Working in IT, one of my biggest challenges has been to convince end-users that it is worthwhile to forego a convenience in the name of security. Regardless of whether it’s requiring the use of multi-factor authentication or forcing a computer to auto-lock after a certain amount of idle time, it often boils down to the end-user facing some sort of hinderance to their productivity. I completely understand their frustrations. I’ve managed Active Directory networks that served around 15,000 people and still managed to lock out my account. Was I annoyed? Absolutely, but I understood the need for the control. If you take the time to explain security to the end-user, they’ll be more likely to understand your decisions.

Here are some tips I’ve found to be helpful when convincing an end-user to implement a security control:

1. Remind – Remind them that you’re not making this change just for fun. It’s being completed to reduce the likelihood that your organization’s systems will be compromised by an attacker.
2. Example – Give an example of a high-profile breach that could have been prevented by implementing this control. It’s likely that they’ve had their personal information exposed as a result of a breach within the last few years. Even if they (somehow) haven’t personally been affected by a data breach, they have a friend or family member who has. Using an example of something that has affected them personally will go a long way to helping them understand why it is worthwhile to implement a security control that could have an adverse affect on their productivity.
3. Analogy – Still having trouble rationalizing why you’re implementing a new security system? Try to use an analogy to describe how the new control will help prevent an issue. For example, if they are upset that they can’t reuse a password across multiple systems, remind them that the key to their Ford vehicle won’t work on ALL Ford vehicles.
4. Describe –  Take some time to describe why you’re implementing the new security control. It’s important to make the effort to explain the task in terms that the end-user will understand. Don’t use the complexity of the topic as an excuse. If you can’t explain the issue to a non-technical employee, chances are, you don’t understand it yourself.

A distributed denial of service attack is a malicious attempt to make machines, applications or other network services unavailable to legitimate users. There are many types of DDoS attacks including SYN and UDP floods, reflected attacks, application attacks and multi-vector attacks that employ several types of attacks in combination. In the past, it was typical for businesses to accept the risk of DDoS attacks since they were relatively rare and small scale. But that has all changed in recent years; both the number and scale of DDoS attacks have increased dramatically. Because of this trend many savvy businesses have changed their philosophies and taken steps to mitigate DDoS attacks. Unfortunately, this trend is far from universal. Many businesses remain complacent and have done little or nothing to prepare for DDoS attacks. Is your business one of these and if so, what should you do about it?

The first step I recommend taking is to perform a basic risk and impact study on the subject: how likely is it that my business will be attacked, and if it is, how badly will it hurt us? If the answer to either of these questions is unacceptable, then you should certainly move on to step two and start the process of incorporating DDoS into the incident response plan. In a nutshell – develop the policy language, include likely DDoS attack indicators and attack scenarios in the plan, develop specific strategies to counter these attacks, assign responsibilities to specific individuals and practice the plan. Sounds easy, but how do we go about doing that you may ask. Here are some basic tips:

• Contact your ISP. Get their advice, find out about their experience and capabilities with DDoS attacks, find out about any anti-DDoS tools they might have available and their cost, etc. If you don’t do anything else, at least take this step. You probably won’t be able to do much at all to counter a DDoS attack without your ISP’s help.

• Ensure that your team is fully aware of all the capabilities your present equipment and infrastructure has for handling DDoS attacks.

• Ensure that your IR and IT teams are aware that DDoS attacks are sometimes persistent and can last for days, weeks or more. Make plans for keeping your reactions strong and timely.

• Employ centralized logging and ensure that proper monitoring procedures are in place and reviewed.

• Make sure you maintain a whitelist of source IPs and protocols, major customers, critical service providers and partners that must be allowed access during attacks.

• If you are at high risk and impact levels for DDoS attacks, consider improving your infrastructure and/or employing specialized DDoS services or products. Cloud based servers, for example, have great capabilities for fighting DDoS.

• Ensure that applications, networks and operating systems that may be targeted in DDoS attacks are fully hardened.

Here’s hoping that no one out there targets your business with a major DDoS campaign. But if you think the possibility is high, better take a tip from the Boy Scouts and be prepared!

The news just came out that the OPM data breach was even more serious than was first announced. The toll has risen from 4.2 million to the present total of 22.1 million people – nearly seven percent of the US population. They are now saying that nearly 2 million of these aren’t even people who have applied for security clearances themselves, but are spouses and other people close to applicants. What a wealth of information for cyber-criminals!

One of the things that make this such a bad hack is the kinds of information that may have been revealed. Background checks, depending on the level of clearance that is being applied for, can delve into an individual’s past quite extensively. Information such as all your past addresses, who you associated with, who your teachers were, the periodicals you read, your medical history, your arrest records, the organizations you associate with, etc., etc. Just the sort of juicy information that Spear Phishers dream of! But worse than that, this is the sort of information that can be used to blackmail people.

Blackmailing is probably the most dastardly type of social engineering there is. Here you are; nice family, good job, couple of kids, respected in the community – life is sweet! Then all of a sudden, someone contacts you and threatens to release some scurrilous information to the public if you don’t do as they say. Maybe you were arrested for something embarrassing such as being caught as a Peeping Tom. Maybe it lists a past relationship that you were not candid about with your spouse. Maybe it’s an embarrassing medical condition such a venereal disease. Or maybe it’s some really bad dirt concerning your spouse or another family member. Whatever it may be, suddenly you are faced with the choice of cooperating with criminals and breaking the law or abject ignominy – what would you do?

It’s amazing how many people will actually cooperate with their blackmailers and do their bidding. Even if it means jail time! Either alternative seems so bad to the blackmailed that they just can’t face either. So they go along in the desperate hope that nobody will find out and the whole mess will just go away. Good luck!

The way to deal with this problem, in my opinion, is to give them a third choice. Agencies and organizations should set up programs that offer forgiveness and help for these individuals if they come forward. Make sure that your personnel are aware of the possibility of blackmail, explain the forgiveness program to them, and make them understand that no matter what, they are better off reporting the incident than submitting to intimidation.

If you want to be in direct command of a U.S. aircraft carrier you must be a pilot or navigator. There is a very good reason for this. Despite the fact that there are thousands of personnel on these ships, many with very responsible jobs indeed, what really counts are the aircraft and the pilots that man them – and the Navy knows it. They also know that if they want the mission to be carried out successfully they need an individual in charge with all the right knowledge and perspective to support these most valuable assets. Not a captain that made his rank by being a wiz at logistics!
Some of this same wisdom should be applied to leaders of government agencies and businesses that store and process private information. Do we really want people running our organizations who are not well versed in computers and information security? After all, these machines are not only vital components of our business practices; they hold the keys to the kingdom as well!
Take the recent Office of Personnel Management (OPM) debacle as an example. This agency had been warned repeatedly about the lack of security in their systems, but little or nothing was done about it. Result: four million personnel files compromised. That’s one out of every 80 people in the country! And the reason for this failure seems to be simple ignorance and inexperience on the part of staff.
One lesson that has become brutally apparent from my risk assessment experience is that if upper-level management isn’t behind the effort, the risk assessment is doomed to fail. I’m sure this is true of general information security programs as well; if upper-level management isn’t knowledgeable and interested then the information security program is doomed to fail – and the bigger and more entrenched the bureaucracy the more this is true.
Now, I’m not saying that I think all CEOs should be recruited from the ranks of IT security. What do most of us know about running a big organization? What I am saying is that I think a certain level of expertise in matters computer and security should be a requirement of any job that oversees the processing and storage of our private information. Especially since computer systems are going to become increasingly vital parts of our everyday lives as time goes on.