Category Archives: End-user Focused

The iPad as a VPN Client

Posted on by
Reply

Today was my first real chance to try out the iPad as a VPN client in a critical situation. I needed an essential file for a client in a real hurry. We were about 50 miles from the office and a physical return with the file wasn’t possible. Even worse, it was stored on an encrypted vault volume on my personal backup system, so none of my engineers could assist me, since they lack credentials for that box.
Thankfully, I had my iPad with me. I had already set up a VPN connection for my device, but hadn’t yet tested it. The good news is that it worked perfectly! I was able to quickly create a VPN tunnel back to my network and then SSH into my vault. Once there, I could effortlessly arrange for a file transfer to my client in a secure manner. I even piped a VNC connection over the tunnel using iTeleport and could interact with the GUI nearly as easily as on a laptop.
All in all, it was a great save and made an excellent real world use case for the iPad in my work flow. Have you had any other big successes with the iPad in your security work? If so, drop a comment and tell us about it. I look forward to reading about it!

How To Create a Social Media #Security Policy

Posted on by
Reply

Facebook now claims 300 million active users. And Twitter, has 6 million monthly unique visitors. As more employees use mobile devices and their desktops to access social media sites, it poses an increasing security risk both for user and organizations.

And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security issues, more companies are starting to address concerns by creating a social media policy.

Because social media will not likely disappear (In fact, more are more likely to develop.), an organization needs to create guidelines to help protect their confidential data. Here are a few things to consider when crafting your own policy:

  1. Communicate with employees and emphasize current policy. If it’s not acceptable to discuss new business at a live networking event, then it’s not acceptable to post it on Twitter or Facebook. The social media platform may change, but the principle remains the same. “Loose lips sink ships” isn’t just a quote for the military. You may already have a policy in place regarding sharing information. Include it in a social media policy.
  2. Use social media policies as an additional tool for your employee awareness program. When you develop a policy, and emphasize it with training classes, email reminders, or media – employees remember how important it is to protect the company’s intellectual property. As you explain to employees that social media just gave them a megaphone to broadcast; and with that comes responsibility, more of them will think twice before sharing something that they’ll know is inappropriate.
  3. Work with both the human resource and marketing department. To put a positive spin on usage, it’s good for employees to realize what they can post on their accounts. In fact, your employees can become an in-house public relations firm as they share with their followers the great things about their workplace. Allowing employees to have influence in an organization’s message will give them a sense of ownership in its success.
  4. Have a password vault available for each employee. One of the most common ways a hacker gains access to accounts is by discovering a password and then reusing that password to gain access to a person’s other social media accounts. KeePass is a great, open- source version to help secure passwords. Encourage employees to change passwords often.

Keep policies current to match new developments within the social media industry. Be as specific as possible and have ongoing awareness sessions to ensure everyone is on board. By planning ahead and communicating expectations clearly, a company can significantly decrease their level of vulnerability by an employee’s misuse of social media.

Social Media and Reputational Risk: 3 Ways to Keep It Real – And Safe

Posted on by
Reply

You have employees who are addicted to social media, updating their status, sharing everything from discovering a helpful business link to where they went for lunch. However, they also may be broadcasting information not intended for public consumption.

One of the most difficult tasks for an organization is conveying the importance of discretion for employees who use social media. Not only are organizations at risk from having their networks attacked, but they must protect their reputation and proprietary ideas. What makes these two areas difficult to protect is their mobile nature. Ideas are invisible and have a habit of popping into conversations – and not always with the people who should be hearing them. They can get lost or stolen without anyone knowing they’re even gone. Suddenly, you find your competitor releasing a great product to your market that you thought was yours alone.

If you want to decrease such liabilities, you have a few options. Initiate some guidelines for employees. Send friendly reminders from newsworthy “social-media-gone-bad” stories. The more employees know where an organization stands in regard to safe social media use, the more they can be smart about using it. Here are three basic rules to help them interact safely:

1. Don’t announce interviews, raises, new jobs, or new projects.
Talking about any of these sensitive topics on social networking sites can be damaging. If an employee suddenly announces to the world that they’re working on a new project with XYZ Company, there’s a good chance the news will be seen by a competitor. You may see them in the waiting room of your client on your next visit. One caveat: If you’re hiring, it’s a good thing. Your organization will be seen as successful and growing. However, those types of updates are usually best left to the HR department.

