Botnets Vs US Government

This was the title of my last post on the SecurityVibes website and relates to the July 4th cyber attacks on the US government that allegedly brought down several US government departments for days. There were several lessons to be learned from this attack but the one I want to focus on is the one that most organisations either don’t do or pay lip service to.

It isn’t technologically sexy, it doesn’t need to be costly, it vastly reduces the attack vector for botnets but if done badly can result in it being a total waste of everyone’s time. What is it?

On-going user security awareness education.

You see I’ve lost you now. Just because I didn’t talk about how easy it is to subvert SSL or the latest incarnation of Koobface or how the current Microsoft Directshow vulnerability is leading to more systems being compromised. Security Awareness Training is not sexy but it is vital and if it is not done correctly ends up being boring to the users and soon forgotten as a memory of something that wasted their work time.

However it is so absolutely crucial that organisations begin to understand its importance for their security posture that ENISA (the European Network and Information Security Agency) made it a top priority to get this message across to their member states in protecting Europe from Cyberwarfare, offering them free awareness videos and posters if that’s what it will take to help organisations put together a security awareness programme. At their conference in London, they brought in senior executives from international organisations to talk about what worked for them which resulted in a plethora of articles on top tips for organisations to implement a workable programme.

If you want to see what is possible in communicating simple messages to users then just think about how many times we tell users not to share or give away their passwords…yet they still do. Now have a look at how Barclays Bank have done it in this one and half minute video.

Because this aspect is so crucial to reducing the internal threat, cybercrime, the impact of employee related theft from the recession and system infections, I’ve listed some references below to free articles we’ve recently produced on this subject. Please do think about your security awareness posture. It is vital to yours and everyone else’s organisational and national security.

References

SecurityVibes Article: Security Awareness Initiatives: Top Lessons Learned from CISOs 1
http://bit.ly/XFghk
SecurityVibes Podcast: James Gay, CISO for Travelex on User Education
http://bit.ly/ngJkC
SecurityVibes Article: Going for a coffee? Lock Your Desktop First
http://bit.ly/27upN

Ben Chai

About Ben Chai

Ben Chai is a founding director of Incoming Thought Limited a company which specialises in whitepapers and education for corporations in the area of security. Incoming Thought has worked with several organisations such as the Forum of Incident Response and Security Teams, Security Vibes and The Corporate Executive Program. Ben has also been technically involved in several major deployments of Windows technologies (Active Directory, Microsoft SMS, Windows NT, Microsoft Exchange) to blue chip corporations such as Royal Bank of Scotland, Citibank, Total Oil and worked with several businesses in the capacity as a security consultant, helping them with hardening their systems and security processes. Further articles on security matters from Ben Chai can be found in Computer Weekly, ITproportal, Infosecurity from Elsevier and the Incoming Thought Twitter account.

, ,

One Response to Botnets Vs US Government

  1. Hawk
    Rob July 12, 2009 at 5:22 pm #

    The software security industry seems to accept the idea that it is in an arms race, and that it always will be in an arms race. Companies rig ad hoc setups to satisfy momentary blips in the riddled networks around the world. Coupled to that are the turgid operating systems that make checking assaults tedious and often critical. If we can plan on getting back to the moon, why can’t we conjure up a notion of secure packets moving across networks, and politically dominated backbones, with a realistic assessment – read recent accusations against Korea and Russia notwithstanding – of what is at stake. Is that dialog even on anyone’s radar?

Leave a Reply


*