In my last blog posting I discussed the Encrypting File System (EFS) that is built into every Windows operating system since Windows 2000 and how EFS works. Although EFS is effective as a security control against data security breach-related risks, a major limitation is that it does not provide whole disk encryption, making it susceptible to certain kinds of attacks. A perpetrator who has local access to the same hard drive on which Windows resides can, for example, boot a non-Windows operating system to access EFS-encrypted files and directories or copy the entire encrypted contents of a lost or stolen PC’s hard drive to a completely different computer to view the information in clear text. Windows BitLocker encryption, which is available in Vista (see footnote below) and Windows Server 2008, addresses this limitation nicely by encrypting the entire contents of a Windows volume, thereby protecting all the data therein from a wider variety of attacks. Read more…
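As an added defender's check (example code, not from the original post or Microsoft): a PowerShell audit that lists EFS-encrypted files sitting on volumes where BitLocker protection is off, which is exactly the exposure described above. It assumes a Windows host with the BitLocker PowerShell module (Get-BitLockerVolume, shipped with Windows 8 / Server 2012 and later, not with Vista) and a -Path parameter of my own choosing.

```powershell
# Added audit example: find EFS-encrypted files on volumes without BitLocker.
# Such files are readable by anyone who can boot another OS or image the disk.
# Assumes the BitLocker module is present; -Path is a hypothetical parameter.
param([string]$Path = $env:USERPROFILE)

# Map each drive letter to its BitLocker protection state (On/Off/Unknown).
$protection = @{}
foreach ($v in Get-BitLockerVolume) {
    $letter = ($v.MountPoint -replace ':\\?$', '').ToUpper()
    $protection[$letter] = ($v.ProtectionStatus -eq 'On')
}

# Walk the tree and test the Encrypted attribute that EFS sets on files.
$findings = Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        $drive = $_.FullName.Substring(0, 1).ToUpper()
        $bl = $false
        if ($protection.ContainsKey($drive)) { $bl = $protection[$drive] }
        [pscustomobject]@{
            File      = $_.FullName
            Drive     = $drive
            BitLocker = $bl
        }
    }

# Report only the files that EFS alone protects; these are the ones at risk
# from an offline (boot-another-OS or disk-copy) attack.
$exposed = @($findings | Where-Object { -not $_.BitLocker })
if ($exposed.Count -eq 0) {
    Write-Output "No EFS-encrypted files found on unprotected volumes under $Path."
} else {
    Write-Output "$($exposed.Count) EFS-encrypted file(s) on volumes WITHOUT BitLocker:"
    $exposed | Format-Table Drive, File -AutoSize
}
```

Run it elevated so Get-BitLockerVolume can read protection status for every volume; a non-elevated run may report volumes as unprotected.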
By LOLITA C. BALDOR, Associated Press Writer
WASHINGTON – The powerful attack that overwhelmed computers at U.S. and South Korean government agencies for days was even broader than initially realized, also targeting the White House, the Pentagon and the New York Stock Exchange.
Other targets of the attack included the National Security Agency, Homeland Security Department, State Department, the Nasdaq stock market and The Washington Post, according to an early analysis of the malicious software used in the attacks. Many of the organizations appeared to successfully blunt the sustained computer assaults.
The Associated Press obtained the target list from security experts analyzing the attacks. It was not immediately clear who might be responsible or what their motives were. South Korean intelligence officials believe the attacks were carried out by North Korea or pro-Pyongyang forces. Read more…
By LOLITA C. BALDOR, Associated Press Writer – Wed Jul 8, 12:45 am ET
WASHINGTON – A widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime, The Associated Press has learned.
The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, according to officials inside and outside the government. Some of the sites were still experiencing problems Tuesday evening. Cyber attacks on South Korea government and private sites also may be linked, officials there said. Read more…
OK, OK, security training and awareness for senior management is an almost impossible endeavor, but that does not mean that the same obstacles are present in security training and awareness for the rest of an organization. As I have said before, I’ve had my share of experience with security training and awareness, and have accumulated several important “lessons learned” concerning successes and failures, including:
- Successfully conveying perceived purpose to the target audience is all-important. Making the skills to be taught or the message to be presented relevant to this audience is the difference between being able to engage and motivate them to learn and not being able to do so. Conveying perceived purpose is difficult, however, because many users use computers purely out of necessity and do not necessarily think that being unable to use their computers temporarily because of a security-related problem is such a bad thing. This is where HR can help considerably. If compliance with information security policy, standards and procedures is included among employee performance review criteria, employees are much more likely to realize that information security is important and thus are likely to be more open and receptive to security training and awareness efforts.
- Training and awareness must be tailored to different groups within an organization. “One size fits all” definitely does not apply to security training and awareness. Training and awareness for casual PC users needs to be radically different from training and awareness for system administrators; the same principle applies to expert system administrators versus novice system administrators. Tailoring security awareness and training to different groups is truly one of the greatest challenges for information security professionals, especially considering that training and awareness budgets are usually rather limited.
- Those who are trained must be held accountable. I am confident that, in and of itself, having a group of people come into a room and hear a presentation on information security does little good. At a minimum, requiring attendees to take a test afterwards or to show hands-on that they have learned to follow a mandatory security procedure is necessary. Those who do not pass the test or practicum need to receive more training before they once again attempt to pass.
- Skip the theory and get down to the practical. Too often information security training and awareness consists of communicating many security platitudes, but nobody other than security professionals really cares about these platitudes. Those who receive security training and awareness need to learn practical things such as how to create a strong password, why it is important to avoid opening attachments and how to disconnect a network cable from a network interface card if there is reason to believe that a computer has been compromised.
- Training must be recurrent. We often require that all employees and contractors receive security training once every year, but psychologists say most concepts that we learn are forgotten within a matter of hours (sometimes minutes) after we are exposed to them. Following up, say with a brief individual distance-learning session, two or three weeks after a group training session is imperative.
These prescriptions are by no means any kind of “silver bullet.” At the same time, however, paying attention to them could very well make your security training and awareness effort go much better than ever before.