risk management, business management security, security awareness
Streetwise Security Zone Community




You can contact Scott Wright by phone at 1-613-693-0997 or by email at scott@streetwise-security-zone.com

 

 



Featured Blogs / Podcasts / Articles

Where should security effort be focused these days? (ScottWright)
posted Fri January 27th 2012 @ 7:01 AM

Yesterday, I was on a panel at the Information Systems Security Association’s Ottawa Chapter meeting. We had a great discussion on the security challenges of 2012. Clearly, there is a lot of concern among security professionals around the threats and vulnerabilities related to mobile devices and about outsourced data and services that are said to be in “the Cloud”. The other members of the panel included Greg Young (Gartner) and Chris Ellis (McAfee). They had some great insights on what organizations are doing, and should be doing, about these issues.

If you think you use mobile devices securely, consider this new Sophos data (ScottWright)
posted Wed December 28th 2011 @ 8:10 AM

New data from an innovative study by security software vendor, Sophos, shows an egregious lack of security awareness among the owners of USB drives that were lost.

How do they know?  They bought 50 devices at a Sydney, Australia rail company's auction of “lost and found” items. It was a great way to obtain a real sampling of what kind of security practices people apply to their USB drives. But what they found should make you stop and think about how you protect your own mobile devices.

Here’s a quick snapshot of the Sophos findings, and their lessons learned.

Malware is Everywhere

Two-thirds of the devices had malware on them that is known to infect Windows systems. Seven infected devices were clearly owned by Mac users, who would have been spreading this malware, even if their machines did not become infected themselves.

Lesson #1: Remember to scan any device that has been used in another computer (i.e. from friends, coworkers, or even your own device if you lend it to somebody to copy a file for you). Even Mac users should now use anti-malware protection. So, you have to assume that every device around you is infected with hostile malware.

Nobody Protects Sensitive Data on Mobile Devices

None of the devices had any kind of safeguards applied to them such as encryption, biometric or password protection. So, all of the data was easily accessible, and included documents related to personal taxes, activist meetings, university assignments, family photos, CVs and source code of software programs.

Lesson #2: Use encryption to protect any files you put on a USB device. You never know when or where it might be lost, and to what risks you might be exposing yourself.

Here’s a link to the original Sophos blog post with the description of their study.

http://nakedsecurity.sophos.com/2011/12/07/lost-usb-keys-have-66-percent-chance-of-malware

Conclusion

So, this kind of study shows how lax most of us still are with respect to protecting our mobile data and devices.

We are clearly not getting any better at managing the risks of mobile device usage. In upcoming columns I plan to discuss more about mobile risks around other types of mobile devices that we all use on a daily basis.

Unfortunately, I expect that 2012 will be a particularly bad year for mobile risks. With the explosion of powerful new phones and tablets, and very little in the form of inherent security features in operating systems like Android, we are all on our own when it comes to making sure we don’t get burned by the convenience of these new devices.

How ID badges can hurt security and what can be done about it (ScottWright)
posted Wed November 9th 2011 @ 6:00 AM

Most of us accept the need for ID badges in organizations that have more than a few people who recognize each other. It makes sense that we need a way to recognize those who are authorized to be there, even if we don't know them personally. ID badges help fulfill this need, for the most part. But they can be a weak link in security of the organization.

Using fun and games to engage employees for security awareness (ScottWright)
posted Fri October 7th 2011 @ 8:02 AM

For those of you who may have just realized that October - National Cyber Security Awareness Month (NCAM) - is upon us, or just passed us by, and are looking for a quick way to engage and educate staff on security awareness issues, I may have just what you need.

I have just created an Intranet-based security quiz game, currently called “The IT InSecurity Challenge Game”. The format might look familiar to anyone who has watched TV game shows.

It may seem sacrilegious to put something as serious as Information Security into a context of casual fun, but from my experience, this is an effective tool. 

Please watch the short video above and let me know what you think.

