Category Archives: Risk


Secure Mobile: an Oxymoron? (Redux)

Categories: EDUCAUSE, Higher Education, Information Security, Infosec Communicator, mobile device, Privacy, Risk, Uncategorized

Responses to the #1 topic on IdeaScale, “Consumers dictate device usage, not IT,” indicate that MANY of you believe consumers will drive smartphone adoption in Higher Education, while the sentiment around the topic, “Get rid of the walls around your enterprise data,” indicates that quite a few of you believe that core university data should be accessible to smartphone users.

However, yesterday's polls showed that not even all of the attendees of yesterday's webinar use PINs or swipe patterns on their smartphones. The difficulty of entering a complex password on a smartphone makes it more likely that users will rely on simple passcodes, if any, to unlock their devices. At the same time, users expect access to more and more university resources through their smartphones, so a lost or unlocked phone increasingly exposes university data.

Where does security fit into this picture?

In Thursday's webinar, “Smartphone Privacy & Security: What Should We Teach Our Users?”, the speaker, Norman Sadeh, indicated that mobile users are three times more likely to fall for phishing attempts. If that holds, spear phishing against university communities, which already succeeds more often than we're comfortable with, will be even more effective against smartphone users. As we find ourselves more and more hurried, making quick decisions just to keep up with the ever-increasing stream of information flowing at us, we are more prone to fall for these attacks.

I would guess that many of us who own smartphones are using them to access our university e-mail, if not other university resources. Most of us don’t have any control over whether someone may e-mail us private or confidential information. If our smartphones become the weakest link in protecting data, they will be targeted.

How many of us have misplaced our smartphones or left them sitting on our desk in an unsecured office? Have you left your smartphone in a taxi or on a shuttle bus?

Increased access to university data is a desirable convenience. Will we be able to get the right combination of security controls, user training, and policies in place to allow smartphone access without it leading to a security breach resulting in a notification event or embarrassment to the university? What kinds of security controls are you using to prevent this? What security apps do you recommend to your users?

Lots of troublesome questions. Where are the answers?

Ben Woelk
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council

Policy and Awareness Analyst
Rochester Institute of Technology

ben.woelk@rit.edu
https://security.rit.edu/dsd.html
Become a fan of RIT Information Security at https://rit.facebook.com/profile.php?id=6017464645
Follow me on Twitter: https://twitter.com/bwoelk
Follow my Infosec Communicator blog at https://benwoelk.wordpress.com

This blog entry is part of the EDUCAUSE Mobile Computing Sprint and is cross-posted at https://www.educause.edu/blog/bwoelk/SecureMobileanOxymoron/227983



Irony

Categories: Information Security, Infosec Communicator, Risk, Uncategorized

I received the following notification today:

DHS Announces the Release of New Training Course: Workplace Security Awareness. No-Cost Critical Infrastructure Workplace Security Training

The Department of Homeland Security announces the availability of IS-906, Workplace Security Awareness, a no-cost training course developed by the Office of Infrastructure Protection Sector-Specific Agency Executive Management Office.

Access IS-906 on the Federal Emergency Management Agency Emergency Management Institute Web site: https://training.fema.gov/EMIWeb/IS/IS906.asp

The online training provides guidance to individuals and organizations on how to improve security in the workplace. The course is self-paced and takes about an hour to complete. This comprehensive cross-sector training is appropriate for a broad audience regardless of knowledge and skill level. The course promotes workplace security practices applicable across all 18 critical infrastructure sectors. The training uses innovative multimedia scenarios and modules to illustrate potential security threats. …

A certificate is given to participants who complete the entire course.

Sounds reasonable, right?

Ironically, the course asks you to provide your SSN (Social Security number).

Sigh…



Developing a Security Mindset

Categories: Higher Education, Information Security, Infosec Communicator, Risk, Uncategorized

In my Cyber Self Defense course at the Rochester Institute of Technology, I teach a module on Developing a Security Mindset. Based on a class exercise by Tadayoshi Kohno at the University of Washington (mentioned in a blog posting by Bruce Schneier), the goal of the module is to reorient students’ thinking from the features of a product and how those features are supposed to be used to thinking about how someone might “hack” the product. In other words, develop a security mindset.

I ask the students to identify the product's assets and vulnerabilities and to work out how someone might attack the product. The students are told that they do not have the resources to counter every possible threat.

I also have the students create a risk map that plots the likelihood of a particular attack against the potential impact of that attack. Placing specific threats on a risk map helps students see that not all threats carry the same weight, so they must choose what is most important to defend against.

The twist to the exercise is that students may not analyze a computer-related product. For example, subjects presented by my students this quarter included water purification, bicycle safety and running a pizza business. As the students presented, we discussed their risk maps and the choices they made.

Group one risk map for a water purification plant

Although we may not agree with the students’ risk map, the exercise stretches IT students to think “outside the box.”
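As an added illustration, not part of the original post or of the students' work, here is a small Python version of the exercise: threats are placed on a 5x5 likelihood/impact map, ranked by score, and then an exact choice is made of which ones to mitigate under a fixed budget, which is the constraint the students are given. The water plant threats, their ratings and their mitigation costs are constructed for the example and are not taken from the group's map.

```python
"""Risk map and budget-constrained mitigation choice (constructed example)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (catastrophic)
    mitigation_cost: int  # abstract budget units; an assumption for this example

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if self.mitigation_cost < 1:
            raise ValueError(f"{self.name}: mitigation cost must be positive")

    @property
    def score(self) -> int:
        """Classic likelihood x impact risk score."""
        return self.likelihood * self.impact


# Constructed threat list for a water purification plant. The numbers are
# illustrative only; they are not the students' ratings.
PLANT_THREATS = [
    Threat("contaminated source water", likelihood=3, impact=5, mitigation_cost=5),
    Threat("dosing pump failure",       likelihood=4, impact=3, mitigation_cost=2),
    Threat("chlorine tank leak",        likelihood=2, impact=5, mitigation_cost=4),
    Threat("intake vandalism",          likelihood=3, impact=2, mitigation_cost=1),
    Threat("power outage",              likelihood=4, impact=4, mitigation_cost=6),
    Threat("mislabelled lab sample",    likelihood=3, impact=1, mitigation_cost=1),
]


def risk_map(threats):
    """Place threats on a 5x5 grid keyed by (likelihood, impact)."""
    grid = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for t in threats:
        grid[(t.likelihood, t.impact)].append(t.name)
    return grid


def render_map(threats):
    """Text rendering: impact decreases down the rows, likelihood grows across."""
    grid = risk_map(threats)
    lines = ["impact \\ likelihood | " + " | ".join(str(l) for l in range(1, 6))]
    for i in range(5, 0, -1):
        cells = [", ".join(grid[(l, i)]) or "." for l in range(1, 6)]
        lines.append(f"{i:>19} | " + " | ".join(cells))
    return "\n".join(lines)


def ranked(threats):
    """Highest risk first; ties broken toward higher impact, then by name."""
    return sorted(threats, key=lambda t: (-t.score, -t.impact, t.name))


def choose_mitigations(threats, budget):
    """Exact answer: the subset that removes the most risk within the budget.
    Brute force over all subsets (2**n) is fine for a classroom-sized list."""
    best, best_value = (), -1
    for k in range(len(threats) + 1):
        for subset in combinations(threats, k):
            cost = sum(t.mitigation_cost for t in subset)
            value = sum(t.score for t in subset)
            if cost <= budget and value > best_value:
                best, best_value = subset, value
    return ranked(best), best_value


if __name__ == "__main__":
    print(render_map(PLANT_THREATS))
    chosen, covered = choose_mitigations(PLANT_THREATS, budget=8)
    total = sum(t.score for t in PLANT_THREATS)
    print(f"\nWith a budget of 8, mitigate: {[t.name for t in chosen]}")
    print(f"Risk covered: {covered} of {total}")
```

With the constructed numbers the single highest-scoring threat (power outage, 16) is not in the optimal set for a budget of 8: its mitigation costs 6 units, and spending those units on the source-water, pump and vandalism threats removes more total risk. That is the point the risk map is meant to make: the map tells you where the weight is, but the choice of what to defend also depends on what each defence costs.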


Covert Affairs Gets It (mostly) Right

Categories: Information Security, Infosec Communicator, Risk
Image: artist's conception of a WGS satellite in orbit (via Wikipedia)

When television and movies use information security as their storyline, they typically sacrifice accuracy for the sake of drama. I was pleasantly surprised when a recent episode of Covert Affairs actually got the information security content mostly right.

In the episode in question, the character Natasha is a freelance hacker employed by Russian organized crime to develop malware. Natasha demonstrates a successful hack that immobilizes a communications satellite and most computer-controlled infrastructure: phones, television, traffic lights and so on. Although a single piece of malware that could accomplish all of these goals is a bit of a stretch, Covert Affairs got some things right.

Organized crime and freelance hackers

When I first began working in information security several years ago, a co-worker told me that organized crime was responsible for much of the malware being developed. I was very surprised, as I had not thought about how malware attacks might be funded. Organized crime does hire freelance hackers to develop malware, although the most common purpose is to aid identity theft and fraud. The attack demonstrated in the episode is the kind you might expect in a state-level cyber attack and is far less common than malware written for identity theft, but it is not pure fiction: there have been attacks on infrastructure in Estonia (2007) and Georgia (2008), the United States certainly attempted to paralyze the infrastructure of Iraq before Desert Storm, and United States Cyber Command became operational in 2010.

Using computer code to identify its author

Security experts do examine some attacks to try to determine their author, especially after a severe one. See the Wired article “Pentagon Searches for ‘Digital DNA’ to Identify Hackers” (https://www.wired.com).

Kudos to Covert Affairs for making an effort to get the technical details correct.


Private Information and Portable Devices

Categories: Information Security, Infosec Communicator, Internet Safety, mobile device, Privacy, Risk, Uncategorized
Image: the entrance of the School of Medicine and Den... (via Wikipedia)

Today, I had the privilege of being interviewed by our local YNN cable news about the challenges presented by placing private information on portable devices. A surgeon at the University of Rochester Medical Center had lost a flash drive containing the medical details of around 800 of his patients. The reporter, Anne Lithiluxa, asked me how loss of data could be prevented.

Generally, if you are going to place private information on a portable device, either the device or the information itself needs to be encrypted. The likelihood of private information being exposed through a lost portable device has increased tremendously lately because of the proliferation of smartphones and their use for accessing corporate email. Good information security practice is always a combination of safe handling practices and technical protections.

However, the bottom line is that people are always the weakest link. Technical protections can always be defeated by poor practices.
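As an added example, not the author's code and not anything the medical center used, the following Python encrypts data destined for a flash drive using only the standard library: the passphrase is stretched with PBKDF2, the data is encrypted with ChaCha20 (RFC 8439) and authenticated with HMAC-SHA256 in encrypt-then-MAC order, so a modified container or a wrong passphrase is rejected instead of silently decrypting to garbage. The container layout (`PDEV1` tag, salt, nonce, ciphertext, tag), the iteration count and the sample record are assumptions made for this example; in production you would use a maintained library (for instance `cryptography`'s ChaCha20Poly1305) rather than hand-rolled primitives.

```python
"""Passphrase-based authenticated encryption for files carried on portable media.
Constructed example, standard library only: ChaCha20 (RFC 8439) for
confidentiality, HMAC-SHA256 (encrypt-then-MAC) for integrity, PBKDF2 to
stretch the passphrase."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
MAGIC = b"PDEV1"           # container tag; an invented format for this example
PBKDF2_ROUNDS = 200_000    # slows offline guessing once the drive is lost
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)        # 32-byte key, little-endian words
    state.append(counter & MASK)
    state += struct.unpack("<3L", nonce)      # 12-byte nonce
    w = list(state)
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def _derive_keys(passphrase, salt):
    """PBKDF2-HMAC-SHA256 -> independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def encrypt_blob(passphrase, plaintext):
    """Return MAGIC || salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    ciphertext = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def decrypt_blob(passphrase, blob):
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a PDEV1 container")
    header, ciphertext, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("authentication failed: wrong passphrase or modified data")
    return chacha20_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed stand-in for a patient record; never real data.
    record = b"patient-id=00042;procedure=appendectomy;notes=..."
    container = encrypt_blob("correct horse battery staple", record)
    assert decrypt_blob("correct horse battery staple", container) == record
    print(f"{len(record)} plaintext bytes -> {len(container)} byte container")
```

Write the container, not the plaintext, to the drive. The threat model for a lost drive is unlimited offline guessing, which is why the passphrase is stretched and why a fresh salt and nonce are generated per container; none of that helps if the passphrase is weak or written on the drive's label, which is exactly the "people are the weakest link" point above.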
