
Comments
Don't Let Lousy Teachers Sink Security Awareness
Marilyn Cohodas, User Rank: Strategist, 6/16/2014 | 4:11:50 PM
Re: Excellent Review
It's great that you have such a positive -- and long-term view -- of the issues. It sounds like you are up to the challenge. Thanks for sharing.
SecOpsSpecialist, User Rank: Moderator, 6/16/2014 | 4:03:49 PM
Re: Excellent Review
Marilyn,

My successes come from a variety of places. In many places, it comes from the fact that I understand learning and culture change is a process. Due to various NDAs as well as privacy agreements, I cannot share the names of the companies.

When many people go to implement something that will change culture, they struggle to change it because it is often expected to happen overnight. As Cory said in his article, change does not happen overnight.

One of the challenges I actually face on a day-to-day basis is this: we have people in the organization who do not take the security program seriously and tend to either ignore the message we are sending out or scan it and then toss it aside because they do not believe it applies to them. Part of my job is to help these individuals see that, while it is important and it does apply to them, there's more to it than just rules and regulations; these are in place for a reason, not just to make their lives more difficult.

I do look forward to continuing to grow my security program here at the organization where I am employed as the individuals I work with are fantastic. Perhaps a bit stubborn, but that's to be expected with culture change.
Marilyn Cohodas, User Rank: Strategist, 6/16/2014 | 3:32:42 PM
Re: Excellent Review
@SecOpsSpecialist Where have you found your successes in creating a security culture? I'd love to hear about your victories -- and also some of your challenges.
SecOpsSpecialist, User Rank: Moderator, 6/16/2014 | 12:20:34 PM
Excellent Review
Cory -

You have a fabulous article here and I found myself nodding along and agreeing with you. As the Security Awareness person for my organization, I often find myself in this same position. It's a mandate that users lock their workstations before they walk away from them, but there are some who still forget to do it. We can remind them only so much before we have to show them the error and have them realize what can actually happen because they've left the machine unprotected.

You are absolutely right when you say that security culture cannot change overnight, especially in an organization where there's a mixture of the newer blood and the older blood. I sincerely hope that more people pay attention to this, especially those who are trying to start a security awareness program at their place of employment.
Marilyn Cohodas, User Rank: Strategist, 6/12/2014 | 9:56:24 AM
PEBCAK & luser
I can't tell you how frustrating it is -- as an end-user -- when the assumption from the technical team is that the problem is a result of operator (luser) error. If the technology worked flawlessly, a lot of IT people would be out of a job! In order to fulfill Security Awareness Tip No. 1 (Get users on your team), you'll need to treat users as real people (not PEBCAKs) with something between their ears.
dwatson777, User Rank: Apprentice, 6/11/2014 | 6:11:08 PM
Great Article!
Great article. I agree.
Randy Naramore, User Rank: Ninja, 6/11/2014 | 4:40:27 PM
Re: tips
Good post. Very interesting read.
CoreyNach, User Rank: Apprentice, 6/11/2014 | 3:54:08 PM
Re: Tough Material
Wow... thanks for your thorough comments. It sounds like you have a lot of practical advice from first-hand experience....

On the idea of having consequences to breaking policy part... I think there is a middle ground. First, I agree that you need both training and technical security controls.... That's my point. The best training won't make ppl perfect, so you still need to audit, but the best technical security measures are not infallible... together they reinforce each other. Also, I do agree that your organization's security policy should have some potential teeth... meaning employees should understand that major breaks in policy could result in termination. And the employee should be held accountable, meaning at the end of a training, they should somehow acknowledge that they understand the policies that were communicated to them (signing something)... but that said, I do believe you can communicate these policies in a way that the employees understand what's at stake. Rather than an attitude of, "here's the rules, follow them or else," you can adopt a tone of, "here's some serious problems, and here's how they can cost our business, and all of us, money and heartache... here are some rules that you should follow to avoid these issues, and by the way, if you follow these rules at home, you might avoid issues there as well. We do enforce these rules, and will hold you accountable to them, but they really are in your best interest."