Implementing a robust Intranet that leverages social media technology (ScottWright)
posted Wed July 27th 2011 @ 7:16 AM

For a while now, I have been keeping an eye out for technologies that might help organizations leverage social media securely, within an Intranet environment for business purposes. Recently, I came across a success story about the Canadian Medical Association’s recent implementation of a social Intranet using an out-of-the-box product by ThoughtFarmer. That article (posted on the ThoughtFarmer blog) tapped the CMA project leader, Tanis Roadhouse, for tips on some of the key points in her blueprint for the CMA site’s implementation. So, I decided to check into the story.

The article showed that Tanis, while not being a life-long IT project leader, was pretty well organized, and showed some thought leadership. Here’s a summary of her 7-point blueprint for building a social intranet:

Facebook Facial Recognition, Linked In Vulnerabilities and More in Ep. 25 of the SMSEC Podcast (ScottWright)
posted Wed July 13th 2011 @ 6:52 AM

In our 25th episode, we discuss:

- Linked In vulnerability to session hijacking
- Facebook 2-factor authentication
- Facebook facial recognition
- Firesheep for Android phones (FaceNiff)
- Linked In, Foursquare and Netflix on Android store passwords in unencrypted files
- Social media background checks

If People Make Bad Electoral Voting Decisions, Will Improving The Technology Help? (ScottWright)
posted Sun July 10th 2011 @ 5:09 PM

Recently, the US Department of Homeland Security did a penetration test that was very similar to the Honey Stick tests that I started doing in February, 2008. I was not surprised at the results they published, which said that 60% of the employees put their systems at risk by plugging in the devices they had found lying around in parking lots, etc. My results from the Honey Stick Project showed that about 65% of the time, people in the general public who found my devices (in food courts, elevators, lobbies and street corners) would make essentially the same bad decisions.

What surprised me in this study were the comments made by people who read the story.

Maybe Security Pros Look Too Much Like Hackers [Dilbert] (ScottWright)
posted Tue July 5th 2011 @ 8:28 PM

OK. So, this cartoon is not really about security people and hackers, but it made me think of them. So, there's that.

In the security world, there's often some truth to the old saying, "It takes one to know one." When it comes to recognizing, characterizing, tracking down and neutralizing hackers, security professionals have to think like their adversaries. They shouldn't necessarily look and act like them, but often they do.

What Do Security Practitioners Argue About When Nobody is Watching? (ScottWright)
posted Wed June 22nd 2011 @ 9:50 AM

Martin McKeay, who hosts the Network Security Podcast (and one of the originals who inspired me to get into blogging and podcasting) hosted an interesting round-table discussion on June 7, 2011, on the topic of “Which is easier: teaching security guys about the business issues, or teaching business people how to do security?”

The knock-em-down-drag-em-out panel included:

  • Rafal Los (White Rabbit blog)
  • Boris Sverdlik (Jaded Security blog)
  • Mark Nunnikhoven (his own blog)
  • Damien Tommasino (Security Nut blog); and of course
  • Martin McKeay (Martin's blog and the Network Security Podcast)

This discussion illustrates exactly how security guys like to argue. I was really impressed that these guys each brought a slightly different viewpoint to the discussion. The most encouraging thing about this 1-hour podcast is that it’s begging for more cross-pollination between business executive management and security professionals. The discussion included topics such as:

A great site for testing your phishing knowledge from Verisign (ScottWright)
posted Thu June 16th 2011 @ 6:34 AM

One of the biggest risks I'm seeing across all industries is Phishing - that is, luring computer users to dangerous websites that attempt to infect your system or steal your identity. It's really getting much harder to recognize not only the links that take you to these sites when you encounter them in emails or on web pages, but what these pages might look like, if you actually end up at one. The sooner you leave the site, the better. But how do you know what they look like?

