July 2009 Posts

  The Honey Stick Project - Measuring risk decisions

The people who need to hear this are busy right now, so please show this to their manager

Friday, July 24th 2009 @ 4:29 PM

The Honey Stick Project's data measurements now indicate a 65% failure rate in human risk decision-making when it comes to handling technology and sensitive information. This should certainly be a concern to business managers, but I now believe this data reflects a symptom of a rather simple problem. Time is the problem.

The Real Problem (as I see it)

The people who are most often delegated the responsibility for security programs, such as analyzing security awareness and assessing risks, are the IT department. They also happen to have a never-ending battle to keep systems configured properly, to provision new users, react to incidents and generally fight fires. They may have a gut feeling that human decisions are a major security risk, but they simply don't have the time to address, or even identify, this issue in any serious way.

The Logical Solution

If the person responsible for IT Security can find an outside resource to not only spend the time to properly plan and implement a security awareness measurement and education plan, but to look at the situation objectively, the problem can be solved much more quickly and effectively than if they take on the entire job themselves. They very likely will never find the time to start addressing the problem before a major security incident happens - which will put them even further behind.

I know this data looks pretty self-serving, but those of us in the security field know the problem is very serious, and is not getting any better. That's why I feel compelled to try to help people with the problem of security awareness and risk decisions. My research results are simply another set of data that illustrates why I see this kind of problem as worth working on.

By the way - in case it's not clear - I'm not saying that USB sticks with malicious code are the biggest problem we face. This is just a way of determining that we need to focus on getting people to think about consequences before they act in risky ways with data or technology.

So, please show this to your IT manager's manager. Your organization must help them out by finding somebody with the time and skills to do the job properly and quickly - or it will likely never happen.

CURRENT HONEY STICK STATISTICS:

Devices Deployed: 54

Devices Inserted Into Computers on the Internet and Detected: 35

Total Percentage of People Who Acted in Risky Ways With Found Devices: 65%

Is your security awareness training just a set of old Powerpoint slides that you pull out once a year and present at an all-hands meeting? You can now provide much more effective security awareness training for your staff, for much less cost than you think. Contact me if you'd like to discuss how you can create a culture of security through a variety of live programs, and modern e-Learning techniques.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.


A tool for disabling launch of programs on USB drives

Wednesday, July 15th 2009 @ 7:05 AM

One of the ways that USB drives can be infected with dangerous malware is with something called an Autorun configuration. This means that the device is set up to run a program as soon as it is plugged in - just like how installation programs run when you insert a CD-ROM into a computer. But this feature can be used for evil instead of good, by launching a malicious program as soon as the device is inserted into your computer.

You would think it should be possible to disable this feature. Well, it is possible, but it is not necessarily easy, especially with some versions of Microsoft Windows. I wrote a technical note in the Discussion Forum back in March, 2009 (click HERE), which explains more about the details, and why it doesn't always work as expected.

Now, Panda Security has developed a small utility program that attempts to disable the Autorun feature on whichever version of Windows you are using. Given how hard it is to determine exactly how to disable it, this is a good idea.

My only concern, as of July 2009, is that there were a lot of comments posted to their download site that seem to indicate people had problems with the original version of the utility. They released a new version in June, which seems to be getting better comments. I would still recommend being cautious in relying on this utility for important data and systems. But if you are interested in doing some research on the utility, you can find it by clicking HERE.

I would recommend trying it on an experimental USB drive and an experimental operating system installation. Also, keep an eye on the Panda web page to see if they release any more updates. I suspect they will be diligent in providing good support. But at this point, as with any free program, you can not expect their support to be as responsive as you might like it to be.

Microsoft apparently now has a Fix It Now feature in one of their Knowledge Base articles (click HERE). This will affect a specific Windows computer. The Panda utility can also vaccinate a specific USB device to disable it from attempting to automatically run any programs on ANY computer.

One final thing I'd like to point out is that Autorun is not the only way that malware can spread via USB devices. Even if Autorun is disabled, any file on the device can be infected, and by clicking on it or opening it you can still activate a malicious program that can do just as much damage. It just means you have a chance to view what files are on the device without becoming infected, if you are able to disable the Autorun feature.
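Whether a given Windows machine actually has Autorun switched off, and whether a plugged-in USB stick carries an autorun.inf at all, are the two things worth checking before trusting any utility. The script below is an added example, not code from this post, from Panda or from Microsoft; it assumes the documented NoDriveTypeAutoRun policy value (bit 0x04 covers removable drives, 0xFF disables Autorun on every drive type) and only reads the inf file, never running anything it refers to.

```powershell
# Added example: audit the Autorun policy on this machine and report any
# autorun.inf present on removable drives. Assumes the NoDriveTypeAutoRun
# policy value documented by Microsoft (0x04 = removable, 0xFF = all types).
function Get-AutorunPolicyStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            # No policy value at all means Windows defaults apply (not hardened).
            [pscustomobject]@{ Hive = $path; Value = 'not set'
                               RemovableDisabled = $false; AllDisabled = $false }
        } else {
            [pscustomobject]@{
                Hive              = $path
                Value             = ('0x{0:X2}' -f $value)
                RemovableDisabled = (($value -band 0x04) -ne 0)
                AllDisabled       = (($value -band 0xFF) -eq 0xFF)
            }
        }
    }
}

function Find-AutorunInf {
    # DriveType 2 = removable media (USB sticks, card readers).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        # Only a regular file is reported; a same-named placeholder folder is ignored.
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            # List the launch directives so an analyst can see what would have run.
            $directives = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
            [pscustomobject]@{ Drive = $_.DeviceID; Path = $inf
                               LaunchDirectives = @($directives) }
        }
    }
}

Get-AutorunPolicyStatus | Format-Table -AutoSize
Find-AutorunInf | Format-List
```

Run it from an elevated prompt on a test machine first; a drive that shows launch directives should be examined offline rather than opened in Explorer.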
