Cyber Security Awareness – Week 4
And finally … Week 4 (or the last 10 days of October) of the Cyber Security Awareness month. Continuing the theme of bosses to start, and then moving on to co-workers. It has been an interesting month of articles and I have seen a higher-than-usual interest in the posts as well as some additional retweeting going on. It’s nice to know the posts are being well received – thanks!
Day 22 – Security of removable media
The two main risks of removable media are virus infection and losing it somewhere.
To protect against these, it is recommended to disable auto-run (this stops any viruses that may be present auto-installing when you insert the device or disk), use an anti-virus program which traps other possible infections, and, where possible, use write-protected media. The latter stops infection in the first place.
If you use encryption on the removable media, you have some assurance that if you lose the media the data on it will be secure.
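The two controls above that live on the machine rather than on the media, disabling auto-run and encrypting removable drives, can be checked from a workstation. The following PowerShell script is an added example, not code from the SANS ISC post or from this blog. It assumes a Windows host where the `NoDriveTypeAutoRun` Explorer policy value is honoured (0xFF disables AutoRun on every drive type), and where `Get-Volume` and the BitLocker module's `Get-BitLockerVolume` are available; on editions without BitLocker the encryption check reports "unknown".

```powershell
# Added example (not from the original post): audit and enforce two of the
# removable-media controls discussed above on a Windows workstation.
# Assumptions: NoDriveTypeAutoRun = 0xFF disables AutoRun on all drive types;
# Get-BitLockerVolume is present only on editions that ship BitLocker.

function Get-AutoRunPolicyStatus {
    # Report the AutoRun policy for both the machine and the current user scope.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($item) { $item.NoDriveTypeAutoRun } else { $null }
        $shown = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Scope              = $path.Split(':')[0]
            NoDriveTypeAutoRun = $shown
            AutoRunDisabled    = ($value -eq 0xFF)
        }
    }
}

function Disable-AutoRunAllDrives {
    # Set the machine-wide policy; needs an elevated prompt to write HKLM.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

function Get-RemovableDriveEncryptionStatus {
    # List mounted removable volumes with their BitLocker To Go protection state,
    # so an unencrypted stick is noticed before it is lost rather than after.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount  = "$($vol.DriveLetter):"
        $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $status = if ($bl) { $bl.ProtectionStatus } else { 'unknown (BitLocker module unavailable)' }
        [pscustomobject]@{
            Drive            = $mount
            FileSystemLabel  = $vol.FileSystemLabel
            ProtectionStatus = $status
        }
    }
}

# Run the audit; call Disable-AutoRunAllDrives from an elevated prompt to enforce.
Get-AutoRunPolicyStatus | Format-Table -AutoSize
Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
```

Run the audit as an ordinary user to see the current state; `Disable-AutoRunAllDrives` writes the machine-wide policy and so needs an elevated prompt. In a managed environment the same value is normally pushed by Group Policy, and this script then serves as a spot check that the policy actually landed on a given host.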
Day 23 – Importance of compliance
I used to work in QA (Quality Assurance). It was my first job and I even went on to become a trained software capability maturity model (SW-CMM) auditor, so I got to know a lot about compliance, and much of the author’s discussion about the frenzy of activity just before a compliance audit is so true – a hurried patching activity to make sure everything is in order and everything is documented according to the procedures you are supposed to be compliant with. Sadly, this even extended to the QA team that I was a junior in when they were externally audited.
I digress … the article discusses the benefits of compliance in managing security. The main things compliance provides are:
- Ensure processes are documented
- Provide information to those that need it, when they need it
- Provide guidance to resolve issues
- Ensure basic security processes are done regularly and consistently. e.g. user review, risk assessments, projects, etc.
- Provide metrics that demonstrate things are secure
- Help the organisation reduce costs, e.g. reduce merchant fees, streamline processes
- Stop you having to solve the same issue over and over again
- Improve Security’s profile in the organisation
They won’t necessarily make you more secure, but will help you become and stay secure.
Day 24 – Using work computers at home
Quite a lengthy article this one. It looks at the different demands/requirements on the use of the work computer when used at home, including:
- Governing Bodies (for example tax implications)
- The User
- The Boss
- Admin/Security Team
The main point is that you should always remember to use it as a work computer as if you were at work. Just because you are away from the work environment doesn’t mean you should misuse the machine for purposes other than it was intended. I touched on this aspect of what a machine should be used for in my recent post on “confessions of a mobile worker” where I discussed the use of multiple machines.
Day 25 – Using home computers for work
The author talks about his own experience with using a virtual machine on the home computer to effectively partition the work and home files, and so provide effective protection between the two. Naturally, he quotes IANAL and you should check any legal implications if you want to go down this route.
Day 26 – Sharing office files
This post talks about the 4 scenarios for sharing files:
- Within the company (e.g. file servers)
- Via external third-party shares (e.g. virtual file servers)
- Using removable media
- Receiving them from outside the company (via email)
The usual security measures apply in most cases – anti-virus, firewall, disable auto-run, etc. But we add “trust” into the equation for internal files – i.e. only trusted people can have access to the files on the servers.
Day 27 – Use of social media in the office
This is a long post on suggested use of social media in the office. It doesn’t dictate as this is up to each individual organisation, but does suggest that use should be managed through compliance (policies) and training. The latter is important as there are so many threats spreading via social media sites and we need to manage the risk to the organisation if people are using these sites from the office.
Day 28 – Role of the employee
The employee’s role (that of a user within the organisation and their relation to security) essentially boils down to three questions:
- “What data have I produced?”
- “How do I get this data back, so I may continue, when all else fails?”
- “What data, other than my own, am I ultimately responsible for today?”
Day 29 – Role of the office geek
Grammatically not a great post, but essentially dealing with how we manage the office geek.
This is a person who loves technology and is often self-motivated to explore alternatives and possibilities presented by the use of technology. I know this person as I was him, much to the equal chagrin and delight of my superiors.
A typical scenario is where the geek goes on a course and comes back with a head full of new ideas. Seeing an opportunity to potentially automate part of the routine daily grind, s/he prototypes an application or database which can help significantly. This evolves into becoming part of the division or company’s core processes – often unknown to anybody outside of the geek or his/her team. At some future time, this now-essential component of business protocol emerges into the rest of the corporate culture – and the questions of security, compliance, etc are all asked, and often fail because none have been applied.
This is a double-edged sword because if you discourage the geek, you’ll get a substandard response (or they will leave to go be where they can be geeky), but if you encourage them you will also incur an overhead managing their output as some (much?) of it may not be required.
In my case there were two main examples of my early geekdom – both involving process automation. I liked to tinker with technology (still do) and was promoted to lead a team of 7 developing part of the control systems software. This team was one of 10 in the division working on the project, and there was an endless paper trail needed for compliance and sign-off on every new build of the system. This paperwork took an age to complete by hand, and I saw an opportunity to automate the process given that most of the data already existed in the configuration management tools we used. However, I mentioned it to the Utilities team (the gurus who developed new divisional tools) and got a polite “not interested”. Over the period of a couple of weeks – an hour here and an hour there – I produced a working version of a tool which automated the paperwork entirely. We used it regularly within the team and it saved 3-4 man hours per day.
After about a month, the tool got the attention of the higher-ups and I was summoned to discuss it. I got the double-edged grilling of “why did you do it without authorisation?”, “we don’t have a budget for this”, etc, etc. My response was that I needed my team to concentrate on the intellectual work of producing the code – which is what they were hired for – and not bore them senseless with endless paperwork which can be left to the machine. We continued to use it, and about a week later I was asked to document it fully and it was rolled out across the division. The savings were enormous. But I flagged any new prototype as I thought about it and managed to secure a relative carte blanche for looking at alternatives. The division rewarded my geekiness but also made sure it became part of managed business.
The second example had a more direct saving when I managed to automate a job I took over and reduced the man hours required to do it from approximately 70 per week to 7. It caused a bit of friction internally, but saved the division a bundle of cash in the long run.
Update: Luis Solis of Imaginatik has a tool to help the “renegades” as he calls them (the 10% of corporate geeks) leverage corporate crowd-sourcing to develop their innovations beyond the invisible barriers that exist.
Better get back on with the rest of this post really …
Day 30 – Role of the network team
The Network Team is usually responsible for the network infrastructure and may need to evaluate, recommend, maintain and deploy security products on the perimeter and corporate network.
Some of the requirements might include:
- Implementing, supporting and maintaining security and network infrastructure
- Solid understanding of enterprise architecture
- A broad knowledge of networking technologies and a sound understanding of TCP/IP
- Ensure a reliable service for all corporate users
- Identify and develop scalable network designs, solutions and policy recommendations
Day 31 – Tying it all together
This is a summary post with links to all of the SANS ISC Cyber Security Awareness posts in October.
I hope you enjoyed the summaries provided here, and the few anecdotes sprinkled in between.