Free security awareness articles
Originally posted - February 20, 2007
Policy is such a strange word. It can mean so many things in different contexts. Doing a Google search for “What is a security policy?”, I got some interesting results… including “A set of rules that says who can do what to whom”… really? The vast majority of search results I obtained relate to IT Security Policies. That’s not a bad thing, necessarily. But suppose you’re a Chief Security Officer. There’s more to your world than IT Security. Doesn’t a Security Policy deal with other things in “meatspace” (see my “Vernacular” section)? Given that there are so many different views, I thought I would spend a moment to discuss Security Policies.
What is a Security Policy? In my view, a Security Policy is “A clear, over-arching statement of an organization’s objectives with respect to protecting its facilities, assets, personnel, systems, resources, information etc.” It doesn’t (and shouldn’t) go into great detail about what specific safeguards are used. The policy should not have to change as technology changes, unless there are new risks to deal with.
A security policy may be defined at more than one level, with subordinate policies such as IT Security, Physical Security, Personnel Security, etc. that go into somewhat more detail. The subordinate policies still should not require frequent changes. Usually, the top-level roles are defined for the individuals responsible for the policies, so that people in the organization know who to bring issues to for clarification or changes to policy.
A Security Policy will also address universally applicable rules in the form of:
Once a good policy framework is in place, there should be Security Procedures that support each policy directive. They should be traceable from one document to another so that audits can easily verify that policies are being enforced.
Security Procedures detail the implementation and maintenance of safeguards that support the policies. They also specify which personnel roles are responsible for which activities, what activities need to be logged, and how often inspections and reviews are done either internally, or by third parties.
This is by no means a comprehensive lesson on Security Policy, but it may help you to recognize the difference between a policy, a procedure and a safeguard.
One more thing. A good Security Policy is usually readable and comprehensible to everyone in the organization. It can and should, therefore, be made available to the entire organization. This helps with Security Awareness and lets people understand why the safeguards are in place. For a good discussion of IT Security Policies, visit the SANS security education site. If you have comments or know of other good policy resources, please post a comment.
Scott Wright
The Streetwise Security Coach
http://www.streetwise-security-zone.com
Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
LinkedIn: http://www.linkedin.com/in/scottwright
Originally posted - February 15, 2007
Sometimes even the most innocent little thing has a security risk attached to it. When you are sent a good joke or, heaven forbid, a cool animated novelty email, it’s easy to imagine that many of your friends would like to see it, too. While some are legitimate, many of the novelty emails are hiding a malicious program that will infect machines when opened. Let’s assume that you, or your organization have had it drilled into your head not to open email attachments from people you don’t know or trust. That’s great. Now, take a look at the recipient list on those emails you have received and forwarded on to all your friends. Does it show the names and email addresses of others who received it? That’s a BAD thing. One reason it’s bad is that it is revealing the names and email addresses of a lot of people to other people whose only connection to each other is probably the sender. This is not always welcomed by everyone. Not everyone wants to be widely reachable by email.
The other reason it’s bad is that eventually that message, with all those email addresses in it, will find its way into the hands of a spammer. How? Any one of the recipients who doesn’t have up-to-date antivirus software running can have a virus, worm or Trojan Horse program they don’t know about running on their computer. These nasty little things can read your email and address books, just looking for addresses to send SPAM to.
So, when you, or someone in your organization has the urge to forward an amusing email, please use the Blind Carbon Copy feature in your email software. It’s sometimes shown as BCC: or Bcc: and it hides the email addresses of anyone else the message was sent to where the sender put their address in that field. It’s a good way to keep those addresses out of the hands of unintended recipients.
For more info see here.
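As an added illustration of the BCC advice above (example code, not from the original post), the following standard-library Python builds a forwarded message with every real recipient in Bcc, strips that header before the message is serialized so the addresses survive only in the SMTP envelope, and separately counts how many addresses a received message exposes in its visible To:/Cc: headers. The sender and recipient addresses are constructed samples.

```python
"""Added example: forwarding with Bcc, and checking a message for exposed
recipient addresses. Uses only the Python standard library."""
from email.message import EmailMessage
from email.utils import getaddresses
from email import policy
from email.parser import BytesParser

# Constructed sample recipients (not real people).
FRIENDS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_forward(sender: str, recipients: list[str], subject: str, body: str):
    """Return (message_bytes, envelope_recipients).

    The sender goes in To: and every real recipient in Bcc:. The Bcc header
    is deleted before serializing, which is what a mail client does before
    the message leaves; the addresses are kept only in the envelope list
    returned alongside the bytes, so no recipient sees the others.
    """
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = sender                      # visible header shows only the sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [addr for _, addr in getaddresses(msg.get_all("Bcc", []))]
    del msg["Bcc"]                          # never let Bcc reach the wire
    return msg.as_bytes(), envelope


def exposed_recipients(raw: bytes) -> list[str]:
    """Return every address visible in To:/Cc: of a raw message.

    A long list here is exactly the leak the post warns about: any one
    recipient's infected machine can harvest all of them.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


if __name__ == "__main__":
    raw, env = build_forward("sender@example.com", FRIENDS, "Fwd: joke", "Enjoy!")
    print("envelope recipients:", env)
    print("addresses visible in headers:", exposed_recipients(raw))
```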
Originally posted - February 14, 2007
What’s interesting to me is the difference between what we think we need now, and what will help us get to a better place. The questions we ask may be what determines how soon we get there. (Deep, I know, but there is a simple point I’m leading to.) To paraphrase Bruce Schneier, we shouldn’t worry too much about the bad things in the news because they hardly ever happen… that’s why it’s called NEWS.
If we had a better security awareness model, we might start asking better questions. Many of us spend time worrying about being a victim of the latest spectacular risk making news. We find it interesting to recount the details with friends and make predictions, but our more pressing risks are hardly ever talked about. Few people seem to understand how to prioritize their risks. We won’t make much headway, as a society, in the battle for control over our computers, workplace, schools, etc. until the majority of us figure out some basic principles.
The reason I say “the majority of us” is that many of today’s risks exist because not enough of us are aware of how to manage risks. We don’t all need to know how to manage risk, but effective risk management depends heavily on general awareness of the population - specifically, what are the “best practices” to reduce risks. This topic is often cited as an essential part of Security Management, but I believe it is still the weakest link. It doesn’t get a lot of mention in press because there aren’t a lot of technologies and new developments that make it newsworthy.
In his book “The Tipping Point” by Malcolm Gladwell, I see some interesting clues as to how we can approach security awareness with an expectation of success. The basic premise is that “social epidemics” (sometimes called fads or trends) share a lot of characteristics with biological epidemics, which we can learn from. Specifically, there are conditions that make it more likely that a social epidemic will spread as an identifiable trend.
So, if we want to raise the level of security awareness within a population, an enterprise or an institution, we can apply some of the observations from The Tipping Point by doing the following:
OK, it may sound complicated, but it can be applied systematically, and at any level of society. I am not the only person who has noticed this possibility. (See Joe Knape’s post “What We Have Here is a Failure to Communicate” on the Security Catalyst blog.) But I am surprised that more people haven’t explored the idea further.
The simple premise is, once you can find a systematic way to bring a compelling, or “sticky” message to the right individuals in a population, the tipping point can be reached, and an “epidemic of awareness” is much more likely. This will make a security manager’s job much easier on a daily basis. Together with the right feedback mechanism, this can be sustained as people become aware that their “best practices” are making a difference. Then individuals will have more confidence in where they need to be (in terms of prioritizing risks), and we will all get much closer to where we should be (in terms of total security posture or exposure to risk).
If you have any ideas on how this model might already be working for security awareness, please let me know. If not, please read “The Tipping Point” and then send me your comments.
NOTE: When you do a Google search on “Tipping Point” together with “Security”, you will find many hits on a company by the same name that sells computer network security equipment (I believe they were acquired by 3M not long ago). It’s not hard to imagine an eager Product Marketing Manager thinking “Wouldn’t it be a great name for a solution which, once it reaches a threshold of deployment, could spread everywhere and save the world?” Yes, it would be. Sadly, however, the answers to the questions we are asking do not seem to be coming out of technology, but they may be found in sociology (if we’re lucky).
Originally posted - February 11, 2007
It seems that Voice-Over-IP (VOIP) is a technology that will inevitably spread to every corner of the space-time continuum. Things like this don’t spread unless there is a real economic value to somebody. So, what does this mean for enterprises? Are employees installing VOIP phone software like SKYPE on your organization’s computers? Are they loaded with spyware? It’s probably not as bad as it might sound, but there are VOIP security issues that impact the enterprise, regardless of whether it is a sanctioned practice or not. Once again, the Security Round Table podcasts are a great source of background to get us up to speed on the issues. I believe it’s in Episode #5 of the 2006 series of SRT podcasts where guest expert Dan York, of the BlueBox Podcast, helps unravel some of the panel’s probing questions.
The main things I think are important to note for Security Managers are:
So, aside from the basic problem with having staff installing software on machines connected to a network, VOIP technologies probably don’t pose as many security risks as one might imagine. The benefits of more cost-effective voice communications are clearly being realized. However, it’s a newish and evolving technology that must be monitored if you plan to allow it, or even deploy it, within an organization.
Originally posted - February 7, 2007
Mike Rothman, the Pragmatic CSO, feels that McAfee is making a big Hullabaloo (my paraphrasing - with the obligatory apologies to any Hullabaloonians in the crowd) about Mobile Security Risk Management that nobody is likely to buy. I agree that there’s probably nobody to sell the idea to right now who has the money to do anything about it except the carrier networks. But as I understand it, once SPAM, SPLOG and SPIT become somewhat less easy to exploit (isn’t VISTA supposed to help there?), the perps will move on to the next easily exploitable medium. Just like war-dialers, what’s to stop them from sending SMS messages to all known or likely cell phone number ranges?
I expect to be getting a lot more of these annoying messages any day now. The carriers are the ones who are going to have to deal with the fallout before anything gets done to stop it. The latest SuperBowl ad from Rogers (Canadian carrier) touts “Fewer dropped calls”. Soon it may be “Fewer Mobile Spam (MoSPAM?) messages”.
Why won’t it happen? Let me know.
The bottom line is that an employee can bring down some organizations' operational information systems these days with a single innocent click - sometimes with greater ease than if they were actually trying.
Firewalls and anti-virus technologies are quickly becoming insufficient because of things like "Drive-By Downloads" and "Zero Day Threats" launched through phishing email attacks. You really need to balance technology and human safeguards like awareness.
I've been working on creating materials that can be used to help promote security awareness initiatives.
In the File Sharing area of The Streetwise Security Zone, I have uploaded a PowerPoint slide deck that explains why technology safeguards are not enough when it comes to protecting enterprise information from attackers.
Members of The Streetwise Security Zone can find it by clicking HERE.