Posts Tagged ‘training’

Absolute and Ponemon Study Shows Employees Undermine Security

Wednesday, January 14th, 2009

Absolute Software and the Ponemon Institute announced the findings of a new study on the use of encryption on laptops in the corporate environment. The study found that 56% of US business managers disable laptop encryption, an action which increases the risk of data and identity theft. The study was also conducted for the UK and Canadian markets with very similar results.

The study was conducted in order to understand employees’ perceptions about keeping the information entrusted to their care properly protected. This includes using encryption, choosing strong passwords, and keeping their laptop physically safe when traveling. The study unearthed a number of troubling issues, including a perception among employees that an encryption solution makes other security measures unnecessary. IT security professionals were the most careful in following the precautions for safeguarding data on their laptops, but non-IT employees were not as careful (with 56% turning off encryption).

92% of IT security professionals indicate that a laptop has been lost or stolen in their organization, and 71% of those report that the loss resulted in a data breach. In the event of a theft, companies relying solely on encryption cannot be sure whether all of the data stored on the laptop was encrypted, whether it has been compromised, or which files have been accessed by the thieves. To address the risks that encryption alone cannot adequately cover, companies can employ a security solution that can locate a stolen or lost laptop, detect which data has been accessed, and remotely delete sensitive data. Such a solution, like Absolute’s Computrace, does not depend on the diligent behavior of individual employees.

“The data suggests that, because of user behavior, encryption alone is not enough to protect mobile devices and the sensitive data stored on them. These statistics are especially disconcerting when combined with our recent studies demonstrating that lost or stolen laptops are the number one cause of data loss, with 3 out of 4 companies experiencing a data breach when a laptop has been lost or stolen.” - Dr. Larry Ponemon, chairman and founder of The Ponemon Institute

“The Human Factor in Laptop Encryption: U.S. Study” key findings:

  • 92% of IT security practitioners report that someone in their organization has had a laptop lost or stolen and 71% report that it resulted in a data breach;
  • 56% of business managers have disengaged their laptop’s encryption;
  • Only 45% of IT security practitioners report that their organization was able to prove the contents of missing laptops were encrypted;
  • Only 52% of business managers – employees most likely to have access to the most sensitive data (personally identifiable information and/or intellectual property) – have employer-provided encryption;
  • 57% of business managers either keep a written record of their encryption password, or share it with others in case they forget it;
  • 61% of business managers share their passwords, compared to only 4% of IT managers; and,
  • Business managers are much more likely than IT security practitioners to believe encryption makes it unnecessary to use other security measures for laptop protection.

The survey breaks down the types of encryption solutions used to protect data assets, from whole disk encryption to thumb drive encryption. The same questions were asked of IT professionals and of non-IT professionals (business managers), who showed differing perceptions of security protocols. Here’s a preview of one of the data segments from the survey:


To receive a full copy of the study on the Human Factor in Laptop Encryption, for the US, UK and Canadian markets, fill out this form.

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how password-cracking programs work. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent order rather than at random.

The password-cracking programs try the most likely passwords first, then move on to the typical root+appendage (or prefix+root) combinations, something like “nachos123”. There are common number and letter sequences that people use to prefix or suffix common words, and Schneier notes that roughly 24% of all passwords fall to the first 100,000 such combinations. The program then works through different dictionaries and replaces letters with the usual substitutions, such as “@” for “a”. Running all of these combinations can take weeks, but it breaks roughly two thirds of all passwords.

If the cracking program is fed personal information about you, like the name of a pet, a birth date, or a postal code, its effectiveness shoots straight up. And if your password is stored anywhere on the computer, including in the browser’s saved passwords, the program can simply recover it from there.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own rule for condensing it into a harder-to-guess character string. Once you have a password, don’t reuse it across applications, and don’t write it down where others can see it. If you fear you won’t recall it, write it down and keep the note somewhere more secure, like in your wallet; better still, write the un-abbreviated sentence or a hint instead of the exact password. You can also use a program such as Password Safe (free) to keep an encrypted list of usernames and passwords behind a single master password.
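To make the ordering described above concrete, here is a small candidate generator written for this post (it is an added example, not code from Schneier’s article or from any real cracking tool) that guesses in the same sequence: the most common passwords first, then dictionary roots with common appendages and prefixes, then the same roots with letter-for-symbol substitutions. The word list, appendage list and substitution table are tiny, constructed stand-ins for the multi-million-entry dictionaries a real cracker uses. Running it shows why “nachos123” and a pet’s name plus a year fall within the first few hundred guesses while a sentence-derived password like “tlpWENT2m” is never produced at all.

```python
"""Toy dictionary-plus-mangling password guesser.

Added example for this post; not code from Schneier or from any real
cracking tool.  All lists below are constructed for the demo and are far
smaller than a real cracker's dictionaries (assumption: a real tool ships
lists of millions of entries and hundreds of mangling rules)."""

import itertools

COMMON_PASSWORDS = ["password", "password1", "123456", "qwerty", "letmein"]
ROOT_WORDS = ["nachos", "monkey", "dragon", "summer", "piggy", "market"]
APPENDAGES = ["", "1", "12", "123", "!", "2008", "01"]
PREFIXES = ["", "1", "!"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Yield the word with every subset of LEET substitutions applied
    (the unchanged word is yielded first, for the empty subset)."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for n in range(len(positions) + 1):
        for subset in itertools.combinations(positions, n):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word):
    """lower, Capitalised, UPPER: the case rules a cracker tries first."""
    seen = []
    for v in (word.lower(), word.capitalize(), word.upper()):
        if v not in seen:
            seen.append(v)
            yield v


def candidate_stream(personal_info=()):
    """Generate guesses in the order the post describes: the most common
    passwords, then root+appendage and prefix+root built from dictionary
    words (plus any personal details fed in), then the same roots with
    letter-for-symbol substitutions."""
    roots = list(ROOT_WORDS) + [p.lower() for p in personal_info]
    yield from COMMON_PASSWORDS
    for root in roots:
        for base in case_variants(root):
            for app in APPENDAGES:
                yield base + app
            for pre in PREFIXES[1:]:
                yield pre + base
    for root in roots:
        for base in case_variants(root):
            for mangled in leet_variants(base):
                if mangled == base:
                    continue            # already tried in the first pass
                for app in APPENDAGES:
                    yield mangled + app


def guess_position(password, personal_info=(), limit=100_000):
    """Return the 1-based position at which `password` would be guessed,
    or None if it is not among the first `limit` candidates."""
    for n, cand in enumerate(candidate_stream(personal_info), start=1):
        if n > limit:
            break
        if cand == password:
            return n
    return None


if __name__ == "__main__":
    # ("Rex",) stands in for a pet's name harvested from social media.
    for pw, info in [("password1", ()), ("nachos123", ()),
                     ("n@chos123", ()), ("Rex2008", ("Rex",)),
                     ("tlpWENT2m", ())]:
        print(f"{pw:12s} -> guess #{guess_position(pw, info)}")
```

The interesting output is not the small absolute numbers (the lists are toy-sized) but the shape: every password built from a word, a year or a name is reached by a fixed, enumerable procedure, and feeding the generator one personal detail is enough to pull “Rex2008” into range. A password derived from a private sentence contains no dictionary root for the rules to mangle, so the stream runs out without finding it.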

Continue reading this post about choosing strong passwords.


Have you defined your Insider Threats?

Monday, November 24th, 2008


Cisco recently released a whitepaper about data leakage worldwide and the resulting costs. The global study, polling more than 2000 employees and IT professionals in 10 countries, indicated that insider threats were far more prevalent than previously thought.

Cisco commissioned the security study from InsightExpress in order to understand whether social and business cultures had any impact on data leakage. The results indicate that “insider threats”, meaning uninformed, careless or disgruntled employees accidentally or deliberately doing something that exposes data, have the potential to cause greater financial losses than outside attacks on the company. In the context of this survey, every device capable of storing data also counted toward the “insider threat”, since the loss of such devices poses a high risk.

Cisco put together two papers focused on employee behavior that could put corporate data at risk. The papers found that IT professionals are often unaware of the employee behaviors which put data at risk – this obviously makes preventing loss quite the challenge.

The study examined the effectiveness of security policies – how they are created, communicated and how compliance is enforced. The lack of a policy and compliance with existing policies were large factors in data loss. Unfortunately, the survey showed that IT professionals lack an awareness of how many employees understand and comply with security policies.

Highlights from the study:

  • 39% were more concerned about the threat from their own employees than the threat from outside hackers
  • 33% were most concerned about data being lost or stolen through USB devices
  • 27% admitted that they did not know the trends of data loss incidents over the past few years
  • 43% said they are not educating employees well enough
  • 19% said they have not communicated their security policy to employees well enough
  • 9% reported that they have lost or had their corporate device stolen (26% of those experienced more than one incident in the past year)
  • IT professionals believe that the slipping of employee behavior, in terms of safeguarding intellectual property, stems from too much information being dealt with (48%) and a growing apathy towards security brought on by faster-paced jobs (43%)
  • 11% reported that they or fellow employees accessed unauthorized information and sold it for profit, or stole computers

The study concludes that a lack of awareness and of diligence, as well as deliberate defiance, pose a significant risk of data loss. The report lumps the loss of laptops and other portable devices in with the “diligence” section, for the most part. Sadly, most lost-laptop reports back up the findings: employee behavior is to blame for the lack of data safeguards on laptops. Leaving laptops logged on, leaving passwords in sight, leaving laptops in cars, and so on.

“Preventing data leakage is a business-wide challenge. IT professionals, executives, and employees at every level of responsibility must work together to protect critical data assets…

Like outsider threats, addressing the insider threat demands a comprehensive approach that includes education, policy, and technology.”

The recommended approach focuses on education and accountability. Technology can help as well; Absolute’s Computrace solutions, for example, address some compliance issues by tracking assets and the software installed on them.

Download link: Data Leakage Worldwide White Paper: The High Cost of Insider Threats [PDF]

Beware: Social Engineering

Thursday, November 20th, 2008

Joan Goodchild has put together an article entitled “Social Engineering: Eight Common Tactics” for CSO Online. Knowing some of these tricks, and integrating tips such as these into regular employee training, can help ward off some of the threats to data security. Several of the tactics involve employees unwittingly giving information to criminals over the phone, while others are more traditional cybercrime issues.

“Social engineering is the art of manipulating people into performing actions or divulging confidential information… The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” - Wikipedia

8 Common Social Engineering Tactics to Avoid

  1. Ten degrees of separation - criminals may try to draw out information from “front line” employees, each time gaining enough to reach employees further inside the organization. Another tactic is to be friendly, slowly drawing out more and more information over several contacts.
  2. Learning your corporate language - if a criminal sounds familiar, you may lower your guard and disclose confidential information
  3. Borrowing your ‘hold’ music – to pretend to be calling from inside the company
  4. Phone-number spoofing – as above
  5. Using the news against you – as lures for spam, phishing and other scams. Particularly dangerous if tailored to company news.
  6. Abusing faith in social networking sites – the article suggests typing site names manually rather than clicking links
  7. Typo squatting – registering look-alike web URLs that catch mistyped addresses
  8. Using FUD to affect the stock market - FUD = fear, uncertainty, doubt. Can be used in a number of ways to manipulate stock prices.
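Items 6 and 7 above are the ones a defender can check for mechanically. As an added example (not code from the CSO Online article or from this blog), the script below enumerates the single-keystroke typo variants of a trusted domain, the kind of names a typo squatter registers, and flags any link host that lands on one, which is exactly the mistake “type the site name manually” is meant to avoid. The trusted-domain list and the QWERTY adjacency table are constructed for the demo; a production tool would use a full keyboard layout, more mangling classes (homoglyphs, hyphenation, bit-flips) and a feed of newly registered domains.

```python
"""Enumerate typo-squat variants of trusted domains and flag look-alikes.

Added example for this post; not code from the CSO Online article.  The
adjacency map covers the letter keys only and the TLD swap list is short
(assumption: a real tool would use a full layout table and many more
mangling classes)."""

# Neighbouring keys on a QWERTY layout, letters only.
ADJACENT = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "adwx", "d": "sfec", "f": "dgrv", "g": "fhtb",
    "h": "gjyn", "j": "hkum", "k": "jlio", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
TLD_SWAPS = ["com", "co", "net", "org", "cm"]


def typo_variants(domain):
    """Return the set of look-alike domains one keystroke away from `domain`:
    a dropped letter, a doubled letter, two adjacent letters swapped, a
    neighbouring key hit instead, plus common top-level-domain swaps.
    The trusted domain itself is never included."""
    label, _, tld = domain.lower().partition(".")
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                   # omission
        labels.add(label[:i] + label[i] + label[i:])            # doubled
        if i + 1 < len(label):                                   # swap
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for key in ADJACENT.get(label[i], ""):                   # fat-finger
            labels.add(label[:i] + key + label[i + 1:])
    labels.discard(label)
    labels.discard("")
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in TLD_SWAPS if t != tld}
    return variants


def lookalike_of(host, trusted_domains):
    """Return the trusted domain that `host` is a typo-squat of, or None.
    A host that is the trusted domain or one of its subdomains is accepted;
    a host whose registrable part is a typo variant is flagged."""
    host = host.lower().rstrip(".")
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if host == trusted or host.endswith("." + trusted):
            return None
    for trusted in trusted_domains:
        for variant in typo_variants(trusted):
            if host == variant or host.endswith("." + variant):
                return trusted
    return None


if __name__ == "__main__":
    # Constructed allow-list for the demo.
    trusted = ["facebook.com", "linkedin.com"]
    for host in ["www.facebook.com", "facebok.com", "login.faceboook.com",
                 "facebook.co", "lnikedin.com", "example.com"]:
        print(f"{host:22s} -> {lookalike_of(host, trusted)}")
```

Used on inbound mail or a web proxy log, `lookalike_of` turns the “don’t click, type it” advice into something that can be enforced; the same `typo_variants` output is also the list a company would register pre-emptively or watch for in new domain registrations.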

You can read the full details here. You can also read the latest McAfee Security Journal report about the increase in use of social engineering techniques in cybercrime.

Also of interest, ScanSafe has released the 3rd quarter results of their Global Threat Report. [PDF]

Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get work done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages by overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online

Turning Employees into Security Assets

Tuesday, September 16th, 2008

Glen Kosaka has a feature article on CSO Online entitled “Five Ways to Turn Employees into Security Assets for Protecting Data”. Considering that employees are often the source of data breaches, this is a look at how to turn your employees from security liabilities into security assets. While some data breaches happen as the result of genuine accidents, many are avoidable.

The 5 recommendations for turning employees into security assets are:

  1. Make data security part of the company culture - getting department managers involved in locating sensitive data & setting access, use & protection policies; training employees for their own use and on ensuring others observe policies
  2. Integrate data leak prevention processes into overall workflow – have policies on data access & tracking that extend to new data, new employees, new departments and for mobile computing (or other new threat vectors)
  3. Make employees feel like security assets, not liabilities – with training and awareness programs
  4. Prevent the temptation to engage in “harmless” policy violations – by clarifying grey areas like taking data offsite, copying or storing data and transporting data
  5. Teach employees about policies while enforcing them – take action quickly and block actions that are not desirable. Have data leak protection technologies to monitor and prevent leaks, but also to educate employees if they try to do something that is against policy.

Read more details about these recommendations here.

Creative Laptop Security Training

Tuesday, September 16th, 2008

I’ve previously written about some creative techniques for laptop security training in the office (see: Mission: Laptop Security, Guerilla marketing security campaign), but this one trumps those in terms of impact. This technique is sure to be remembered – and that’s rather the point.

Augusto Quadros Paes de Barros wrote on Security Balance about visiting a company whose employees work almost exclusively on laptops. Each employee is given a laptop security cable, as part of their security training, but the unique aspect comes into play when the cable is forgotten.

When an employee forgets to use the security cable, an IT support employee will “steal” the laptop and leave a note in its place. The note indicates that the laptop has not been stolen, but was taken to another room to illustrate how easily it could have been. Granted, a security cable isn’t the be-all and end-all of laptop security. It’s a theft deterrent and should be used alongside other security measures, like a theft recovery service. But if you’re a thief choosing between a laptop with a cable and one without, you’d probably go for the one without.

Comments on his post indicate that this practice has been used by other companies, some of which place the laptop in the boss’ office. Another incentive not to get “caught.”

What do you think of this technique?