2. Don’t badmouth current or previous employers.
It’s good to remember what mom used to say, “If you don’t have anything positive to say, then say nothing at all.” The Internet never forgets. When an employee rants about either their past employer, or worse – their current one, it can poison a customer’s view of the organization. Nothing can kill the possibility of a new sale than hearing an employee broadcast sour grapes. If this is a common occurrence, it can give the image of a badly managed company. This isn’t the message to send to either customers or future employees.

3. Stay professional. Represent the organization’s values well.
Employees are often tempted to mix their personal and work information together when using social media. Although many times, such information can be benign, you don’t want to hear about an employee’s wild night at the local strip club. There are mixed opinions among experts whether an employee should establish a personal account, separate from their work life.

Emphasize your organization’s values and mission. Ask employees to TBP (Think Before Posting). Social media can be a good experience as long as its done responsibly.

Is IE Still on the Desktop at Your Organization?

Posted on by
Reply

I know that the IE infection is hard to kick. The most common argument I hear, many sites just don’t work with anything but Internet Explorer.

Is this a true issue, or merely an excuse for inaction? I know a few organizations that have installed alternative browsers (OK, Firefox, in all cases), and blocked all external access to IE users. They then take the help desk calls, check the sites that the users say won’t work with anything but IE, make sure they meet a business need, and then one by one add them into the proxy to be allowed out with IE.

Sure, this is a lot of work on the front end. Here’s the rub, though. 30 days out, the work drops like a hot stone in the hands of a yeti. Basically, the ongoing need to add sites become so infrequent as to be non-existant and handled with a one-off approval process. In terms of risk, the few who have taken this approach claim such a huge reduction in spyware cleanup, infections and basic break/fix calls that they say the longer term savings paid for the work of the 30 day period in less than 3 months. Thats a 90 day, 100% ROI for a 120 day project!!!! In business terms, this is a NO BRAINER.

Given the oddity of Aurora, the history of IE vulnerabilities and the ease at which new users of Firefox, Opera, Chrome, Safari, et all become proficient, the deck begins to stack in favor of replacing IE for Internet-bound traffic in all but a limited set of cases. Sure, use IE for that odd website, for those internal legacy apps where code-rewrite is not feasible. Heck, in this case, maybe even allow IE 6 to live on for internal use only (pray for no internal malware or xss attacks). We all know the real attack surface for IE is overwhelmingly the Internet.

Maybe this approach will work for you. Consider it. It works even better when combined with proper egress filtering, enclaving and role-based access controls.

Let me know what you think!

Creative Uses of Video for Quick and Easy Awareness

Posted on by
Reply

Are you looking for an effective mechanism to help your staff stay alert against laptop theft during the holidays and such? Here is a quick suggestion.

Take an iPhone, iPod or other video and shoot a quick 30 second piece about a laptop getting stolen. Have your own team star in it. Keep it quick, light and humorous. Maybe show your CEO in a panic when she realizes her laptop is missing, or a shot of your IT manager in a hoodie grabbing a laptop from the lunchroom and running. Make it over the top and funny, then close with a serious message about how quickly laptops can be stolen, how you should never leave them in a car or such without locking them in the trunk and other stuff you want the users to know.

Close with how they should tell you if they have lost a laptop and who they should call.

That’s it. Keep it home video looking, don’t worry about production quality or any of that. Quick and dirty videos are the way of the new web, so think more YouTube than MGM.

Now, send your video out, or a link to it, and let your employees make suggestions for future episodes. Everyone who submits a suggestion gets entered into a drawing for movie tickets. Easy, affordable and effective.

Who knows, you may not get an Oscar, but you might just save yourself from a data breach. Either way, it will be fun and educational.

Enjoy and don’t hesitate to call us if you need help with the video, ideas or need more information about laptop encryption or other security measures. We are here to help and can get you through most laptop security issues with ease!

Some Laptop Theft Info

Posted on by
Reply

As a part of security awareness month, I have mentioned that we really need to focus any preventative mention awareness on laptop theft. As a part of that, I have been working on some interesting research around this threat. There is a ton of information out there on laptop theft. This wikipedia article has a lot of good information. It is a great place to start if you want to build some quick materials. I love the cost estimate of $89,000 on average per lost laptop. This aggregates the work it takes to recover from the loss, the hardware cost, the aggregate average of fines and regulatory losses, etc. That number is a real eye opener for many people who tend to only think about the hardware replacement costs, which is especially true for end users. Also, in my experience, we have timed some of our security engineer ninjas on how long it takes to break a car window, snatch a laptop and bolt. One of our quickest ninjas takes under 12 seconds to get 100′ from the vehicle. Even rounded up to an even 20 seconds, that is not very likely to matter. Timing how long it takes people to go into a convenience store to pay for gas or grab a soda is almost always in the 3-5 minute range. That’s a lot of time for 20 second intervals to occur.

