Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.
February 2015 Posts
Sometimes, we get confused about who the enemy actually is. While businesses should be defending themselves against hackers and phishers, they often just want to get the auditors and regulators off their backs. How can you tell whether you're fighting the wrong battle? Here are some clues that you might be fighting the people who are supposed to be protecting your organization:
1- Has the top item on your desk for the last 3 months been one or more compliance checklist items?
2- Is your performance bonus based on passing an audit or compliance check?
3- Do people around you at work laugh when you mention security or compliance?
While it may seem like the security and compliance folks in your organization are out to make life difficult for you, that's not really why they are there. Sure, there are lots of reasons people may think the audit or compliance group is out of control and counterproductive. But the real purpose of audit is to monitor performance indicators and to give management the triggers it needs to correct situations that could get the organization into trouble.
Bringing the teams together
What should really be happening in a healthy security culture is that the security experts are not only consulted regularly, but included early on in projects and initiatives, as allies.
If you can't imagine treating those who should be the good guys as allies, you probably have some major organizational issues that need to be fixed. This may not be news to you, but if the organization is set up in a way that pits internal groups against each other, then you likely need to take it up with management. You can't blame a compliance group for trying to do its job, but you can rise above the politics and try to do the right thing, so you can show people you're all fighting for the same team.
What happens in real life when you're fighting against the auditors and regulators
The tongue-in-cheek self-assessment above was inspired by Brian Krebs' recent article on the Carbanak gang's bank fraud, in which several hundred million dollars was stolen from dozens of banks around the world through a phishing scheme that targeted bank employees. Brian explains what he thinks is one of the root causes of the vulnerabilities within the targeted financial institutions:
"Most organizations — even many financial institutions — aren’t set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response. This “security maturity” graphic nicely illustrates the gap between these two types of organizations."
If you have identified any other tell-tale signs that your organization may be fighting the auditors instead of the bad guys, please let me know about them.
Unless you have a mind like Mike Ross on the TV series "Suits", you probably struggle to come up with good passwords that you can remember. One of the common security guidelines for choosing passwords is to "not use dictionary words or even recognizable names." Unfortunately, however, this can make it hard to remember your new password because you can't just choose words or names that mean something to you.
But one trick I've seen work pretty well for passwords, as well as for security questions (the ones they ask you to remember when you register for an account, in case you forget your password), is to misspell a word or name intentionally. By this, I don't mean substituting a "$" for the letter "s" or the number "0" for the letter "o", since attackers' cracking tools automatically try all of these "clever" substitutions against every word in their dictionaries. I mean a simple, intentional mistake, like leaving one vowel out of a word (and perhaps doubling a consonant as well), such as "bokkeepper" instead of "bookkeeper"; or repeating the second, third or fourth letter of a word, such as "Maarie" instead of "Marie".
Similarly, for security questions, the answer to the question, "What is your favorite pet's name?" could be: "Pnelope" (rather than Penelope).
There are also other variations on this strategy that can make it even stronger, such as adding (not substituting) a number or special character in the middle of a word (e.g. "Pn%elope"). Then, if you're forced (or decide) to change your password, you can simply shift the number or use a different one. Then all you have to remember is how you are changing that character.
If you use this approach consistently, without telling anyone, you can base your passwords on things you can remember while keeping them out of the plain word lists a dictionary attack starts from. Be aware, though, that the cracking tools attackers use (hashcat and John the Ripper, for example) also apply "mangling rules" to each dictionary word, and deleting or doubling a single letter is among the standard rules, so a one-letter slip on its own buys less than it once did. Making two changes at once, or inserting a symbol in the middle of the word as described above, takes the password much further from anything a rule set will reach. Even somebody who may be able to guess the names or words you are likely to use will not realize that you spelled them differently in your password.
Just remember to never tell anyone what your "bad spelling" strategy is, or even that you use intentional spelling errors. Of course, it's always better to base your incorrectly spelled words on things or people that nobody else would guess, in case they do find out your strategy. If they know it, they will probably start their attack by guessing variations on people and things they know are meaningful to you, like family members, pets and special dates.
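To make the point about "clever" substitutions concrete, here is an added example (not code from this blog post, and not a real cracking tool) of a toy rule-based guesser modelled loosely on the mangling rules that tools such as hashcat and John the Ripper apply to a wordlist. The five-word wordlist, the three rules and the sample passwords are constructed for the demonstration; real rule sets and word lists are far larger. It shows that "Pa$$w0rd" falls to a single substitution rule, that one-letter slips like "Maarie" and "Pnelope" fall to a single deletion or duplication rule, that a two-change spelling like "bokkeepper" needs two rule applications (a much larger search), and that a symbol inserted mid-word, as in "Pn%elope", is not reached by these rules at all.

```python
"""
Toy rule-based password guesser, loosely modelled on the "mangling rules"
that cracking tools apply to each dictionary word.

Added example for illustration only. The wordlist, the rules and the
candidate passwords below are constructed for the demo.
"""
from itertools import product
from typing import Iterable, Iterator, Set

# Constructed mini-wordlist. A real attack uses millions of words and names,
# plus anything known about the target (pets, family members, dates).
WORDLIST = ["bookkeeper", "marie", "penelope", "password", "summer"]

# The "clever" substitutions the post warns about; each letter may also stay as-is.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
VOWELS = "aeiou"


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of keeping a letter or swapping it for a leet symbol."""
    choices = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in product(*choices):
        yield "".join(combo)


def drop_one_vowel(word: str) -> Iterator[str]:
    """Single-deletion rule, restricted to vowels (the "Pnelope" trick)."""
    for i, c in enumerate(word):
        if c in VOWELS:
            yield word[:i] + word[i + 1:]


def double_one_letter(word: str) -> Iterator[str]:
    """Single-duplication rule (the "Maarie" trick)."""
    for i in range(len(word)):
        yield word[:i] + word[i] + word[i:]


RULES = [leet_variants, drop_one_vowel, double_one_letter]


def case_variants(word: str) -> Iterator[str]:
    """Capitalisation is tried last, as most rule sets do."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(wordlist: Iterable[str], depth: int = 1) -> Set[str]:
    """All guesses reachable by applying at most `depth` rules to each word.

    depth=1 is what a cheap, fast attack tries; every extra level multiplies
    the number of guesses (and therefore the attacker's cost).
    """
    seen: Set[str] = set(wordlist)
    frontier = set(seen)
    for _ in range(depth):
        new: Set[str] = set()
        for w in frontier:
            for rule in RULES:
                new.update(v for v in rule(w) if v not in seen)
        seen |= new
        frontier = new
    out: Set[str] = set()
    for w in seen:
        out.update(case_variants(w))
    return out


def is_guessed(password: str, depth: int = 1) -> bool:
    """True if the toy attack reaches `password` within `depth` rule applications."""
    return password in candidates(WORDLIST, depth)


def report(password: str) -> dict:
    """Summarise whether one or two rule applications are enough to reach a password."""
    return {"depth1": is_guessed(password, 1), "depth2": is_guessed(password, 2)}


if __name__ == "__main__":
    for pw in ["Pa$$w0rd", "Maarie", "Pnelope", "bokkeepper", "Pn%elope"]:
        print(f"{pw:12} {report(pw)}")
    print("guesses at depth 1:", len(candidates(WORDLIST, 1)))
    print("guesses at depth 2:", len(candidates(WORDLIST, 2)))
```

Running the script prints which sample passwords are reached at one and two rule applications and how many guesses each level costs the attacker; the jump in guess count between depth 1 and depth 2 is the extra work a second deliberate "mistake" buys you, and the mid-word "%" is the only sample that no rule in this set reaches.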