease with which an attacker could gain unauthorized access to systems or information. If there are particular targets you are concerned with, construct a scenario that could conceivably cause a breach. Discuss all possible consequences of doing an unplanned test and document the safeguards that should be put into effect to ensure that the test itself does not cause a breach.
3) Don't expect a pat on the back, or even a warm reception if the test exposes the vulnerability to many people in the organization. Do everything you can to keep the sensitive information confidential, but definitely document the methodology and results for your own protection. If you are going to do this type of test, you have to show that you have done it in a responsible manner, and with consideration for any impacts it might cause.
4) In the end, if management decides to cover up the results and not act on them, then you have a tough choice to make. That's where having a trustworthy ally in management will help. You will have to decide whether to take the issue to a higher authority (CEO, Board of Directors, etc.), or whether you really want to be working in a place that doesn't have the integrity to protect its stakeholders' information.
5) To be fair to staff, even though the testing is unscheduled, staff should be made aware of the general plan to conduct "random security testing", and that they have no excuse for not being ready for it.
The following links have more good discussions on the ethics of Penetration Testing:
http://www.networkworld.com/newsletters/sec/2007/1029sec2.html
http://www.computerworld.com/blogs/node/6471
(c) Scott Wright, 2007. All rights reserved.