SSL All The Time? Secure Web Application Development

Paul Ducklin at Sophos has published a very nice review article discussing why web applications which use SSL (encrypted) connections for login processing should use SSL throughout the application, and shouldn’t revert to unencrypted connections once the user has been logged in.

Perhaps the key point that he raises is that – in most cases – there’s really no reason NOT to use SSL. A few years ago, the computational overhead in SSL encryption was a problem but, with seemingly ever-increasing processing power available for relatively low cost, that’s not the case any more. This is something we’ve always believed at Cosaint, and all of our training portals use SSL throughout.

You can find the blog post here. If you’re involved in web application development in any way, it’s worth a few minutes of your time to read it.
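To make the point concrete, here is an added example (my own illustration, not code from the Sophos article or from Cosaint) of what “SSL throughout” looks like in practice for a small Python WSGI application: every plain-HTTP request is redirected to HTTPS rather than served, the session cookie is marked Secure and HttpOnly so the browser never sends it in the clear after login, and a Strict-Transport-Security header tells the browser to stay on HTTPS. The function names (`force_https`, `harden_set_cookie`, `run`) and the host `example.test` are assumptions made for the example; it also assumes the WSGI server or reverse proxy sets `wsgi.url_scheme` correctly.

```python
"""Serve an application over HTTPS only, not just its login page.

Added example, not part of the original post. Assumes a WSGI app whose
server/proxy sets wsgi.url_scheme; all names here are illustrative.
"""
from http.cookies import SimpleCookie
from urllib.parse import quote

# Tell browsers to use HTTPS for this host for one year (assumed policy).
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def is_https(environ):
    """True when the request arrived over TLS according to the WSGI server."""
    return environ.get("wsgi.url_scheme") == "https"


def https_redirect_location(environ):
    """Build the HTTPS URL for the same host, path and query string."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    qs = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{qs}" if qs else "")


def harden_set_cookie(header_value):
    """Return Set-Cookie values with Secure and HttpOnly added.

    Secure stops the browser sending the session cookie over plain HTTP;
    HttpOnly keeps it away from page scripts.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    hardened = []
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
        hardened.append(morsel.OutputString())
    return hardened


def force_https(app):
    """WSGI middleware: redirect HTTP to HTTPS and harden HTTPS responses."""
    def wrapped(environ, start_response):
        if not is_https(environ):
            # Never serve content (even post-login pages) without encryption.
            start_response("301 Moved Permanently",
                           [("Location", https_redirect_location(environ)),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def secure_start_response(status, headers, exc_info=None):
            out = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    out.extend(("Set-Cookie", v) for v in harden_set_cookie(value))
                else:
                    out.append((name, value))
            out.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, out, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def demo_app(environ, start_response):
    """A stand-in for a post-login page that issues a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"Account page\n"]


def run(app, scheme, path="/account", host="example.test"):
    """Call a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": ""}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = force_https(demo_app)
    print(run(secured, "http"))   # 301 to https://example.test/account
    print(run(secured, "https"))  # 200 with hardened cookie and HSTS header
```

The redirect alone is not enough: without the Secure flag a browser would still attach the session cookie to any stray `http://` link to the site, which is exactly the post-login exposure the article warns about, and without HSTS the first request of each visit still starts in the clear.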

Posted in Information Security | Leave a comment

Pass IT On – a Great, and Security-Aware, Program

I recently heard about Pass IT On – an initiative designed to help some of the 10 million “digitally excluded” people in the UK get online. The idea is to help people to help their own friends and family get online by providing community learning centers, and training on Internet basics.

Continue reading

Posted in Education | 2 Comments

4 Easy Steps to Outline Your Security Awareness Class

You’ve been asked to prepare a security awareness training session to be presented in a classroom, or a staff meeting, or online as a webinar … and you don’t know where to start.

Here’s a simple 4-step process that might help.

Continue reading

Posted in Education | 1 Comment

Why You Need a Strong Password for Your Cell Phone

You don’t store any confidential information or account numbers or your Social Security number on your phone – you just use it for calling, text messaging, and sending and receiving emails. You don’t even browse the Internet, and you certainly don’t use it for anything like online banking. So why do you need a strong password? Here’s one reason that you might.

Let’s assume you lose your phone and it falls into the hands of someone who’s less than honest – let’s just call him Steve for now. You haven’t protected your phone with a password, or it’s only a weak password. But you’re not unduly worried – even if Steve gets access to your phone, there’s nothing sensitive for him to find. But …

Steve waits until an email comes in, and he now knows your email address. Then, he browses to bank websites and requests a password reset. After a few attempts, he finds where you bank. The security question isn’t too difficult to figure out – you probably posted enough information to Facebook and/or LinkedIn for him to guess the answer – and the bank sends a password reset email to the address it has in its database … which is picked up on the phone. Before you know it, Steve’s flying off to Hawaii on a ticket paid for with your life savings.

All because you had a weak (or no) password on your cell phone.

Posted in Information Security | Leave a comment

The Duhs of Security – A Free Security Awareness Video

The Commonwealth of Virginia posted a nice security awareness video to YouTube.

The video makes good use of humor, incorporating impressions of celebrities (Arnold Schwarzenegger, Jack Nicholson …), but the humor doesn’t distract from the content. You could send out the link to this video in one of your monthly security reminder emails.

Better yet, add a mastery test so that you can track student comprehension, and post the link to your Cosaint training portal!

Posted in Education, Information Security | Leave a comment

‘Who’s Viewed Me?’ on Facebook

People keep falling for this one, so it’s worth reminding them – there isn’t a way to see who’s viewed your profile on Facebook, and any application that offers to do this for you is a scam. In fact, Facebook has a statement on their website that confirms this.

But this can be useful to you if you’re trying to illustrate social engineering techniques to your staff.

Curiosity is one of the human character traits that social engineers will try to use to their advantage. And, since many of your staff are likely to be using Facebook from their work PC, at home, or using their cellphone (see my recent post for some statistics on this), this should be something that they can immediately relate to.

Further, as we mentioned in our list of Best Practices for Security Awareness Training, it’s a good idea to discuss the importance of security to life outside of work since that encourages your staff to make good security second nature.

So use this as an example in your training class, or work it into the monthly reminders that you send out by email.

Thanks to Graham Cluley at Sophos for reminding me (in his blog post) to remind you!

Posted in Information Security | Leave a comment

Copyright in Security Awareness Training Materials

If you’re encouraging best practices, don’t weaken your message by breaking the law.

Every now and then, I see a security awareness training presentation that makes extensive use of material from other sources – usually images and/or text copied from sources on the Internet. When queried, the author of the security awareness training presentation says something like this:

I’ve looked through the [insert website name here] website and see no copyright info of any kind on it. So it must be OK to use it.

In 99% of instances, this is NOT the case.

Continue reading

Posted in Education | 1 Comment

Professor Demoted After Computer Security Breach

The Herald Sun of Durham, NC is reporting that Professor Bonnie Yankaskas, a professor in the Department of Radiology and principal investigator of the Carolina Mammography Registry, has been demoted from full professor to associate professor, and her salary has been reduced by nearly half. The reason – a server used by the research program was hacked in 2007. The server contained personal data (including Social Security numbers) of more than 100,000 women.

The case is notable in that a senior manager – not the IT or security staff – is being held ultimately responsible, and a very significant penalty is being imposed. Perhaps a case like this can be used to highlight the importance of information security to your own executive staff and managers?

Read the full article on the Herald Sun website.

Posted in Information Security | Leave a comment

Security Awareness and Social Networks: Why You Should Care, and What You Should Teach

You might have been avoiding it until now – thinking that social networking (Facebook, MySpace, LinkedIn …) is just a passing trend, or it’s only used by teenagers, or people only use it to exchange photos and jokes. But, if you haven’t already realized it, social networks are here to stay, being used by people of all ages and social groups, and are having significant impacts (both positive and negative) on business. So, if you’re not already dealing with social networking as part of your security awareness training, you need to start now.

Continue reading

Posted in Education, Information Security | 2 Comments

Poor Delivery – 5 Reasons Why Security Awareness Training Programs Fail – Part 2

You can have the best content in the world – well-written and illustrated, perfectly aimed at your target audience … – and your program will still fail if the delivery is poor. Whether it’s a boring presentation in the classroom, or web-based training that simply doesn’t work on the students’ PCs, focusing on content at the expense of presentation can doom a security awareness training program from the start.

Here are three of the ways that I’ve seen poor delivery kill awareness training programs.

Continue reading

Posted in Education, Information Security | 2 Comments