Other Interesting Stuff...
Posting a personal Privacy Notice on your Facebook timeline won't save you
The horses are already out of the barn if you are using a Facebook account. No statement you can make will change the fact that you have granted them (or any other site) the right to use the content you post in any way they want.
Know the Top 10 Social Media Risks
This quick list from ZeroFox gives a good summary of the types of risks that arise from social media. All business managers should be aware of these.
Something I've been working on...
I've found a way of creating short, engaging animated video clips that can be used for educating staff.
Have a look at this clip, called "Dave's adventure with a USB drive at work..."
Click the image to view the video clip. I'd like to hear your comments on it, so I can create more engaging educational clips. - Scott
Greetings!
Welcome to Issue #13 of the Streetwise Security News. It's been another busy month for me, doing more security awareness training programs and some fun and interesting policy update work. OK, so maybe not everybody finds policy work fun and interesting.

I will be speaking at BSides Ottawa on October 2. BSides is a great format for local security conferences, where I'll be doing a fun talk about the Honey Stick Project: its past... and maybe some new ideas, too! (No, it's a different kind of fun from policy work...)

As for my reading list, I've been getting into a light-hearted look at "How to Fail at Almost Everything and Still Win Big: Kind of the Story of My Life" by Scott Adams, the creator of the Dilbert cartoon. As he warns in his disclaimer, you should always take advice from a cartoonist with a grain of salt. But I'm pretty impressed with his business insights. Scott Adams, in fact, is much more of an entrepreneur than I (and most people) realized. Among the cartoonist's many notable business insights is something I've also recently come to believe: it's not your passion that is the best indicator of your chances for success; it's your energy level. Keeping your energy level high through healthy mental and physical choices can give you a lot more opportunities to succeed.

See the list of clickable topics on the left for a quick view of this issue's stories and content. If you're not already a subscriber and would like to sign up, please click HERE. Even if you don't want to subscribe, I'd love to hear your favorite story. It doesn't have to be about security.
Cheers,
This guy targeted the wrong company with an email attack...
Background
Business Email Compromise (BEC) attacks are a growing form of fraud where an attacker sends an email to an executive of a company, impersonating another executive in the company. The intent is usually to get somebody to authorize a wire transfer of funds to some organization to whom the target company apparently owes money.
Phishing the Attacker
Stu Sjouwerman, CEO of KnowBe4, announced this past week that his company saw an opportunity to fight back that was too good to pass up.
KnowBe4 specializes in providing off-the-shelf, web-based security awareness training services, as well as automated tools to test employees with simulated phishing attacks. So, when an attacker tried to use a Business Email Compromise attack on one of their executives, the executive did what she had been trained to do, but the team couldn't resist trying to identify the attacker using their own tools.
BEC attack email received by KnowBe4 executive
It worked, and their blog post on the sequence of events makes an amusing read. It's nice to see the bad guy get caught once in a while, and even better when they get tripped up and beaten by somebody playing their own game. Stu's team was able to gather enough information from the unsuspecting attacker to turn them in to the authorities. Good job! Just to bring home the point about how dangerous these attacks are, a client of mine also had an executive receive a similar email. They almost fell for it, but the executive who received the email noticed that the supposed sender hadn't signed off with his usual "nickname" at the bottom; it was his formal name. So, he followed up to confirm, and sure enough, it was a scam.
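The tell-tale signs in both stories (a familiar executive's name on an unfamiliar address, a push to move money, a sign-off that isn't how the person usually signs) can be checked mechanically before a message reaches an inbox. Here is an added example in Python of such a check; it is not KnowBe4's tooling and not code from this newsletter. The company domain example.com, the executive directory, the payment keyword list and the two sample messages are all constructed for the illustration.

```python
"""Flag the tell-tale signs of a Business Email Compromise attempt in raw
mail headers: an executive's display name paired with an address that is not
that executive's, a Reply-To that diverts replies elsewhere, payment language
in the subject, and a sign-off that differs from how the executive usually
signs.

Added example for this newsletter; not KnowBe4's tooling. The domain,
executive directory, keyword list and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                        # assumed company domain
EXECUTIVES = {                                         # assumed directory
    "jane doe": {"addr": "jane.doe@example.com", "signoff": "Jane"},
}
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice")   # assumed list


def _domain(addr):
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def _last_line(text):
    """Last non-blank line of a message body, i.e. the sign-off."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def check_message(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    exec_entry = EXECUTIVES.get(" ".join(from_name.lower().split()))

    # 1. Display name is an executive's, but the address is not theirs.
    if exec_entry and from_addr.lower() != exec_entry["addr"]:
        findings.append(
            f"display name '{from_name}' belongs to an executive but the "
            f"address is {from_addr} (expected {exec_entry['addr']})")

    # 2. Replies would go to a different domain than the one shown in From.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} diverts replies away from "
                        f"{_domain(from_addr)}")

    # 3. Subject pushes for money to move.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in PAYMENT_WORDS if w in subject]
    if hits:
        findings.append(f"subject mentions {', '.join(hits)}")

    # 4. Sign-off differs from how this executive normally signs (the cue
    #    that tipped off the executive in the story above).
    if exec_entry:
        body = "" if msg.is_multipart() else msg.get_payload()
        signoff = _last_line(body)
        if signoff != exec_entry["signoff"]:
            findings.append(f"sign-off '{signoff}' differs from usual "
                            f"'{exec_entry['signoff']}'")
    return findings


# Constructed samples: one impersonation attempt, one genuine message.
SAMPLE_ATTACK = """\
From: Jane Doe <jane.doe@example.net>
Reply-To: Jane Doe <jane.doe.ceo@example.org>
To: cfo@example.com
Subject: Urgent wire transfer - confidential

Are you at your desk? I need a payment sent out today; details to follow.

Jane Doe
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck for Thursday

Can you add the Q3 numbers to slide 4?

Jane
"""

if __name__ == "__main__":
    for label, raw in (("attack", SAMPLE_ATTACK), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw) or "no findings")
```

Run as-is, the constructed attack message produces four findings and the genuine one produces none. In practice the header checks (display name matched against the directory, Reply-To pointing elsewhere) belong in a mail gateway rule rather than a script, and a keyword hit on its own should only raise a flag alongside one of the header mismatches, or it will drown the finance team in noise.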
A Note About Vigilante Justice in CyberSpace
I generally don't agree with launching crippling counter-attacks on the Internet.
The basic fact is that it's extremely hard to determine precisely who an attacker is when they come at you from the Internet. This makes it risky to fight back by targeting their apparent Internet address: you might end up hitting an innocent malware victim's computer or business.
However, when you can literally get your attacker to reveal key identity information, this issue gets much more interesting and, in my view, the attacker becomes fair game.
Full Disclosure
I have recently partnered with KnowBe4 to resell their phishing assessment services to my clients. I think it's a great fit, since I've been running the Honey Stick Project, as well as my own phishing assessments for a number of customers.
KnowBe4's tools make it very easy for me to design and run periodic tests for my clients, who like the idea of combining delivery of security awareness education with the metrics available from a phishing assessment. However, IT security managers often do not have the time to plan, execute and follow up on these assessments. So, my partnership with KnowBe4 makes a lot of sense for bringing value to my business clients.
Terminology - "Security by Obscurity"
Security by Obscurity - Any form of "hiding" or "obscuring" sensitive data or information that is relatively ineffective against an average attacker.
People often save their passwords in an unencrypted text file on their computer's desktop, or rename important files to have uninteresting names. It's equivalent to hiding the key to your house under your front door mat.
There are many businesses that don't do enough to secure their clients' data. They may think they are being extra sneaky by using their own "special" form of encryption or scrambling of data. But time and time again, it has been proven that "home-made" security solutions don't work as well as safeguards that have been designed by experts and tested with real attacker tools.
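To make the point about "home-made" scrambling concrete, here is an added example in Python (not from the newsletter) of the kind of in-house scheme the entry describes, and of how little the secrecy of its key is worth. The scrambler (XOR every byte with one secret byte), the one-byte key 0x2b and the stored secret are constructed; the attacker's side is told nothing about the key and recovers it by exhausting the 256 possibilities and keeping whichever output reads most like English.

```python
"""Why a 'home-made' scramble is security by obscurity, not encryption.

Added example for this terminology entry; it is not from the newsletter.
The scrambler, the key and the stored secret below are constructed.
"""
import string

PRINTABLE = set(string.printable.encode())
# Rough English plausibility weights: common letters and space score high,
# other printable bytes score nothing, unprintable bytes are penalised.
WEIGHTS = {ord(c): 3 for c in string.ascii_lowercase}
WEIGHTS.update({ord(" "): 13, ord("e"): 12, ord("t"): 9, ord("a"): 8,
                ord("o"): 7, ord("i"): 7, ord("n"): 7, ord("s"): 6,
                ord("h"): 6, ord("r"): 6})


def scramble(data: bytes, key: int) -> bytes:
    """The 'special' in-house scheme: XOR each byte with one secret byte.
    Applying it twice with the same key restores the original. The output
    looks like gibberish, which is what makes it feel safe."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> int:
    """Score how much a byte string looks like English text."""
    return sum(WEIGHTS.get(b, 0 if b in PRINTABLE else -50)
               for b in candidate)


def recover_key(blob: bytes) -> int:
    """Attacker's side: the key space is only 256 values, so exhaust it and
    keep the key whose output is the most plausible text."""
    return max(range(256), key=lambda k: plausibility(scramble(blob, k)))


def attack(blob: bytes) -> bytes:
    """Recover the plaintext without ever being told the key."""
    return scramble(blob, recover_key(blob))


# Constructed secret, as someone might keep it in a 'scrambled' notes file.
SECRET = b"the password for the wifi router is hunter2 and the safe code is 1984"
KEY = 0x2b          # the owner's 'secret' byte; the attacker is never told it
STORED = scramble(SECRET, KEY)

if __name__ == "__main__":
    print("stored :", STORED.hex())
    print("key    :", hex(recover_key(STORED)))
    print("secret :", attack(STORED).decode())
```

The same brute-force idea scales to longer repeating keys by splitting the blob into key-length columns and solving each column the same way, which is why an "obscure" encoding buys nothing against even casual attacker tools. The expert-designed alternative the entry refers to is a vetted cipher from a maintained library, with the key derived from a real passphrase, so that exhausting the key space is not an option.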
You can find more information security terms and their definitions in the Streetwise Security Zone's Glossary. If you want to suggest a term to be added to the glossary or published in a future SSN issue, please send me a note at the coordinates below.
From Scott's Blog
Here's a not-so-recent extract from my blog. I believe it still applies, 7 years later...
A year or two ago I was attending a session presented by a businessman who grew up in South Africa. He drew an interesting parallel between the wild baboons from his native land and the counter-productive habits of many businesses today.
It just so happens that the South African baboons have taken a liking to the corn that local farmers grow there. Apparently, they organize raids on the cornfields on a frequent basis. The farmers obviously aren't too pleased with this. Moreover, the baboons don't manage their situation very intelligently.
Shared Security
Top 10 Implantable Wearables Soon To Be In Your Body
As the Internet of Things evolves, we are now seeing "things" being embedded into human bodies. Some are for daily convenience, and some are for medical monitoring and/or treatment.
This is a story we cover in Episode 45 of the Shared Security podcast. I co-host a podcast program called Shared Security. Tom Eston and I discuss security and privacy risks and tips related to the people, apps and technology you trust. This program is available on iTunes, and via email subscription at the bottom of the post. We also have a Twitter account at @sharedsec and a Facebook page.
Pinterest Pic of the Month
This is a very long infographic with lots of good info about what social media sites can gather from you and your actions.
A Cyber Security Challenge Question
Which of the following is the best situation in which you could safely use "Security by Obscurity" to protect something you want to keep secret?:
a) When you want to protect your online banking password
b) When you choose a wifi security access code
c) When you want to hide a birthday gift for your 8 year-old child
d) When you want to leave a key to your house for the maid under the door mat
Answer:
See the bottom of this newsletter for the answer. (or click HERE)
Streetwise Security Tip - Use an automated, secure backup facility to protect your important documents against accidental loss
We've all heard stories, and most of us have probably had bad luck at the worst possible time, when it comes to losing important data or documents on your personal computers. Most businesses have automated backup systems that run on a daily basis to make sure that, if a hard disk crashes, or a file is accidentally deleted, the damage will at least be limited to one day's work.
However, for most of us who use personal computers for our family's documents or run home-based businesses, it's a good idea to put your own "automated" backup system in place.
These days, it's pretty easy to do. I use a web-based service called Carbonite. This service goes into action every time I save a document to my computer's hard drive, by encrypting the document and sending it to their cloud-based, secure web archive. For most people, this is a great solution. Of course, there are many such services available now, so you should shop around and choose one that meets your needs.
I can't count the number of times I've been able to rescue a potentially catastrophic situation by restoring my data from the online backups. It costs about $60 per year for a computer, and has usually paid for itself on an annual basis.
So, when I set up a new computer that will contain any documents that we don't want to lose (e.g. kids' laptops with homework assignments, etc.) I set up a new backup plan for it, and then sleep better knowing that lost documents due to a lack of backups won't be a problem.
A Data breach story: "They Burned Down the House" - An interview with the Sony Pictures CEO
What's the worst thing you could imagine happening to your business's sensitive information?
It happened to Sony Pictures Entertainment...
This story first broke in November 2014. A hacker group calling itself the "Guardians of Peace" (GOP) broke into Sony Pictures Entertainment's network and stole virtually everything. Not only did they take copies of everything they could find and make it public, they then wiped out most of the company's software systems. Sony literally had to rebuild its networks from scratch, while also dealing with the fallout from leaked corporate data, personal emails and sensitive information. This article in the Harvard Business Review has a great interview with Michael Lynton, their CEO. While I was expecting that the company might still be struggling to survive this devastating attack 10 months later, his story seems to be a positive one, from which every executive can learn important lessons.

Culture Matters a Lot During a Crisis
Lynton admits that they had some ineffective security measures in place that made the attack more damaging. But he gave a great deal of credit for the quick recovery to his team's attitude and the corporate culture. He made himself available every day during the breach recovery period by eating his lunch in the cafeteria, where people could approach him with questions and concerns about the breach. This approach built a lot of trust within the workforce. He also says he used to be a strong delegator, but had to get very hands-on to see what was happening. His attitude was apparently not to assign blame, but to look for the best way forward.

A Wake-Up Call for Businesses
As Lynton points out, this is really just the beginning of a new business environment, where the question is not "Will you be attacked?" but "When will you be attacked?" You have to know what to expect, and how you're going to deal with it when it happens. Please take a few minutes to read about the important lessons he has learned in this HBR article.
Most organizations that have gone through a breach will not likely be as open and candid about what it's like.
Answer to the Cyber Security Challenge Question (from above)
Which of the following is the best situation in which you could safely use "Security by Obscurity" to protect something you want to keep secret?:
Answer: c) When you want to hide a birthday gift for your 8 year-old child
Any relatively smart attacker knows that people tend to think they are being clever by obscuring what they are trying to hide or protect. A realtor's lockbox is a much better way to leave a key for a maid than putting it under a flower pot.
Thanks for Reading!
If you found this newsletter to be useful, I invite you to share it with one or two other associates or friends. If you have any comments, or even suggestions for stories you'd like to see in the next issue, please send me a note. In particular, I'd love to hear which stories you enjoyed the most, and what you'd like to see more of. Sincerely, Scott Wright
The Streetwise Security Coach, Security Perspectives Inc.
Scott's Blatant Advertising
For those of you who are interested in learning more about my products and services for business, here's some additional information for you.
Security Awareness Education and Assessment
- Live Training Sessions - I provide live on-site training, as well as webinars, for businesses who want to quickly engage staff. This often occurs in environments where it's important to get feedback from staff during the sessions. A workshop setup can result in some immediate actionable insights that will improve the effectiveness of your security program, since staff are more invested in the safeguards selected.
- Computer-Based Training (CBTs) - Websites can be created that lead employees through the key security topics on which your business wants people to focus. Engaging images and animations can be included to make the content more relevant and interesting. You can also include self-assessment and auditable quizzes. I've created these kinds of tailored Intranet-based web applications for general security awareness, as well as specific compliance initiatives and even records management policy awareness.
- Periodic Phishing Assessments - I'm extremely happy to have recently become a KnowBe4 reseller, which means I can now help customers plan and implement very efficient and effective automated phishing assessments. I can offer a free baseline phishing assessment trial that will illustrate how vulnerable your organization is to phishing attacks.
- Social Media Risk Management - The use of social media for personal communications, as well as for marketing, HR and publicity, is a whole new risk area for businesses. There are new tools available for monitoring and alerting management to threats and reacting to them. I can help you navigate through this uncharted territory.
- Games and Quizzes - Gamification is a great way to engage employees and prospects. I have a framework for a "trivia-game" style application that can be used in trade show booths and kiosks. It is totally customizable, so you can use any category names, with any questions and any multiple-choice answer options.
- Subscription-based Security Awareness Content Updates - An effective way to keep people engaged with current security threats is to provide them with periodic updates that include case studies, tips and snap quizzes. These can even be made auditable, and form part of a Performance Objectives system within your business.
Demo Example: Dave's adventure with a USB drive from work...
- Streetwise Security Awareness Animated Clips - Another effective way of engaging people is with animations. I can create short, narrated animations (up to 2 minutes) that can be put on internal websites or used for public consumption on sites like YouTube. I am also building a library of inexpensive security animations you can purchase and use in your own programs. Click HERE or on the image above to watch a short animated video clip called "Dave's adventure with a USB drive from work...".
You can inquire about any of these products or services by emailing me at: scott@streetwise-security-zone.com