Just something for you to give end users to think about…

Three Ideas to Encourage Employee Net-Cops

Posted on by
Reply

Here are three quick ideas about how to encourage your employees to be better “net cops”:

1. Make sure they know who to report suspicious behaviors to and never, ever punish anyone for doing so. Make sure you give them a place to drop anonymous notes too, if that is appropriate for your program. Teach them how to report suspicious emails, calls and information requests. Create an ongoing program reminding them about how to do so.

2. Incent them to report suspicious behaviors. Create an email forward box for spam, phishing and other types of suspicious email. Enter the first people to report each sample into a monthly or quarterly drawing for movie tickets or some small prize. Not only will you get people interested and get more insight into your security posture, you just might learn more quickly when a spam or trojan attack is under way.

3. Hold a security day where you have games and such that back up these ideas. Focus on teaching your people how to recognize social engineering and such and how to report it. Use the opportunity to remind them about the other ideas above. Have some swag made for them that talks about how each of them is a “security agent” or “on the front lines” “investigating threats against your customer’s data” or the like. Get marketing and HR involved to create something memorable.

What ideas do you think might get people focused on noticing when bad things are happening? How does your organization encourage your staff to be better detectives?

Why I Think Your Awarness Program is Broken…

Posted on by
Reply

Security awareness. I know, I know… This is one of the worst parts of being an infosec person. We all seem to have problems with it. Not so much because the content creation is hard, but because effective content creation is nearly impossible.

For almost 20 years, we in the infosec business have been harping at you about awareness. The story often goes something along the lines of “If only we could teach the users to be more careful and attentive, then we protect them better.” The truth of the matter is though, that the average user either doesn’t care about information security (until it’s too late) or they simply don’t have enough technology skills to protect themselves in a meaningful way. But, and I promise you THIS – the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don’t know…..

I think we are going about this in the wrong way. In fact, I believe that the only prevention focused message you should be sending to your staff on a repeated basis is about laptop theft. I think if you focus all of your prevention awareness on laptop theft, you might accomplish a little bit more, since laptop theft is a pretty personal crime. So, if you must print up some posters – make it about not leaving your laptop in the back of your car, or skip the posters all together!

What do I propose instead? What then will we do with all of that awareness budget???

I propose this. I suggest that you skip prevention awareness and instead focus your staff on being better “net cops”. Yep, you heard me, NET COPS. Why the heck would you do that, you might be saying? Well, the main reason is, according to recent data that profiled data compromises, your team members (as in humans) are twice as likely to notice strange attacker behaviors, security issues and other anomalies versus automated systems like IDS and log monitoring. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and face it, most infosec people love it too. There is a reason why there are so many crime shows on TV. Since people love the idea of being a net cop, let’s focus on teaching them, giving them incentives and helping them help us protect our data more effectively.

This month, as you may know, is security awareness month. As such, throughout the month, we, like other blogs and security companies will be talking a lot about awareness. BUT, on this blog and at MSI, we are going to talk more about teaching your users to be detectives. We think new focus on from “what not to do” to “help us patrol the network” just might work! We’ll never know, unless we try!

Give it some thought and as the month goes on, don’t be shy. Let us know what you think about the idea. Thanks for reading!

Pandemic Planning Update: Consider 10 Day Minimums for Sick Time

Posted on by
Reply

Having just read this article, and participated in several discussions around Pandemic Planning, I am of the belief that folks might want to consider mandatory 10 day sick times/work from home times for H1N1 infected employees.

Research shows that infected folks may be contagious for up to 10 days from the onset of their symptoms, even after they “feel better”. The problem with this is that as they “feel better” they may return to work or school, thus exposing others to the virus, albeit, inadvertently. Many people simply think that if they “feel better”, then they must be over the infection and not contagious anymore.

So, as you consider your pandemic plans, please think about the idea of a 10 day work from home program or the like for folks that are symptomatic. Explanation and education of folks carrying the virus can only help, so take the time to explain this cycle to your team.

Thanks for reading and please let us know if you have any questions about pandemic planning or remote working issues. My team and I have been doing quite a bit of consulting lately reviewing pandemic plans and helping organizations make sure that they are prepared and that their remote access systems are robust enough to handle the load and secure enough to be trusted. If we can be of any help to your organization along these lines, please do not hesitate to call or drop us a line!