Posts Tagged ‘security training’

Making Security Training Interesting

Monday, December 8th, 2008

SANS Internet Storm Center’s Lenny Zeltser put together an article that caught my attention for being both accurate and blunt: “Security Awareness Training Is Boring.”

So true, and perhaps why it’s not kept up, or is completely ignored. And when something is ignored, it’s a good time to shake it up. We’ve offered some suggestions in the past for being creative in training methods.

Lenny put together some ideas for shaking things up in the security training department – doing things that are unusual and personally relevant so that employees actually remember them. Ideas include making a “commercial” style interruption during another meeting, one that reminds employees of security issues. Rewarding employees for anonymously reporting unsafe IT practices can work, and has been suggested in many articles. Also, “bribes” like food at security meetings can help bolster attendance.

And you can integrate funny videos like this one, “The Duhs of Security,” created by the Virginia Government:

The SANS article references another great article written by Marcus Ranum entitled “The Six Dumbest Ideas in Computer Security”. Worth a read.

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to hack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent pattern.

The password-hacking programs will try the most likely passwords first, then will move on to typical password combinations of root+appendage (or prefix). Something like “nachos123”, for example. There are common number and letter sequences that people use to prefix or suffix common words. 24% of all passwords can be cracked with the first 100,000 combinations of these options. The password program will try different dictionaries, will replace letters with common symbols such as “@” for “a”, etc. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the hacking program is fed personal information about you, like the name of a pet, birth date, or postal code, its effectiveness shoots straight up. If you save your password anywhere on your computer, including in the browser’s remembered passwords, the program can track it down there too.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own encoding rule for turning it into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list protected by a single Master Password.
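The cracking strategy the post describes (likely passwords first, then a dictionary root with a common prefix or suffix, then symbol-for-letter substitutions) can be turned around into a defensive screen that rejects passwords those first cheap passes would catch. The following is an added example, not code from the post or from Schneier’s article; the word list, the appendage list, the substitution map and the 8-character length floor are constructed stand-ins, chosen to show the idea rather than to match any real cracker’s wordlist.

```python
"""Heuristic password screener modelled on the attack order described above:
bare dictionary word, then root + common appendage, then undo common
symbol substitutions.  All lists are small constructed examples."""

# Constructed stand-in for a cracker's dictionary of popular roots.
COMMON_ROOTS = {
    "password", "welcome", "letmein", "monkey", "dragon", "nachos",
    "qwerty", "football", "sunshine", "princess",
}

# Constructed stand-in for the "common number and letter sequences"
# people bolt onto the front or back of a word.
COMMON_APPENDAGES = ["1", "12", "123", "1234", "!", "01", "007",
                     "2007", "2008", "2009"]

# Common symbol-for-letter substitutions ("@" for "a", etc.), reversed.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def _unleet(word):
    """Undo symbol substitutions so 'p@ssw0rd' compares as 'password'."""
    return word.translate(LEET_MAP)


def _candidates(pw):
    """Yield (root, appendage, how): the bare password first, then the
    password with each common appendage stripped as a suffix or prefix."""
    yield pw, "", "bare"
    for app in COMMON_APPENDAGES:
        if pw.endswith(app) and len(pw) > len(app):
            yield pw[: -len(app)], app, "suffix"
        if pw.startswith(app) and len(pw) > len(app):
            yield pw[len(app):], app, "prefix"


def screen_password(password, min_length=8):
    """Return {'weak': bool, 'reason': str}.  A password is weak if any
    candidate root, with or without substitutions undone, is a dictionary
    word, or if it is shorter than min_length (an assumed floor)."""
    pw = password.lower()
    for root, app, how in _candidates(pw):
        for form, note in ((root, ""),
                           (_unleet(root), " after undoing symbol substitutions")):
            if form in COMMON_ROOTS:
                if how == "bare":
                    reason = f"dictionary word '{form}'{note}"
                else:
                    reason = f"dictionary root '{form}' with {how} '{app}'{note}"
                return {"weak": True, "reason": reason}
    if len(password) < min_length:
        return {"weak": True, "reason": f"shorter than {min_length} characters"}
    return {"weak": False,
            "reason": "no dictionary, appendage or substitution pattern matched"}


if __name__ == "__main__":
    # Constructed sample inputs, including the post's own examples.
    for sample in ["password1", "nachos123", "p@ssw0rd!", "tlpWENT2m"]:
        print(sample, "->", screen_password(sample))
```

Each rule corresponds to one pass of the cracker described in the post, so a password that survives all three has at least escaped the cheap first 100,000 guesses; the sentence-derived example “tlpWENT2m” passes because none of its characters undo to a dictionary root, while “password1” and the leet-substituted “p@ssw0rd!” are both flagged.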


Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages by overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online; image: mconnors @ morguefile

10 Common Risks Employees Make that put Data at Risk

Friday, October 10th, 2008

Cisco announced the findings of a new study about data loss and its sources. The survey, conducted by InsightExpress among more than 2,000 employees, outlines 10 common risks and mistakes employees make that put data at risk. The study, which was conducted across 10 countries, also found that the behavioral risks of employees can vary by country and culture. 100 employees and 100 IT professionals were surveyed in each country.

The study was commissioned in order to understand the risks of an increasingly distributed and mobile business force. With the lines between work life and personal life blurring on a global scale, there are new risks. The collaborative tools that make this type of workforce possible also pose new challenges. Given that security is not just about technology, but about people and their behavior, this is a very interesting examination of the behavioral side of risks to data loss. The results could help businesses better tailor their security policies.

The 10 most noteworthy risks and mistakes by employees were:

  1. Altering security settings on computers – 20% of employees bypass IT policy to access unauthorized websites
  2. Use of unauthorized applications – 70% of IT professionals said unauthorized applications and websites resulted in as many as half of the data loss incidents
  3. Unauthorized network/facility access – 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility
  4. Sharing sensitive corporate information – 24% of employees admit to verbally sharing sensitive information
  5. Sharing corporate devices – 44% of employees share work devices with non-employees
  6. Blurring of work and personal devices, communications – nearly two thirds of employees use work computers daily for personal use – music downloads, banking, blogging, chat rooms, personal email
  7. Unprotected devices – at least one in three employees leave computers logged on and unlocked when away from their desk. Laptops often are left on desks without logging off.
  8. Storing logins and passwords – one in five employees store login / password information on their computer or write them down near their computer
  9. Losing portable storage devices – 22% of employees carry corporate data on portable storage devices
  10. Allowing “tailgating” and unsupervised roaming – 13% of employees allow non-employees to roam around their offices unsupervised, 18% have allowed unknown people into corporate facilities

Some of these figures have been broken down by country in a great analysis here.

Via Network World

Turning Employees into Security Assets

Tuesday, September 16th, 2008

Glen Kosaka has a feature article on CSO Online entitled “Five Ways to Turn Employees into Security Assets for Protecting Data“. Considering that employees are often the source of data breaches, this is a look at how to turn your employees from security liabilities into security assets. While some data breaches happen as the result of accidents, many are unavoidable.

The 5 recommendations for turning employees into security assets are:

  1. Make data security part of the company culture – getting department managers involved in locating sensitive data & setting access, use & protection policies; training employees for their own use and on ensuring others observe policies
  2. Integrate data leak prevention processes into overall workflow – have policies on data access & tracking that extend to new data, new employees, new departments and for mobile computing (or other new threat vectors)
  3. Make employees feel like security assets, not liabilities – with training and awareness programs
  4. Prevent the temptation to engage in “harmless” policy violations – by clarifying grey areas like taking data offsite, copying or storing data and transporting data
  5. Teach employees about policies while enforcing them – take action quickly and block actions that are not desirable. Have data leak protection technologies to monitor and prevent leaks, but also to educate employees if they try to do something that is against policy.

Read more details about these recommendations here.
