Tuesday, November 20, 2012

Counter Cybercrime - Turn insiders(employees) into assets

Security Awareness and Education

Darkreading has a very good article today - Four Ways to Turn Insiders into Assets

In general, I like the idea as I'm a believer of putting more effort on security awareness and education.

Robert Lemos, the author of the article had listed down 4 ways:
(NOTE: Text in Italic are excerpt from the original article. Comments are added by me)

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.  

Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or audit results said so. Ask yourself a question. Why do you send your kids to school? Is it because the government or law requires it? No, we send the children to school for we want them become an educated person and learn how to behave correctly starting from young. So, we all understand that education or awareness is the key. It shouldn't be any different when come to information security. We have to educate all the employees.

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employee phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.  

Have a fun information security story to share?

Information Security folks,

I'm sure you have some fun stories to tell as well. Why don't you share them? If you like, I can put it on my blog as well. Of course, all credits go to you :)

Think about it ;) . Just drop me a message on my Google plus or Facebook page.

Wednesday, November 14, 2012

How secure your SMS token/mTAN/TAC code is really up to you

Users will always click on an URL sent to them right? I bet any information security pros out there must have heard or said this before.

Here is a news reporting that some people in Germany got their bank account swipe out after a Trojan "intercepted/diverted" their mTAN (SMS based one time password).

Excerpt from the news by Thelocal.de:

Berlin state police warned on Tuesday that "bank customers using the SMS-TAN/mTAN process have become victim of fraudulent money withdrawals." Several people have reportedly had their bank accounts emptied in the past few weeks, the police said in a statement.

"In all cases, the SMS containing the mTAN for the online banking system was caught or diverted," the statement said. "Up until now, those affected have been customers using a Smartphone with an Android operating system."

Friday, November 2, 2012

Counter cybercrime - avoiding cyber espionage attacks

I have come across this article today - 4 factors for avoiding cyber espionage attacks. Good points... but I do have a few comments.

1. Data Policy
Yes. Define your data policy and its classification. Most of the time, the Business is the one accountable to set it, and (unsurprisingly) most of the time they failed to do so. Hence, it is our job as a information security professional to do due diligence to help them set one.  

2. Bring Your Own Device (BYOD)

Need me say more? I had written a few pieces about the risks of BYOD. Go check it out :)

3. Protect your critical infrastructure
Separation of network with the intellectual property from the rest of the network is like security 101. However, to do so, you'll need to know what you want to protect first. So the question is - how do you know? See point number 1. It's all starting with data classification - I will say it is security 100. Do a risk assessment on your data, then you'll know what to do with the risk. To mitigate or to accept.    

4. Monitor for unexpected behavior
Right. Not an easy one. You'll need to know what to look for. One might say Data Leakage Prevention (DLP) is the answer but I have yet to see a real return of investment on DLP solution. It's a pain in the XXX to get it implemented. Too many false alarms. Need full time resources to monitor etc.....

Monitoring is only effective if you know what you want to monitor. Perhaps, you'll need a holistic and overarching (my auditor friends love this sentence, like it is crafted in their gene or super-glued to their head. Stuck there forever, like a BFF ) monitoring in place (See the tongue in my cheek?). In a lay man term, that would mean having the right people, process and technology in place...

Before I keep my fingers off the keyboard. I have another point to add:

5. Awareness

Educate you employees (not just those IT folks, but all employees, including your cleaners) on how to spot someone potentially casting a cyber-espionage spell or charm on them. Educate them how to react, what to do not, who to report the suspicion to etc.... The people is always the weakest link. 

Acknowledgement - photo taken from http://en.wikipedia.org/wiki/Spy_vs._Spy