|
Botnets Vs US Government
by Ben Chai |
|
This was the title of my last post on the SecurityVibes website and relates to the July 4th cyber attacks on the US government that allegedly brought down several US government departments for days. There were several lessons to be learned from this attack but the one I want to focus on is the one that most organisations either don’t do or pay lip service to.
It isn’t technologically sexy, it doesn’t need to be costly, it vastly reduces the attack vector for botnets but if done badly can result in it being a total waste of everyone’s time. What is it?
On-going user security awareness education.
You see I’ve lost you now. Just because I didn’t talk about how easy it is to subvert SSL or the latest incarnation of Koobface or how the current Microsoft Directshow vulnerability is leading to more systems being compromised. Security Awareness Training is not sexy but it is vital and if it is not done correctly ends up being boring to the users and soon forgotten as a memory of something that wasted their work time.
However it is so absolutely crucial that organisations begin to understand its importance for their security posture that ENISA (the European Network and Information Security Agency) made it a top priority to get this message across to their member states in protecting Europe from Cyberwarfare, offering them free awareness videos and posters if that’s what it will take to help organisations put together a security awareness programme. At their conference in London, they brought in senior executives from international organisations to talk about what worked for them which resulted in a plethora of articles on top tips for organisations to implement a workable programme.
If you want to see what is possible in communicating simple messages to users then just think about how many times we tell users not to share or give away their passwords…yet they still do. Now have a look at how Barclays Bank have done it in this one and half minute video.
Because this aspect is so crucial to reducing the internal threat, cybercrime, the impact of employee related theft from the recession and system infections, I’ve listed some references below to free articles we’ve recently produced on this subject. Please do think about your security awareness posture. It is vital to yours and everyone else’s organisational and national security.
References
SecurityVibes Article: Security Awareness Initiatives: Top Lessons Learned from CISOs 1
http://bit.ly/XFghk
SecurityVibes Podcast: James Gay, CISO for Travelex on User Education
http://bit.ly/ngJkC
SecurityVibes Article: Going for a coffee? Lock Your Desktop First
http://bit.ly/27upN
Tags: Cyber Warfare, cybercrime, ENISA
This entry was posted on Friday, July 10th, 2009 at 8:53 AM and is filed under Community Manager, Guest Bloggers, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Comments
-
Rob says: The software security industry seems to accept the idea that it is in an arms race, and that it always will be in an arms race. Companies rig ad hoc setups to satisfy momentary blips in the riddled networks around the world. Coupled to that are the turgid operating systems that make checking assaults tedious and often critical. If we can plan on getting back to the moon, why can’t we conjure up a notion of secure packets moving across networks, and politically dominated backbones, with a realistic assessment - read recent accusations against Korea and Russia notwithstanding - of what is at stake. Is that dialog even on anyone’s radar?
Like or Dislike:
0 
0
|
| Our New Offices... Our offices recently underwent a redesign of its own. Here are some photos of our new digs.... How To Find Your Next Job Using Social Media I'm attending the next WebGuild Event on an interesting topic about yet another means for tapping into your social network: How To Find Your Next Job Using Social Media. The event is on Tuesday, August 17, 2010 from 6-9:00 PM... POLL: Treatment of Link Tips Versus Standard Links We've been working on better differentiating on our site standard hyperlinks from link tips which render a popup callout bubble. What's your vote? QUESTION 1: Option 1: Do you prefer the 'help' cursor onmouseover for link tips? Option 2: Or... |
|
| PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area |
|
| Cloud Identity, Trust and the Liability Elephant. I have been involved with a couple similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on... Greek Heroes, Facebook and Trust When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother who did not want her son to die decided to dip Achilles' body into the water of a river that... PCI for the Cloud For most enterprise and security vendors, the cloud is fascinating both as a technology and a business disruptor. In fact, SAAS CEOs such as Successfactor, SalesForce and NetSuite are hot shots in Silicon Valley these days. Yet, most of us... |
|