Anyway, sounds like we both agree, but I think you can deliver these sorts of policies in a way that comes down less harsh, and will still result in as much adoption of whatever practice you are teaching...
CoreyNach, User Rank: Apprentice, 6/11/2014 | 3:44:13 PM
Re: tips
Thanks... I was recently reminded what it is like to be new to a subject that has its own language. I started a new hobby, and joined a forum that talked about aerial videography with multicopters, and the forum members had a ton of acronyms and terms of their own. I could not understand half the posts until I figured out a ton of new acronyms... So this experience really drove that tip home for me. ^_^
RetiredUser, User Rank: Ninja, 6/11/2014 | 2:54:00 PM
Tough Material
@Corey Nachreiner

First, kudos on a thorough article. It's a fine collection of tips. I'd like to add a few notes of my own. I've been in IT, specifically build/release management, for 15+ years, and security has always been the secret passion. Because of that, it is always part of my auditing documentation. Also, I write howtos and other documentation for staff, so I have a special interest in training, but also methods for ensuring retention of information.

Argument No. 1: One or more bad eggs can and do cause significant damage. This is why a two-pronged approach to security is needed: 1) Build the technical infrastructure needed to prevent internal and external security risk, accompanied by the right organizational processes (checks and balances), and 2) train users thoroughly both in terms of "best practices", common mistakes, and so forth, but ALSO remind them of the seriousness of aiding in security abuse, knowingly or otherwise. I think that right there is one major shortcoming in user training: Put the fear of legal response and termination into everyone; sounds harsh, but you know that Snowden's example has set in motion process and technology audits like nothing seen in that department in years. This is serious stuff.

Argument No. 2: To my notes above, the average person WILL care about security once they realize they can be held accountable, and that abuse of security protocols is punishable in no small way.

Argument No. 3: Surprise! Those archaic references are now becoming obsolete with more average users becoming tech savvy, partly because the population of users is younger and tech has been at their fingertips since childhood. My daughter isn't interested in tech as a profession, but at 7 years old she has her own Debian GNU/Linux computer, uses LibreOffice regularly and pointed out technical work-arounds in TuxPaint I hadn't thought of. Any IT staff that are dumbing down or not trying to educate based upon assumptions about the end user are going to have a very unsuccessful career ahead of them.

Tip No. 1: Based upon my previous comments, you can guess I'm half on the fence here. I do believe in the draconian rules, to some extent. Fear of legal punishment is what put me on a straight and narrow path when I was a young man. But at the same time, I believe that personalizing the benefits of security is key, too. Billions of dollars are taken from innocent people through cyber crime and in the end, we _are_ here to make life better for the average person.

Tip No. 2: Absolutely agree. And do it with simple graphics in a brief presentation or video. YouTube is king when it comes to training!

Tip No. 3: And the same holds true with documentation. Always explode the acronym first, before switching to it in later parts; i.e. "The Open Web Application Security Project (OWASP) has a MeetUp. Join the OWASP MeetUp today."

Tip No. 4: I find tying your example to cyber crime news that makes network news works really well. Heartbleed was good for that because it was all over CNN, MSNBC, CSPAN, and major networks. Snowden (how he did it, not why) is also a good example. Use recognizable examples - it saves you the time of recreating the hack yourself.

Tip No. 5: Say no more. I have kids! On a serious note, though, you need to also remind folks that they are their colleagues' keeper when it comes to security. Incentives for whistleblowers, while they may leave a bad taste in the mouth, might be necessary. Taking the game from a friendly group competition that is visible to an internal game where bad behaviour is recognized and privately reported for gain is sometimes what it takes to keep employees from joining together to commit crime, or from ignoring signs of criminal behavior they witness.

Tip No. 6:  Every company is different and ultimately, you may have to choose between a visible security team and an invisible one.  When folks forget there are security personnel onsite, auditing traffic and observing video sessions, they slip and make mistakes.  Someone who is intent on committing a crime is going to do it, but only when they feel safe to do so.  The initial training and fear of reprisal is a necessity, but at what point do you decide that the fun and games approach to security needs to go out the window and maintaining a quiet, efficient and hard-hitting security audit team makes more sense?