Verisign has created a great 10 question phishing test that uses side-by-side examples of legitimate vs. phishing sites. You have to look closely to see the sneaky things hackers will do to mimic legitimate websites and trick you into clicking on something in the site, or entering sensitive information like your password - it took me at least 2 minutes to find one of the fakes in the test. So, it's challenging, but very educational.


Featured Multimedia

How a data breach occurred from employee use of Facebook (ScottWright)
posted Mon February 7th @ 7:55 AM

This video animation (accessible to all registered members of the Streetwise Security Zone community) explains how any employee using social media like Facebook at home can unintentionally trigger a breach of their employer's network. Note that, as a member of the Streetwise Security Zone, you can share this video animation with non-members, so you can spread the word about the importance of thinking about security, both in the office and at home.


What is the Streetwise Security Zone?

  • A place to learn about current security threats and news in non-technical language, and understand how your business and personal information can be impacted
  • A place for business managers to collaborate on security challenges and learn from each other
  • A place to discuss Security Awareness and Security Management concepts and approaches


Get a FREE copy of the "Streetwise Backup and Recovery Tips for Home Users" paper by taking our quick survey on how your organization views security awareness education.
We'll send you a copy of the survey results, and a free copy of our "Streetwise Backup and Restore Tips for Home Computer Users". This report is useful for families and for businesses who let their staff connect to the office network from home.

Streetwise training options for any business

Security awareness training options for your business:

  • "Live In-Person Training Sessions" for focused, event-based interactive training and discussion
  • "Live Online Webinars" for cost-effective and interactive staff education
  • "Computer Based Training" packages for general staff, management or technical staff (IT administrators and R&D specialists)

Reasons to join The Streetwise Security Zone

For Executives - Learn how you can "walk the talk" and protect your organization's future growth from being sabotaged by rapidly evolving information threats, or by your own "Accidental Adversaries".

For IT Staff - Learn how to communicate effectively with management and staff about security awareness, and find innovative ways to keep everybody engaged in securing the information they handle in their jobs.

For Everybody - Learn how to effectively focus on the information risks related to your job, and find ways to provide feedback to management about what you need to do your job securely and efficiently.



"Your presentation sheds light on subjects that relate to everyone who touches a computer - I love that it is in "English" and easy to understand."





Simplifying security for your team to
"Work Smart and Work Secure"

Follow or message Scott Wright on Twitter as @streetsec...



Social Media Security

Facebook Privacy & Security Guide Updated to v3.0
(Fri, 25 Nov 2011 01:45:22 +0000)

I’ve finally updated the Facebook Privacy & Security Guide to version 3.0.  This is a major revision which includes directions on how to set the latest privacy and security controls in Facebook.  Maintaining this guide has been challenging over the last year as Facebook has made major changes multiple times in regards to the way [...]

Social Media Security Podcast 27 – Facebook Friend Unlock, The Anti-Facebook, Facebook Games
(Thu, 24 Nov 2011 17:58:19 +0000)

This is the 27th episode of the Social Media Security Podcast recorded November 11, 2011.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast: Locked Out Of Facebook? Your Friends Will Soon Be Able To Help You Get Back In Anti-Facebook Social Network [...]

The Security Catalyst

… emphasis he put on making sure that the audience are able to walk away with actionable insights
(Mon, 26 Dec 2011 03:11:06 +0000)

“I invited Michael to present as a featured speaker for the BrightTALK™ Cloud Security Summit. I was very impressed by the amount of preparation he put into the presentation, as well as the emphasis he put on making sure that the audience are able to walk away with actionable insights after watching his webinar. Michael [...]

 


FREE AUDIO TRAINING GUIDE

For your free one-hour audio guide to Facebook Privacy and Security click HERE.


FREE PODCASTS

You can listen to the Streetwise Security Zone Podcast by clicking HERE or the Social Media Security Podcast by clicking HERE.


AUDIO TRAINING PROGRAMS

Learn how to protect yourself while browsing the Web with our one-hour audio guide to Safe Web Surfing. Now, only $4.99 for non-members, and $3.99 for members.