

  Scott Wright's Security Views
Blog Entry

Don't blindly accept all privileges requested by mobile apps (they often don't need all of them)

Saturday, February 28th 2015 @ 7:28 AM

Most of us have probably downloaded at least one app to our mobile devices or phones by now. But have you ever noticed what they are asking for when you download them? Often they don't need access to all the resources on your device that they are requesting.

I recommend unchecking anything that doesn't seem like it's needed when the security screen appears. If they are asking for access to your contacts or documents, but the app is just a game that shouldn't need access to anything, you should start by unchecking them.

If the app really needs those things to work, it will tell you, either right away, or when you try to run it. This may sound like an inconvenience, but do you really want a game manufacturer to have access to all your contacts? I don't.

It's not always easy to figure out what the permission actually does, or why they need it. But it's easy to get into the habit of just accepting what's requested. I don't think this is a good idea, from a security point of view.

Most iPhones and iPads don't bother asking when you install an app, but the apps may ask for things like Location Services when you try to run them.

Android devices usually tell you what services an app wants permission to access.

My Blackberry also has a number of items that apps can request permission to access when they are downloaded. I uncheck any that don't make sense. Then if I get an error, it usually tells me what needs to be turned on for it to work.
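As an added example that is not from the post, here is a small Python check of the kind a reviewer or device administrator can run over an Android manifest before approving an app: it lists the permissions the app requests and flags the sensitive ones that an app of the stated category has no obvious use for, which is the same "does a game really need my contacts?" question the post asks, applied before install. The manifest is constructed for a hypothetical game, and the mapping of app categories to the resources they plausibly need is an assumption for illustration, not a store policy.

```python
# Added example (not the post's own code): flag Android manifest permissions
# that an app of a given category has no obvious need for.
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the user resource they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call log",
}

# Assumption for illustration: which resources an app of each category
# plausibly needs.  A game needs none of the sensitive ones.
EXPECTED_BY_CATEGORY = {
    "game": set(),
    "navigation": {"location"},
    "messaging": {"contacts", "camera", "microphone"},
}


def requested_permissions(manifest_xml):
    """Return the permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def unexpected_permissions(manifest_xml, category):
    """Return (permission, resource) pairs that look excessive for the category."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    flagged = []
    for perm in requested_permissions(manifest_xml):
        resource = SENSITIVE.get(perm)
        if resource and resource not in expected:
            flagged.append((perm, resource))
    return flagged


# Constructed manifest for a hypothetical game that asks for more than it needs.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, resource in unexpected_permissions(GAME_MANIFEST, "game"):
        print(f"review before accepting: {perm} ({resource})")
```

Harmless permissions such as INTERNET and VIBRATE are not in the sensitive table, so they pass silently; the output lists only the contacts and location requests, which is the same pair the post tells readers to uncheck first.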


Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Scott Wright on LinkedIn 

To download my FREE Security Management Resource Guide now, and to receive my series of Streetwise Security Tips, as well as my Streetwise Security News and updates click HERE.

Blog Entry

How can you tell if your organization is set up to defeat attackers or your auditors?

Friday, February 27th 2015 @ 9:24 PM

Sometimes, we get confused about who the enemy actually is. While businesses should be defending themselves against hackers and phishers, they often just want to get the auditors and regulators off their backs.

How can you tell whether you're fighting the wrong battle? Here are some clues that you might be fighting the people who are supposed to be protecting your organization:

1- Has the top item on your desk for the last 3 months been one or more compliance checklist items?

2- Is your performance bonus based on passing an audit or compliance check?

3- Do people around you at work laugh when you mention security or compliance?

While it may seem like the security and compliance folks in your organization are out to make life difficult for you, that's not really what they are there for. Sure, there are lots of reasons people may think your audit or compliance group is out of control and counterproductive. But the real purpose of audit is to monitor performance indicators, and to provide triggers for management to take action to correct situations that can get the organization into trouble.

Bringing the teams together

What should really be happening in a healthy security culture is that the security experts are not only consulted regularly, but included early on in projects and initiatives, as allies.

If you can't see yourself treating those who should be the good guys as allies, you probably have some major organizational issues that need to be fixed. This may not be news to you, but if the organization is set up in a way that pits internal groups against each other, then it's likely that you need to take it up with management. You can't blame a compliance group for trying to do their job, but you can rise above the politics and try to do the right thing, so you can show people you're all fighting for the same team.

What happens in real life when you're fighting against the auditors and regulators

The tongue-in-cheek self-assessment above was inspired by Brian Krebs' recent article on the Carbanak gang's bank fraud, in which several hundred million dollars was stolen from dozens of banks around the world through a phishing scheme that targeted bank employees. Brian explains what he thinks is one of the root causes of the vulnerabilities within the targeted financial institutions in this case:

"Most organizations — even many financial institutions — aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response. This “security maturity” graphic nicely illustrates the gap between these two types of organizations."

If you have identified any other tell-tale signs that your organization may be fighting the auditors instead of the bad guys, please let me know about them.



Blog Entry

When choosing passwords and security questions, spell words and names incorrectly

Monday, February 2nd 2015 @ 7:02 PM

Unless you have a mind like Mike Ross on the TV series "Suits", you probably struggle to come up with good passwords that you can remember. One of the common security guidelines for choosing passwords is to "not use dictionary words or even recognizable names." Unfortunately, however, this can make it hard to remember your new password, because you can't just choose words or names that mean something to you.

But one trick I've seen work pretty well for passwords, as well as security questions (the ones they ask you to remember when you register for an account, in case you forget your password) is to misspell a word or name intentionally. By this, I don't mean substituting a $ for the letter "s" or the number "0" for the letter "o", since attackers have dictionaries that automatically try all of these "clever" substitutions. I mean a simple, intentional mistake, like leaving one vowel out of a word, such as "bokkeepper" instead of "bookkeeper"; or repeating the second, third or fourth letter of a word, such as "Maarie" instead of "Marie".

Similarly, for security questions, the answer to the question, "What is your favorite pet's name?" could be: "Pnelope" (rather than Penelope).

There are also other variations on this strategy that can make it even stronger, such as adding (not substituting) a number or special character in the middle of a word (e.g. "Pn%elope"). Then, if you're forced (or decide) to change your password, you can simply shift the number or use a different one. Then all you have to remember is how you are changing that character.

If you use this approach consistently, without telling anyone, then you should be able to base your passwords on things you can remember, but somebody using a dictionary attack will not find it. Even somebody who may be able to guess the names or words you are likely to use will not realize that you spelled it differently in your password.

Just remember to never tell anyone what your "bad spelling" strategy is, or even that you use intentional spelling errors. Of course, it's always better to base your incorrectly spelled words on things or people that nobody else would guess, in case they do find out your strategy. If they know it, they will probably start their attack by guessing variations on people and things they know are meaningful to you, like family members, pets and special dates.
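As an added illustration that is not part of the post, the following Python password-screening check shows the point about substitutions from the defender's side. It undoes the common "$" for "s" and "0" for "o" style replacements before comparing a candidate against a word list, so "Pa$$w0rd" still counts as the dictionary word "password", while the post's "bokkeepper" (one vowel dropped and one consonant doubled) matches nothing. It also applies a one-edit tolerance of the kind a password screener or a rule-based cracking dictionary can use, under which a single omitted or repeated letter such as "Pnelope" or "Maarie" is still flagged as near a dictionary word, which is why the post's closing advice to build on words nobody else would guess carries real weight. The word list and substitution table are constructed for the example.

```python
# Added example (not the post's own code): screen a candidate password against
# a word list after undoing common character substitutions.
import re

# Constructed mini word list; a real screener loads a full dictionary.
DICTIONARY = {"password", "bookkeeper", "penelope", "marie", "welcome"}

# Reversal of the "clever" substitutions the post says attackers already try.
LEET_REVERSE = str.maketrans({
    "$": "s", "5": "s", "0": "o", "1": "l", "3": "e", "4": "a", "@": "a", "7": "t",
})


def normalize(candidate):
    """Lower-case the candidate and map substituted characters back to letters."""
    return candidate.lower().translate(LEET_REVERSE)


def letters_only(text):
    """Drop inserted digits and symbols, e.g. 'pn%elope' -> 'pnelope'."""
    return re.sub(r"[^a-z]", "", text)


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Return 'dictionary', 'near-dictionary' (within one edit), or 'ok'."""
    norm = normalize(candidate)
    if norm in DICTIONARY:
        return "dictionary"
    core = letters_only(norm)
    if core in DICTIONARY:
        return "dictionary"
    for word in DICTIONARY:
        # Length pre-check avoids computing distances that cannot be <= 1.
        if abs(len(word) - len(core)) <= 1 and edit_distance(core, word) <= 1:
            return "near-dictionary"
    return "ok"


if __name__ == "__main__":
    for sample in ["Pa$$w0rd", "bokkeepper", "Pnelope", "Pn%elope", "Maarie"]:
        print(f"{sample:12} -> {classify(sample)}")
```

The verdicts line up with the post's examples: the substitution-only password is a plain dictionary hit, the single-letter misspellings sit one edit from their base word, and "bokkeepper" is two edits away and passes. Raising the edit tolerance is a defender's choice, but each step up also rejects more legitimate passwords, so the more dependable protection is the one the post ends on: an unguessable base word rather than a predictable tweak to a guessable one.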



Copyright 2012. Security Perspectives Inc. All Rights Reserved.