Security Awareness Training

Most of us are familiar with URL shortening websites such as bit.ly, tinyurl.com, and is.gd. It’s one of the technologies that’s fuelling the explosive growth of social networks such as Twitter – after all, 140 characters isn’t a lot of space to fit a message if most of it is taken up with a URL!

But the use of URL shortening can be a major headache since a shortened URL could obscure the real target address and, as a result, it could be used to redirect the viewer to an unexpected site such as a phishing website, or a website infected with malware.

Continue reading →

Following my post about McAfee’s 12 Scams of Christmas, here’s some safe shopping advice from the FBI. Good source material for a seasonal security awareness message to your staff.

Along the same lines as my recent post on photocopiers and information security, a friend of mine tells me that, in his organization:

… we have a major issue with people leaving scanned expenses on a shared drive. It’s great technology, but easy to forget the obvious.

Again, we have messages for two audiences:

1. For All Staff – Be aware that scanners attached to PCs may well store copies of scanned documents on a local or networked hard drive, and those copies may be accessible to other people using the same computer. This is especially important to remember if you ever use a scanner outside your organization’s office e.g. at a Fedex/Kinkos, at a client site, at home, in a library …
    
2. For IT Staff – As far as possible, try to ensure that copies of scanned documents aren’t stored in public disk space. If that’s not possible and you handle sensitive documents, designate certain PCs+scanners as acceptable for sensitive documents and restrict access to those PCs.
    

As my friend says, the obvious is easy to forget.

An article in a recent issue of Business Week highlighted security issues with software produced by Adobe – especially Adobe Reader which is widely used in small and large organizations. The article quotes Kapersky researcher Roel Schouwenberg saying “Adobe at the moment, is the main target.” And the article goes on to suggest that “Adobe” (presumably meaning Acrobat Reader) has replaced “Microsoft” (presumably meaning Windows) as the primary attack vector for hackers.

Continue reading →

The Washington Post talks about a recent FBI warning that hackers are increasingly attacking law firms and PR companies using spear-phishing emails. These emails – previously used against military and defense targets – contain hyperlinks or file attachments which launch a malicious payload that can allow hackers to access the target’s network. Once they’re in, the hackers look for sensitive data – often linked to large corporate clients doing business overseas.

Sometimes, we focus so much on security issues relating to personal information (Social Security numbers, health information, addresses), financial transactions (credit card numbers, bank account details) and state security (military and defense secrets) that we forget other information can be extremely valuable to criminals.

You can find further news and warnings on the FBI Cyber Investigations Program website.

Plenty of people are blogging, tweeting and quoting this article from McAfee posted on CNET, and justifiably so – it’s well-timed and contains pertinent information.

If you’re involved in an ongoing process of security awareness training, consider including these topics in your materials – whether it’s a presentation during your November/December staff meetings, or your November/December monthly email messages to your staff, or a set of posters for the staff canteen.

Continue reading →

Are you covering the security risks of photocopiers (and multi-function machines) in your security awareness training?

A recent news report from WINK-TV in Fort Myers, FL, has reminded us that the humble photocopier can be a security threat. Or perhaps I should say the ‘not-so-humble’ photocopier since many copiers and multi-function machines now include sophisticated electronics and disk drives, and they’re frequently connected to office computer networks.

Continue reading →

The Washington Post is reporting that the American Realty company lost $195,000 when an employee clicked on a link in an email that purported to be from the IRS. The link then installed a Trojan Horse which stole passwords that enabled hackers to make payroll payments to a number of money mules.

So far, American Realty has recovered about $45,000 of the stolen cash, but there’s no indication of how much it has cost them to deal with the incident.

More data for you to use when justifying spending on security awareness training!

Call centers routinely record calls for quality control and training purposes. In a recent survey by Veritape reported in The Register, 95% of the call centers surveyed were found to be storing credit card data such as the three-digit verification numbers from the back of the cards in recordings of calls. But only 39% of the 133 call center managers interviewed realized that they shouldn’t be doing this. Even worse, only 3% of the 133 (that’s 4 people, by my calculation) actually wiped credit card information from the recordings.

As the PCI Data Security Standard (DSS) says:

Sensitive authentication data must not be stored after authorization (even if encrypted).

PCI DSS Requirements and Security Assessment Procedures, v1.2.1 – July 2009. Footnote 2 on page 5.

It’s easy to concentrate on computer and network security – after all, that’s what we hear about all the time – but it seems that we might have a failure to educate critical staff on security that applies to other areas of business.

When we talk to end users about security, we usually focus on the confidentiality part of the CIA triad – probably because it’s the most visible part of information security. But, every now and then, there’s a news item that reminds us about integrity and availability. And today was one of those days.

The Washington Post is reporting that a server failure over the weekend has wiped out the master copies of data accumulated by Sidekick smartphone users. This includes address books, calendars, to-do lists and photos.

Continue reading →