Security Awareness Fundamentals
By: Russ Horn (CISA, CISSP, CRISC)
Publication: The Kansas Banker, November 2013
My daughter started basketball season this week. During the parent and coaches meeting, the coaches talked about how they plan to focus on the fundamentals of basketball with our kids. Michael Jordan was quoted as saying: "When I was young, I had to learn the fundamentals of basketball. You can have all the physical ability in the world, but you still have to know the fundamentals." Even he knew the importance of knowing the fundamentals.
Just like in basketball, to be successful with an information security program, we need to make sure our employees know and understand information security fundamentals. Without our people knowing and practicing these fundamentals, we cannot expect to succeed in providing a safe and secure computing environment.

Security Awareness Training: do you cringe a little when you hear the term? You may not want to rely on a bare minimum program, but sometimes it may be the only option as you deal with time constraints, employee availability, and lack of interest. Training can be a frustrating experience for both the trainer and the trainee. Employees can be the most powerful security layer in your information security program and, by the same measure, the greatest weakness. Their ability to "sense" when something's not right is what can make them your most effective security control.
On April 8, 2014, Microsoft will cease support for Windows XP, a flagship desktop operating system for Microsoft since 2001. This endgame should not come as a surprise to IT managers because the Windows XP end of support date has been well publicized for years. That said, over the past several months I have visited a number of companies that still have Windows XP machines and have not created action plans for migrating off this popular platform. According to Net Applications, as of July 2013, Windows XP still holds just over 37% of the desktop operating system market share, with only a 4% drop since September 2012. These numbers roughly agree with what I am seeing out in the field.
DDoS, or distributed-denial-of-service, attacks seem to be the focus of everyone's attention right now, and rightly so: they have increased sharply this year. There are different ways to carry out a denial-of-service attack, but the term generally covers attacks that are meant to interrupt or suspend services connected to the Internet (for a period of hours to days). One example is to flood a bank's website with incoming requests that overload the site and prevent customers from accessing it. This is a big concern to financial institutions because this type of attack is often used as a distraction to keep the institution from noticing fraudulent activity occurring during the service interruption. Protecting your payment systems during DDoS attacks should be your primary focus. Here are a few things your bank can do to protect you and your customers from DDoS attackers:
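The flood described above shows up in a web server's access log as one source sending far more requests in a short window than any customer ever would. The following is an added example, not code from the column or from any vendor it mentions: it parses common-log-format lines and flags any source address whose request count inside a sliding 10-second window reaches a threshold. The log lines, the addresses (RFC 5737 documentation ranges) and the threshold of 100 requests are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" line, e.g.
# 203.0.113.7 - - [12/Nov/2013:09:00:00 -0600] "GET /login HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def detect_floods(lines, window=timedelta(seconds=10), threshold=100):
    """Return {ip: peak requests seen inside any `window`} for sources at or above `threshold`.

    Each source's own lines are assumed to be in time order, as in a live log;
    lines from different sources may interleave freely.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the current window
    peak = defaultdict(int)       # ip -> largest window count observed so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _log_line(ip, ts, path, status=200):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 5120'


def build_sample_log():
    """Constructed sample traffic (not real bank logs): one customer and one flood source."""
    base = datetime(2013, 11, 12, 9, 0, 0, tzinfo=timezone(timedelta(hours=-6)))
    lines = []
    for i in range(6):        # a customer reloading the login page every 10 s
        lines.append(_log_line("198.51.100.20", base + timedelta(seconds=10 * i), "/online-banking/login"))
    for i in range(300):      # a single source sending 30 requests/s for 10 s
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=i // 30), "/online-banking/login"))
    return lines


if __name__ == "__main__":
    for ip, n in detect_floods(build_sample_log()).items():
        print(f"flood suspect {ip}: {n} requests within 10 s")
```

Run as written, the script reports only 203.0.113.7 (300 requests within the window); the customer's six requests stay well below the threshold. A real distributed attack spreads the load across thousands of sources, so a per-address count like this is a monitoring signal for the bank's own staff, not a substitute for upstream filtering by the ISP or a scrubbing provider.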
Information security is a significant business risk that demands our attention. But too many times, the personnel tasked to oversee information security don't have the time, resources or knowledge to do the job right. Although this article cannot provide the time or knowledge needed to make a true evaluation, it can help get the internal conversation started. Answering the following 21 questions can help you measure your overall information security posture.
Phishing is defined as the act of sending email that falsely claims to be from a legitimate organization with the intent of gaining information. A phishing campaign is typically generic in nature and is used to target multiple organizations across many different industries. The term "phishing" derives from the underlying metaphor, comparing the act to that of fishing. Standard phishing is like fishing with a large net. You are not targeting a specific fish; you are just throwing out your net in an attempt to catch something worthwhile.
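The definition above turns on one thing: the message claims to be from a legitimate organization but is not. Three places where that claim can be checked mechanically are the From display name versus the real sender address, the Reply-To header versus the sender domain, and the visible text of a link versus where its href actually goes. The example below is added here and is not code from the column; the bank domain examplebank.com, the two sample messages and the hostile addresses (RFC 5737 documentation space) are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the institution's own sending domains.
TRUSTED_DOMAINS = {"examplebank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or of a bare 'www.host/path' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return a list of findings for one RFC 822 message; an empty list means nothing fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name names the bank, but the address behind it is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_bank = any(d.split(".")[0] in display.lower().replace(" ", "") for d in TRUSTED_DOMAINS)
    if claims_bank and not _trusted(sender_domain):
        findings.append(f"From display name '{display}' claims the bank, but the address is <{addr}>")

    # 2. Replies are steered to a domain other than the one the mail came from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To <{reply_addr}> does not match sender domain {sender_domain}")

    # 3. Link text shows a bank address while the href leads somewhere else.
    if msg.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(msg.get_payload())
        for href, text in collector.links:
            if _trusted(_host(text)) and not _trusted(_host(href)):
                findings.append(f"link text '{text}' but href points to {_host(href)}")
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: Example Bank Security <alerts@examplebank-verify.net>
Reply-To: support@examplebank-helpdesk.net
Subject: Urgent: verify your online banking access
Content-Type: text/html

<p>Dear customer, please visit
<a href="http://203.0.113.9/login">www.examplebank.com/login</a>
within 24 hours to confirm your account.</p>
"""

LEGIT_SAMPLE = """\
From: Example Bank <alerts@examplebank.com>
Subject: Your November statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/statements">www.examplebank.com/statements</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample))
```

On the constructed phishing message all three checks fire; on the legitimate one none do. These are indicators, not proof: a genuine bank mailing sent through a third-party marketing provider can trip the display-name check, which is exactly why the column's point about employees learning to "sense" when something is off still matters.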
"The Cloud" is a recently coined and hot term that makes the technology seem like it's been recently developed. However, service offerings that would meet today's definition of cloud-based computing have been around since the 1950s, according to Wikipedia. Amazon.com was one of the first companies to offer elastic computing, a precursor term for "The Cloud", so they are sometimes credited with developing the concept of cloud computing. In reality, it is unclear who came up with the term "The Cloud."
Bring Your Own Device (BYOD) is a hot topic in businesses today. I think every security and technology conference I have attended over the past few months has had a session on BYOD. One of the recent ones I went to labeled their session "BYOD, Bring Your Own Device or Disaster?" In the session, like many others, the presenter discussed some of the issues related to introducing personal devices into a business. I think the issue escalates even more within the financial sector, where confidentiality and security are more important. By allowing employees to use their personal devices for bank-related activities (e.g. email, access to the network, bank applications, etc.), the bank must deal with security issues that can conflict with employees' personal expectations.
"I want to use my iPad in the cloud. Can you make that work?"
Many of us have seen this message: "3 Billion Devices Run Java: Computers, Printers, Routers, Cell Phones, Blackberry, Kindle, Parking Meters, Public Transportation Passes, ATMs, Credit Cards, Home Security Systems, Cable Boxes, TVs…"