Tag Archives: Rochester Institute of Technology


Developing a Security Mindset

Category: Higher Education, Information Security, Infosec Communicator, Risk, Uncategorized

In my Cyber Self Defense course at the Rochester Institute of Technology, I teach a module on Developing a Security Mindset. Based on a class exercise by Tadayoshi Kohno at the University of Washington (mentioned in a blog posting by Bruce Schneier), the goal of the module is to reorient students’ thinking from the features of a product and how those features are supposed to be used to thinking about how someone might “hack” the product. In other words, develop a security mindset.

I ask the students to determine product assets and vulnerabilities and identify how someone might attack the product. The students are told that they do not have resources to counter every possible threat.

I also have the students create a risk map that depicts the likelihood of a particular attack and the potential impact of that attack. Placing specific threats on a risk map helps students understand that, since not all threats bear the same weight, they need to choose what is most important to defend against.

The twist to the exercise is that students may not conduct an analysis of a computer-related product. For example, subjects presented by my students this quarter included Water Purification, Bicycle Safety, Running a Pizza Business, etc. As the students presented, we discussed their risk maps and the choices they made.

Group one risk map for a water purification plant

Although we may not agree with the students’ risk map, the exercise stretches IT students to think “outside the box.”


Having Fun with Security Awareness–Phishing

Category: Higher Education, Information Security, Infosec Communicator, Social Networking, Uncategorized

Phishy and Ritchie at RIT

The task of creating a culture of information security awareness in higher education can be a daunting one. You may feel as though your efforts are unnoticed and unrewarded. However, one of the really cool things about working in higher ed is that universities and colleges are often willing to share their best practices and even the materials they’ve created. This can ease the burden of coming up with new ideas to help increase user awareness of information security threats.

Over the last couple of years, higher education has seen an increase in phishing attempts known in the industry as “spear phishing.” Spear phishing targets a specific group of individuals by crafting emails or other “bait” that appear to come from a known and trusted source, such as a school’s Information Technology department. In 2009, RIT saw a string of phishing attempts that had, from our view, a success rate that was unacceptable. (Much as we’d like to block all phishing attempts and train our community to recognize and not respond to password requests, someone will always fall for a well-crafted phish.)

Unsure of how to best combat the threat, we formed a team of our best information technology and information thinkers to address the issue. We chose a multi-pronged approach with both technology and people initiatives. We increased our email alerts and advisories to inform the community of the problem. Our Information Technology Services organization began prepending a warning message to all incoming emails that contained the word “password” in the text. However, we knew that this wouldn’t be enough to solve the problem.
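A minimal sketch of the keyword-triggered warning described above, as an added example and not RIT's actual mail filter: the banner wording, function names and sample messages are assumptions constructed here. It decodes each body part before matching, so a quoted-printable line break inside the word does not hide it.

```python
import re
from email import message_from_string, policy

# Assumed banner wording; the post does not quote the text RIT used.
BANNER = "WARNING: never send your password in reply to an email."
KEYWORD = re.compile(r"\bpassword", re.IGNORECASE)


def body_parts(msg):
    """Return the text/plain and text/html body parts, skipping attachments."""
    return [p for p in msg.walk()
            if p.get_content_type() in ("text/plain", "text/html")
            and not p.is_attachment()]


def add_password_warning(raw):
    """Parse raw RFC 5322 text; return (message, tagged)."""
    msg = message_from_string(raw, policy=policy.default)
    parts = body_parts(msg)
    # get_content() undoes base64 / quoted-printable, so the transfer
    # encoding cannot hide the keyword from the match.
    if not any(KEYWORD.search(p.get_content()) for p in parts):
        return msg, False
    for part in parts:
        body = part.get_content()
        if part.get_content_subtype() == "html":
            part.set_content(f"<p><b>{BANNER}</b></p>\n{body}", subtype="html")
        else:
            part.set_content(f"{BANNER}\n\n{body}")
    return msg, True


# Constructed sample messages (not real mail). The first splits the
# keyword with a quoted-printable soft line break ("=\n").
SAMPLE_FLAGGED = (
    "From: helpdesk@example.com\nTo: student@example.edu\n"
    "Subject: Mailbox quota\nMIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    "Please reply with your pass=\nword to keep your account.\n"
)
SAMPLE_CLEAN = (
    "From: registrar@example.edu\nTo: student@example.edu\n"
    "Subject: Schedule\n\nYour fall schedule is now available.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        msg, tagged = add_password_warning(raw)
        print(tagged, "|", msg.get_body(("plain",)).get_content()[:60])
```

A plain substring search over the raw message would miss the first sample, because the keyword only appears once the body is decoded.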

One of our coop students had worked the previous summer at Yale University and showed us phishing awareness posters that they had created. We received permission from Yale to modify the posters for our own use and began a poster campaign on campus. We decided to go a step beyond.

What better way to draw attention to phishing than having a giant “phish” walk around campus! Phishy was an instant hit. Phishy visited offices around campus and greeted students with cards that reminded them to NEVER respond to requests for their passwords. Phishy hung around RIT for a week twice during 2009.


Gil Phish at Yale

This fall, Yale leveraged our Phishy idea. They bought a fish costume and greeted new students at orientation. (They also created a Gil Phish Facebook page with pictures of Gil engaged in behavior that could only be described as sub-crustacean…)

Building off of each other’s successes has enabled both universities to create innovative security awareness programs.


Writing the Next Chapter

Category: Infosec Communicator, Leadchange, STC, STC Rochester, Uncategorized

Change is necessary but change is uncomfortable.

We should ignore the past. We should value the past. We should just do it. We should learn from past efforts. Do we dash forward, make our mistakes and sort things out as we go? Do we assess the path forward and move carefully down it? How strong should our sense of urgency be? How fast can and should we move forward? How do we mold individual desires into a shared vision?

We need to attract new members. We want to retain existing members. We have many senior members who have contributed faithfully to STC Rochester. We have new members who may not know our past but who are willing to pour themselves into redefining our organization and positioning ourselves for the future.

These are some of the issues we face as the council charged with stewarding the Rochester Chapter of the Society for Technical Communication. We are a chapter with a long history of excellence. It’s time to write the next chapter.

I’m trying to find a path that allows us to retain the distinctiveness of what has made us STC Rochester while moving to a model that is sustainable and will foster growth. Part of this path forward includes implementing a marketing strategy. We’ve received our marketing plan from Neil Hair’s RIT Marketing Concepts class. The plan identifies key opportunities and strategies for growth. We’ve set up a subgroup to study the plan and bring forward recommendations to our October council meeting.

Our kickoff meeting is September 21st. We’re inviting prospective members and want to be sure we can articulate why they should join STC. There is a good bit of angst surrounding this.

We need to remember to have fun.
