SWSZP Episode 2 - December 20, 2008 - Governance by GraffitiSaturday, December 20th 2008 @ 8:15 AM (not yet rated)
In the audio podcast that goes with this post, I cover a lot of content that illustrates the interesting and important security issues that you should be staying in tune with. I hope you'll find good value in it. So, I'd appreciate any feedback you have on the audio content, structure or length. (To download the entire audio file now to your computer, instead of listening from this page, click the "down-arrow" in the audio control bar above.)
The following notes correspond to the content in this episode of The Streetwise Security Zone Podcast.
Note that the times identified below represent absolute times on the timeline, not durations.
Introduction - 0:00
The introduction gives a brief run through the topics covered in this podcast. The podcast is primarily oriented toward security training and education to empower employees to protect their information from social engineering, hackers, phishing attacks and other risks on the Internet.
Live Netcasts Announcement for Tuesday December 23rd, 2008 - 1:45
The first Live Netcast in The Streetwise Security Zone is set for December 23rd, 2008 at noon eastern time. You will have the chance to participate via live Text Chat to ask me questions and direct the focus of the session. You’ll need to join The Streetwise Security Zone as a Full Member (currently free, as of December 2008, but will eventually require a paid membership). Click HERE to get to the Netcast page.
Overview of "Governance by Graffiti" model - 4:40
Although Governance by Graffiti was a vague notion in my mind for the past year, it's only been recently that I've been able to articulate it in terms of a simple model. The general idea is that we need a way to empower people to exercise good information security and risk management at the personal level, in their jobs and at home. Policies will never be able to address what people should do in every situation they will encounter. At some point, we have to trust them to make good risk decisions. But they need tools to stay current with threats in a way that keeps them engaged and in a way that builds momentum among co-workers and business partners.
The concepts include Contingency, Trusted Connections, Personal Context, Input and Output Controls and Collaboration. Structured in this way, the model can be easily taught and used, and provides a "self-perpetuating" aspect that allows for empowerment from the ground up.
Security News - 9:15
1) Google Browser Security Handbook for Web application developers.
Click HERE for more information.
2) Phishing Emails and Spam (observations from Scott) - 10:10
3) Ponemon Survey of Risky Internet Application Use in the Enterprise - 12:20
The report is available for download by clicking HERE. But you will have to register at the site to download the report.
However, I recommend first reading the post in The Streetwise Security Zone forums under "Risks in the News"
available by clicking HERE.
4) The Honey Stick Project - 14:05.
Is your organization one click away from having its information systems griding to a halt due to risky decisions by your staff?
Check out the latest notes and results at http://www.honeystickproject.com
Risks in the News - 16:15
1) I'd like to thank Natasha Woods for posting an article by GFI's David Keller about the risks of using social networking in the enterprise. I hope to get Dave into a podcast discussion, but didn't have sufficient time in this episode to put it into the audio this week. But please check out the article by clicking HERE. Stay tuned for more in a future episode.
2) Microsoft recently announced a large surge in attacks on the Internet Explorer browser and has published a set of guidelines for protecting yourself. Click HERE for an overview article.
The critical patch is still worth downloading, even if you have Microsoft Update turned on. You'll need to find your version at the Microsoft link below:
I also recommend switching to the firefox browser at http://www.firefox.com and use the NoScript plug-in, also available at the Firefox site. Let me know if you have trouble finding them.
Product Research - 21:30
Just a mention here that I plan to cover some of the interesting security solutions available for mobile data security, specifically USB Flash Drive security solutions. So, stay tuned for more focus on these topics in future podcasts.
Q&A Feedback - 22:15
"Are you a parcel mule?", contributed by Andrew Codrington. Don't be duped into helping criminals just because you could use a few bucks. You can view his post in the forum by clicking HERE.
The Lighter Side of Security - 24:35
This isn't really that funny, but it does seem a bit comical. McCain and Palin's campaign staff auctioned off Blackberry phones with all the data still on them. This, and other tidbits I found entertaining, are available by clicking HERE.
Also, the famed "Stop Shooting, I'm Just the Security Guy" coffee mug is now available. Learn more by clicking HERE.
Reading Recommendations - 26:45
Tribes: We Need You to Lead Us , by Seth Godin, is a great read for anyone who is not happy with the Status Quo for anything important to you. With the tools available now, it is very easy. But it does require some thought and planning.
Into the Breach, by Michael Santarcangelo, is a must read for executives and security professionals. Michael's work is the inspiration for much of my thinking. This book complements the Governance by Graffiti model very well.
Empowerment Tips - 31:30
Start taking note of the kinds of information assets you work with on a daily basis, and try to understand their importance to you and your organization.
Consider Joining Toastmasters - 33:00
If you really want to make a difference, and become the go-to person for security awareness or any subject that you are passionate about, it's important to be able to communicate verbally. Toastmasters is not just the "after-dinner speech" club. There are a lot of good things about this organization that can help you to not just overcome a fear of speaking, but to become a professional communicator and leader.
If you’re not already a member, please join The Streetwise Security Zone by clicking HERE. You'll find discussion forums, articles and tools to provide personal and job-level security training ranging from social engineering to contingency planning, to help protect your information assets against today's threats.
You can subscribe to this podcast on iTunes by clicking HERE.
Thanks for listening!
(If you'd rather see written transcripts of my audio podcasts, please let me know.)
If you enjoyed this audio program, please consider clicking HERE to subscribe via iTunes, and click on the "Write a Review" link at the bottom of the cover page.