Some Thoughts on Security Policy Violation and Terminations

There was recently a discussion on one of the forums that I visited about whether or not employees should be terminated if they violate information security policies.

The discussion became heated among some parties, and the threads grew long and multi-layered.

I asked Frase.io to summarize that discussion and pull together a relevant set of ideas stemming from it. Here is what the AI tool created:

Following information security policies is crucial for the protection of sensitive data and the overall cybersecurity of a company. Therefore, it is important to discuss whether employees should face consequences for not adhering to these policies.
When employees fail to follow information security policies, it can put the entire organization at risk. The consequences of a data breach can be severe, including financial loss, damage to reputation, and legal implications. Therefore, some argue that firing employees who do not comply with these policies is necessary to maintain a secure work environment.
On the other hand, it is essential to consider the context and severity of the violation before deciding on termination. Employees may unintentionally make mistakes or be unaware of the policies, in which case education and training may be more appropriate than immediate termination.
Implementing a fair and consistent approach to enforcing information security policies is crucial. This includes clear communication of expectations, regular training programs, and providing employees with the necessary tools and resources to comply with policies.
Ultimately, the decision to fire an employee for not following information security policies should be based on a thorough assessment of the situation. It is important to balance the need for security with fairness and understanding, considering the employee’s intentions, previous behavior, and potential for improvement.

After all of the rhetoric and the flames, this seems to be a rational approach to me. I think that, stripped of the emotions of the participating infosec practitioners, there is logic here that is useful.

What do you think about termination for security policy violations? What have you seen that works, and what doesn’t in your experience? Drop me a line on Twitter (@lbhuston) or Mastodon (@lbhuston@mastodon.social) and let me know your opinion.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Great explanation of Tor in Less than 2 Minutes

Ever need to explain Tor to a management team? Yeah, us too. That’s why we wanted to share this YouTube video we found. It does a great job of explaining Tor in less than two minutes to non-technical folks.

The video is from Bloomberg Business Week and is located here.

Check it out and circulate it amongst your management team when asked about what this “Tor” thing is and why they should care.

As always, thanks for reading and we hope these free awareness tools help your organization out.

Let’s Get Proactive with End User Security

Where do most of the threats to the security of our IT systems lurk? The Internet, of course! Powerful malicious software apps are all over the Net, like website land mines, just waiting to explode into your computer if you touch them. And how about accessing social networks from your company workstation? Do you really think that content on these sites is secured and only available to those you choose to see it? If so, then I’m sorry to disillusion you.

So why do most concerns still let their employees casually access and surf the Web from their business systems? Especially in the present, when most everyone has a smart phone or pad with them at all times? Businesses should embrace this situation and use it to their advantage. Why not set up an employee wireless network with all the appropriate security measures in place just for Internet access? (This network should be totally separate from business networks and not accessible by business computers.) It’s not expensive or difficult to administer and maintain a network like this, and employees could access websites to their heart’s content (on their off time, of course). And for those employees that are without a smart phone (an ever dwindling few), you could stand up a few kiosk computers that they could access using their employee wireless network password.

As for employees that need Internet access to perform their work duties, you should lock their access down tight. The best thing to do is to add needed websites to a white list and allow only those employees with a business need to access only those websites that are necessary and no others. Black listing and web filtering are partially effective, but they don’t really work well enough. I can’t tell you how often we have seen such filters in place at businesses that we assess that prevent access to gaming and porn sites, but still allow access to traps like known malicious websites in foreign countries! Go figure.
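The white list approach described above comes down to a default-deny decision keyed on business need. The following is an added example, not code from the original post: the role names and hostnames are constructed placeholders, and the leading-dot convention for "this domain and its subdomains" is an assumption of this sketch. It also shows why the match must be made on the parsed hostname rather than on a substring of the URL.

```python
from urllib.parse import urlsplit

# Hypothetical per-role allowlist (constructed placeholder hostnames).
# A leading dot means "this domain and any subdomain"; otherwise exact match.
ALLOWLIST = {
    "payroll": {"payroll.example.com", ".bank.example"},
    "purchasing": {"supplier.example.net"},
}


def normalize_host(url):
    """Return the lowercase hostname a proxy would connect to, or None."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        host = parts.hostname  # drops userinfo and port, lowercases
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def is_allowed(role, url):
    """Default deny: permit only hosts listed for this role's business need."""
    host = normalize_host(url)
    if host is None:
        return False
    for entry in ALLOWLIST.get(role, ()):
        if entry.startswith("."):
            # Domain entry: the bare domain or a true subdomain of it.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def naive_is_allowed(role, url):
    """Weak form for comparison: substring match anywhere in the URL."""
    return any(e.lstrip(".") in url.lower() for e in ALLOWLIST.get(role, ()))


# Constructed requests: (role, url)
REQUESTS = [
    ("payroll", "https://payroll.example.com/login"),
    ("payroll", "https://PAYROLL.EXAMPLE.COM.:443/"),
    ("payroll", "https://www.bank.example/"),
    ("payroll", "https://notbank.example/"),
    ("payroll", "https://payroll.example.com.attacker.test/"),
    ("payroll", "https://payroll.example.com@attacker.test/"),
    ("purchasing", "https://payroll.example.com/"),
    ("intern", "https://supplier.example.net/"),
]


def evaluate(requests):
    """Return (role, url, strict_decision, naive_decision) for each request."""
    return [(r, u, is_allowed(r, u), naive_is_allowed(r, u)) for r, u in requests]


if __name__ == "__main__":
    for role, url, strict, naive in evaluate(REQUESTS):
        print(f"{role:11} {url:45} strict={strict!s:5} naive={naive}")
```

A role with no entry gets no web access at all, which is the "and no others" part of the recommendation.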

And don’t forget to properly segment your business networks. Users should only be allowed access to those network resources that they need for business purposes. Users in workstation space should never be allowed to see into server space. Preventing this will go a long way in curtailing attacks from the other big danger: the malicious insider.

Thanks to John Davis for writing this post.

Make Plans Now to Attend Central OH ISSA Security Summit 2014

Brent will be speaking again this year at the ISSA Security Summit in Columbus

This year he has an interesting topic and here is the abstract:

A Guided Tour of the Internet Ghetto :: The Business Value of Tor Hidden Services

Following on the heels of my last set of talks about the underground value chain of crime, this talk will focus on a guided tour of the Internet Ghetto. You may have heard about Tor, the anonymizing network that rides on top of the Internet, but this talk takes you deep inside to visit the slums, brothels & gathering places of today’s online criminals. From porn to crimes against humanity, it is all here.

This talk will discuss Tor hidden services, help the audience understand what they are, how they operate, and most importantly, how to get business and information security value from them. If you think you know the dark side of the net, think again! Not for the faint of heart, we will explain some of the ways that smart companies are using hidden services to their benefit and some of the ways that playing with the dark side can come back to bite you.

Takeaways include an understanding of Tor, knowledge of how to access and locate hidden services and underground content, methods for using the data to better focus your business, and how to keep an eye on your kids to make sure they aren’t straying into the layers of the onion.

 Come out and see us at the Summit and bring your friends. It’s always interesting and a great event to catch up with peers and learn some amazing new stuff. See ya there!

International Cyber Intelligence & Situational Awareness (SA)…Operation Middle Kingdom

Good day Folks;

Here is an extensive list of the recent International Cyber Intelligence & Situational Awareness (SA) you should be cognizant of…something cyber for everyone including the People’s Republic of H@cking, HUAWEI, Pakistan ~ People’s Republic of China relations and much, much more cybernia related…and coming soon to a computer and networked system near you OP Middle Kingdom…

Innovation and Disruption, & Why the People’s Republic of China Needs the Latter

http://www.techinasia.com/difference-innovation-disruption-important/

A Breakdown of the People’s Republic of China’s New Visa Rules

http://www.haohaoreport.com/l/43604

A New Anti-American Axis? People’s Republic of China & Russia…

http://www.nytimes.com/2013/07/07/opinion/sunday/a-new-anti-american-axis.html?

People’s Republic of China’s Huawei Zambia to invest $500,000 in brand promotion | Times of Zambia

http://www.times.co.zm/?p=22996

People’s Republic of China, Pakistan Build Communication, Transportation Links

http://www.ibtimes.com/china-pakistan-agree-communications-transport-links-huawei-board-fiber-optic-project-1335227?ft=w18y0

PM urges People’s Republic of China’s Huawei to set up research centre in Pakistan

http://www.pakistantoday.com.pk/2013/07/07/news/profit/pm-urges-huawei-to-set-up-research-centre-in-pakistan/

People’s Republic of China’s Huawei-Imperial plan renews Chinese cyber-security fears

http://theconversation.com/huawei-imperial-plan-renews-chinese-cyber-security-fears-15788

People’s Republic of China’s Huawei deploys high speed 4G on Mount Everest

http://www.theinquirer.net/inquirer/news/2279724/huawei-deploys-high-speed-4g-on-mount-everest

People’s Republic of China’s Huawei to build China-Pakistan link

http://www.defence.pk/forums/economy-development/262482-huawei-build-china-pakistan-link.html

People’s Republic of China’s Huawei Ready to Outspend Ericsson in R&D Race to Woo Clients

http://www.bloomberg.com/news/2013-07-02/huawei-woos-carriers-with-research-boost-beyond-me-too-networks.html

People’s Republic of China’s Huawei supports Asia Pacific hospitals

http://www.itwire.com/it-industry-news/market/60579-huawei-supports-asia-pacific-hospitals

People’s Republic of China’s Huawei boosts spending on research

http://www.scmp.com/business/companies/article/1275572/huawei-boosts-spending-research

People’s Republic of China, Switzerland sign free trade agreement
Switzerland is latest OP Middle Kingdom acquisition by the People’s Republic of China…

http://www.reuters.com/article/2013/07/06/us-china-trade-idUSBRE96503E20130706

Studies: Cyberspying Targeted SKorea, US Military

http://abcnews.go.com/International/wireStory/studies-cyberspying-targeted-skorea-us-military-19602444

Turkish Agent Hacked US Air Force Culture & Language Center Website | Cyberwarzone
Didn’t the USAF tell the US Senate they were lead DoD on Cyber & were going to protect US Critical Infrastructure against hackers?
Hell, they cannot even protect themselves….
USAF CYBER ….MASSIVE FAIL….


http://cyberwarzone.com/turkish-agent-hacked-us-air-force-culture-language-center-website

Taiwanese Military to stage computer-aided war game later this month: MND
“tested the armed forces ability to fend off a simulated invasion by Chinese forces.”


http://www.chinapost.com.tw/taiwan/national/national-news/2013/07/03/382727/Military-to.htm

EU and People’s Republic of China close in on solar panel deal

http://www.reuters.com/article/2013/07/05/us-china-solar-idUSBRE9640L720130705

Pakistan, China set sights on Arabian Sea link

http://www.ksl.com/?nid=235&sid=25866836&title=pakistan-china-set-sights-on-arabian-sea-link

Is People’s Republic of China’s Huawei Becoming Less Chinese?

http://blogs.wsj.com/digits/2013/07/04/is-huawei-becoming-less-chinese/?

People’s Republic of China’s Huawei to overtake Ericsson in R&D spending

http://www.intomobile.com/2013/07/05/huawei-overtake-ericsson-rd-spending/?

Papua New Guinea’s fixed line incumbent Telikom recruits People’s Republic of China’s Huawei for NBN project

http://www.telegeography.com/products/commsupdate/articles/2013/07/05/telikom-recruits-huawei-for-nbn-project/?

FCC approves deals between Japan’s Softbank, Sprint, Clearwire
Softbank signs huge deal with Huawei….backdoor to United States critical infrastructure now wide open for Huawei courtesy of Japan…


http://www.washingtonpost.com/business/technology/fcc-approves-deals-between-softbank-sprint-clearwire/2013/07/05/f48c88d8-e5ad-11e2-a11e-c2ea876a8f30_story.html

People’s Republic of China’s Huawei, Imperial College, London announce big data joint venture

http://www.zdnet.com/huawei-imperial-college-announce-big-data-joint-venture-7000017582/

Chinese Web giant Tencent faces obstacles in its goal to expand in global IM market

http://www.washingtonpost.com/business/economy/chinese-web-giant-tencent-faces-obstacles-in-its-goal-for-a-global-im-market/2013/07/05/6ee4016c-cff4-11e2-8845-d970ccb04497_story.html?

People’s Republic of China Says Private Banks Possible

http://www.npr.org/templates/story/story.php?storyId=198990603

Emerging market giants quick to grab Australian foothold
Chinese banks, among the world’s largest, are busy in Australia


http://www.brisbanetimes.com.au/business/emerging-market-giants-quick-to-grab-australian-foothold-20130705-2phh7.html

NJRAT ESPIONAGE MALWARE TARGETS MIDDLE EASTERN GOVERNMENTS, TELECOMS AND ENERGY

http://threatpost.com/njrat-espionage-malware-targets-middle-eastern-governments-telecoms-and-energy/

Current cybercrime market is all about Cybercrime-as-a-Service

http://www.net-security.org/secworld.php?id=15173

TARGETED ESPIONAGE ATTACK BORROWING FROM CYBERCRIMINALS

http://threatpost.com/targeted-espionage-attack-borrowing-from-cybercriminals/

Traitorous Snowden Says the NSA and Israel Wrote Stuxnet Malware Together

http://news.softpedia.com/news/Snowden-Says-the-NSA-and-Israel-Wrote-Stuxnet-Malware-Together-366371.shtml?

EU adopts stricter penalties for cyber criminals

http://www.net-security.org/secworld.php?id=15183

EU Parliament to launch inquiry into US surveillance programs

http://www.net-security.org/secworld.php?id=15181

Piratin Nocun über den Überwachungsskandal…Cyberwar governments against their citizens

http://www.sueddeutsche.de/digital/ueberwachungsskandal-cyberwar-der-regierungen-gegen-ihre-buerger-1.1713200

Iran to hold nationwide cyber maneuver

http://www.presstv.ir/detail/2013/07/06/312582/iran-to-hold-nationwide-cyber-maneuver/

United Kingdom Cyber War ‘At Its Gunpowder Moment’

http://www.huffingtonpost.co.uk/2013/07/05/cyber-war-gunpowder-moment_n_3549048.html

Beware the Internet and the danger of cyberattacks

http://www.dallasnews.com/opinion/sunday-commentary/20130705-robert-j.-samuelson-beware-the-internet-and-the-danger-of-cyberattacks.ece

U.S. military realm extends to cyberspace

http://www.upi.com/Science_News/Technology/2013/07/02/US-military-realm-extends-to-cyberspace/UPI-85321372770741/

The cyber-intelligence complex and its useful idiots
“Those who tell us to trust the US’s secret, privatised surveillance schemes should recall the criminality of J Edgar Hoover’s FBI”

http://www.guardian.co.uk/commentisfree/2013/jul/01/cyber-intelligence-complex-useful-idiots

Cyberwar: Angriffe auf Industrieanlagen wachsen…Cyberwar: Attacks on industrial plants grow

http://business.chip.de/news/Cyberwar-Angriffe-auf-Industrieanlagen-wachsen_62848164.html

Blind Fear Of Cyberwar Drives Columnist To Call For Elimination Of The Internet

https://www.techdirt.com/articles/20130701/10561323680/blind-fear-cyberwar-drives-columnist-to-call-elimination-internet.shtml

Cyberwar ist kein Kalter Krieg…Cyberwar is not a Cold War

http://www.dradio.de/dkultur/sendungen/interview/2162803/

Brazil was target of U.S. signals spying, Globo newspaper says

http://www.reuters.com/article/2013/07/07/brazil-espionage-snowden-idUSL1N0FD05120130707

Enjoy –

Semper Fi –

謝謝紅龍

Go Phish :: How To Self Test with MSI SimplePhish

Depending on who you listen to, phishing (especially spear phishing) is either on the increase or the decrease. While the pundits continue to spin marketing hype, MSI will tell you that phishing and spear phishing are involved in 99% of all of the incidents that we work. Make no mistake, it is the attack of choice for getting malware into networks and environments.

That said, about a year ago or more, MSI introduced a free tool called MSI SimplePhish, which acts as a simplified “catch” for phishing campaigns. The application, which is available for Windows and can run on workstations or even old machines, makes it quite easy to stand up a site to do your own free phishing tests to help users stay aware of this threat.

To conduct such a campaign, follow these steps:

PreCursor: Obtain permission from your security management to perform these activities and to do phishing testing. Make sure your management team supports this testing BEFORE you engage in it.

1.  Obtain the MSI SimplePhish application by clicking here.

2. Unzip the file on the Windows system and review the README.TXT file for additional information.

3. Execute the application and note the IP address of the machine you are using. The application will open a listening web server on port 8080/TCP. Remember to allow that port through any host-based firewalls or the like.

4. The application should now be ready to catch phishing attempts and log activity when the following URL structure is clicked on: http://<ip address of the windows system>:8080/. When that URL is accessed, a generic login screen should be displayed.

5. Create an email message (or SMS, voice mail, etc.) that you intend to deliver to your victims. This message should attempt to get them to visit the site and enter their login information. An example:

Dear Bob,

This message is to inform you that an update to your W-2 tax form is required by human resources. Given the approaching tax deadline, entering this information will help us to determine if an error was made on your 2012 W-2. To access the application and complete the update process, please visit the online application by clicking here. (You would then link the clicking here text to your target URL obtained in step 4.)

6. Deliver the messages to your intended targets.

7. Watch and review the log file MSISimplePhishLog.txt (located in the same directory as the binary). Users who actually input a login and password will get written to the log as “caught”, including their IP address, the login name and **the first 3 characters** of the password they used.  Users who visit the page, but do not login, will be recorded as a “bite”, including their IP address.

** Note that only the first 3 characters of the password are logged. This is enough to prove useful in discussions with users and to prove their use, but not enough to be useful in further attacks. The purpose of this tool is to test, assess and educate users, not to commit fraud or gather real phishing data. For this reason, and for the risks it would present to the organization, full password capture is not available in the tool and is not logged. **

8. Let the exercise run for several days, in order to catch stragglers. Once complete, analyze the logs and report the information to the security stakeholders in your organization. Don’t forget to approach the users who were successfully phished and give them some tips and information about how they should have detected this type of attack and what they should do to better manage such threats in the future.

That’s it – lather, rinse and repeat as you like!
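For the log review and reporting in steps 7 and 8, a summary along these lines can feed the stakeholder report. This is an added example, not part of MSI SimplePhish or the original post: the page does not show the real layout of MSISimplePhishLog.txt, so the line format, the regular expression and the sample lines below are assumptions to adjust against your own log.

```python
import re

# ASSUMED line layout (the real MSISimplePhishLog.txt format is not shown on
# this page; adjust LINE_RE to match your log):
#   bite <ip>
#   caught <ip> <login> <first 3 password characters>
# The password-prefix field is deliberately never captured or reported.
LINE_RE = re.compile(
    r"\b(?P<event>bite|caught)\b\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+(?P<login>\S+))?",
    re.IGNORECASE,
)

# Constructed sample log, in the assumed layout.
SAMPLE_LOG = """\
bite 10.1.20.15
caught 10.1.20.15 bsmith Sum
bite 10.1.20.31
bite 10.1.22.8
caught 10.1.22.8 JDoe Pas
caught 10.1.22.8 jdoe Pas
bite 10.1.23.40
garbled line here
"""


def summarize(log_text, recipients):
    """Summarize one campaign: who visited, who entered credentials."""
    if recipients <= 0:
        raise ValueError("recipients must be the number of messages delivered")
    visitor_ips = set()
    caught = {}    # login (lowercased) -> set of source IPs
    unparsed = []  # kept so format drift is noticed, not silently dropped
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.search(line)
        if m is None or (m["event"].lower() == "caught" and not m["login"]):
            unparsed.append(line)
            continue
        visitor_ips.add(m["ip"])  # a "caught" user also visited the page
        if m["event"].lower() == "caught":
            caught.setdefault(m["login"].lower(), set()).add(m["ip"])
    caught_ips = set().union(*caught.values())
    return {
        "recipients": recipients,
        "visitors": len(visitor_ips),  # by IP; NAT or shared kiosks undercount
        "caught_logins": sorted(caught),  # users to follow up with (step 8)
        "bite_only_ips": sorted(visitor_ips - caught_ips),
        "visit_rate": round(len(visitor_ips) / recipients, 2),
        "caught_rate": round(len(caught) / recipients, 2),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, recipients=10).items():
        print(f"{key}: {value}")
```

Comparing visit_rate and caught_rate across repeated campaigns shows whether the follow-up coaching in step 8 is working.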

If you would like to do more advanced phishing testing and social engineering exercises, please get in touch with an MSI account executive who can help put together a proposal and a work plan for performing deep penetration testing and/or ongoing persistent penetration testing using this and other common attack methods. As always, thanks for reading and until next time, stay safe out there!

Tales From a Non-Security Professional, An End-User’s View

I’ve been working in the information security business for two years and have been amazed by what I’ve learned during this time. I remember when I thought, “Information security? Sure. A bunch of geeks patrolling their networks.” I had seen the movie Hackers, after all.

But I had no idea of the breadth and depth of information security. Basically, if you’re using technology, your data is at risk. Any piece of technology that you use that has sensitive data stored can be stolen. It is up to an individual to be proactive when it comes to information security instead of assuming “The IT Team” will take care of it.

Case in point: This morning I read an article from Dark Reading about Intel’s workers thwarting a malicious email virus. Pretty cool. Those workers took the initiative. They didn’t say to themselves, “Hmm. this email looks a little dicey, but I’m sure IT has it covered..”

Instead, each worker who recognized the malicious email immediately contacted the IT department. Because of such quick action, the IT department was able to contain the potential risk and take care of it. This type of response doesn’t happen overnight (And hopefully won’t take two years, either.) but was the result of consistent education.

For me, I’ve tightened up my own personal security posture as a result of hearing what happens when you don’t pay attention. Here are a few precautions I’ve taken:

1) Never leave a laptop in the front seat of your car. This may seem basic, but many workers who have a company-owned laptop will often put it on the passenger’s side of the car, or on the floor. It is easy to assume that when you stop to get gas and take a quick detour into the convenience store to grab a drink, that no one will bother your car. Don’t bet on it. According to a CSI/FBI Computer Crime and Security Survey, data loss from laptop theft came in third and fourth behind virus attacks and unauthorized access. Make a habit of placing your laptop in your trunk, away from prying eyes. And if you really want to protect it, carry it around with you. I’ve been known to carry my laptop inside a CVS, and restaurants. I usually say to myself, “How inconvenient/annoying/scary would it be if this laptop was stolen?” Yep. It’s going with me.

2) Passwords, smashwords! We all belong to probably way too many websites that require a password to access it. That’s not even counting the passwords we need to remember for our work email, database, or access to the intranet. We’re also told by our friendly IT team that we need to change those passwords on a regular basis. If you have trouble remembering what you had to eat for breakfast yesterday, much less trying to remember a password you created three months ago, I have the solution: a password vault. I can’t tell you how much this has alleviated the stress of remembering and revising passwords. I use KeePassX, an open-source password vault application.

Whenever I change my password, I immediately open the app and update my entry. Whenever I join a new site that requires a password, I’ll add a new entry. It’s simple and quick, and will protect me from some joker trying to hack into my sites. Once you get into a habit of changing your passwords, it becomes easier. Believe me, this is a heckuva lot easier than scratching out various passwords and usernames on a scrap piece of paper, throwing it into your desk drawer and then trying to find it three months later.

3) Delete stupid emails. This goes back to the “Here You Have” virus that the Intel employees avoided opening. They immediately saw the risk and reported it. Don’t open emails from people or groups that you don’t recognize. In fact, I created a spam folder and just move those types of emails into it if the regular spam filter doesn’t catch them. I empty the folder on a regular basis. No matter how enticing an email header is, if you don’t recognize the sender, trash it. For those who are detail-oriented, you really don’t have to open every email you receive. Really. You probably didn’t win that lottery, anyway.

4) Be suspicious. This one is probably the most difficult for me. I’m a friendly person. I like people. I was raised by two very outgoing parents and hence, I have a soft spot for striking up conversations with perfect strangers. I find I’m a magnet for some of them, too. When you’re in your office, this can be used against you by a clever attacker. If you’re an IT staff person, you may get a call from someone who is in some type of a bad spot and needs access to “their” data at work and gosh, could we just skip the authentication process? Because most of us are wired to help others (thank you very much, customer service training), we obviously try to be of assistance. Meanwhile, the attacker is counting on this and will press an employee to give them information without checking their credentials. If anyone calls me and starts asking a bunch of nosy questions, I’ll start asking mine right back: “What company do you represent? What is your name? What is your phone number? Why do you need to know this information?”

Sometimes asking such questions may feel awkward, but remember, we’re protecting our company’s data. We’re on the front line and a little discomfort can go a long way in winning the battle of security.

These are a few things I’ve learned over time. Information security isn’t only the IT department’s job or the CISO/CTO/CIO’s. It’s a job that belongs to everyone. If I could sum it up, I’d say this: Be aware. Be aware of your surroundings, aware of your technology, aware of access points. Keeping your eyes and ears open will not only save you a bunch of headaches (and perhaps your job) but will save your company money. And in today’s economy, that is a very, very good thing.