Simply banning stuff (such as using social media at work) through management edict or policy can be counterproductive for security if employees react by circumventing the ban. I argue that effective security awareness using motivation and persuasion is a far more effective technique. Read more →
55 posts categorized "Insider Risk"
29 November 2011
Applying Newton's third law to information security
Posted by Gary Hinson on 29 November 2011 at 05:01 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | Permalink
|
Comments (1)
21 September 2011
The APT Attack Surface
According to the FAS Project on Government Secrecy, using data tabulated in the report, 4,266,091 people held security clearances in the US for access to classified information. Read more →
Posted by David Harley on 21 September 2011 at 08:49 AM in Cybersecurity Training, Insider Risk, Malware | Permalink
|
Comments (0)
24 January 2011
Pragmatic ethics
Is it ethically acceptable for workers to pinch the odd pencil or Post-It note from work, or is this just the thin end of the wedge that leads to fraud, theft, corruption, Enron and Global Economic Meltdown? It's a tricky issue when you factor in the difficulties of writing and enforcing corporate policies on ethics, the effects these have on the workforce, and the prospect of tacitly or even formally endorsing unethical and perhaps illegal behaviours through weak policies and lax attitudes towards compliance. It's also a cultural issue, which makes it fuzzy and complex both to characterise and even... Read more →
Posted by Gary Hinson on 24 January 2011 at 05:20 PM in Ethics, Insider Risk, Legal, Risk | Permalink
|
Comments (2)
23 June 2010
New SSL Inspection Solutions: Are they helping us or not?
I saw some presentations and papers about a new technology that is able to decrypts SSL traffic and sends it to existing security and network appliances on high speed networks. This technology enables existing IPS solutions to identify risks normally hidden by SSL such as regulatory compliance violations, viruses, malware, data loss, intrusion attempts, etc. This is a very good approach to detect/block those attacks (there are reports showing a increase on attacks using SSL traffic) but I see some risks related. If someone uses this technology to decrypt the traffic and get the info? What are the mitigation actions... Read more →
Posted by Alexandre Cezar on 23 June 2010 at 05:07 PM in Insider Risk, IT Security, Network Security | Permalink
|
Comments (1)
02 February 2010
Know thyself
Psychological profile of what makes a good defender in the infosec world. Read more →
Posted by Rob Slade on 02 February 2010 at 06:07 PM in Cybersecurity Training, Insider Risk | Permalink
|
Comments (0)
08 December 2009
The Risks of Bad Communication
I have been thinking about whether there are are any risks unique to remote facilities when it comes to a company's IT security design. This could be locations in different cities, near-shoring, off-shoring, etc. From the article Bad Communication Can Create Risk, the author lists four risks mitigated by effective communication: Increased employee resignations Decreased employee productivity Overt employee subversion Inability to achieve company goals From an IT security perspective, I will add: Back doors Data leakage Malicious behavior (unintentional or otherwise) The knowledge of being observed is itself a deterrent to bad behavior. There is the Observer (or Hawthorne)... Read more →
Posted by Don Franke on 08 December 2009 at 01:11 PM in Insider Risk, Network Security, Operations Security | Permalink
|
Comments (1)
|
TrackBack (0)
16 November 2009
Pig hackers
Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...) Read more →
Posted by Rob Slade on 16 November 2009 at 09:45 PM in Cybersecurity Training, Insider Risk, IT Security, Operations Security | Permalink
|
Comments (1)
|
TrackBack (0)
25 September 2009
DoD IA Policy Chart
For your information, the Defense-wide Information Assurance Program (DIAP) has just released the IA Policy Chart via the IATAC web site at http://iac.dtic.mil/iatac/ia_policychart.html. The chart, plus background notes can be found at that site. In addition, the IA Policy Chart will be included as a centerfold in the January 2010 edition of the IATAC’s IAnewsletter. The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme. The use of color, hatching, fonts and hyperlinks are all designed to provide... Read more →
Posted by John Dittmer on 25 September 2009 at 12:49 AM in Cybersecurity Certifications, Cybersecurity Training, Insider Risk, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
10 August 2009
Add "human factors"? No.
OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security? And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses... Read more →
Posted by Rob Slade on 10 August 2009 at 10:04 PM in Cybersecurity Certifications, Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy, Risk | Permalink
|
Comments (2)
|
TrackBack (0)
18 July 2009
Moral code experiments
A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it. Read more →
Posted by Rob Slade on 18 July 2009 at 05:43 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
11 July 2009
Are policies mandatory and guidelines optional?
Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions... Read more →
Posted by Gary Hinson on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal | Permalink
|
Comments (1)
|
TrackBack (0)
25 June 2009
Passwords are dead - long live passwords
Over on CISSPforum, a zombie topic about passwords has risen from the dead yet again. This time, someone suggested making it a "condition of employment" that "If you cannot remember a username and password, find employment elsewhere." Well yeah but no but. A username and A password, even a reasonably strong one, would be just fine for most people. Unfortunately, we need loads. As information security pros, isn't it part of our rôles and responsibilities to make information security as low-impact as possible on the organization (including its 'most valuable assets', the people) without unduly compromising the level of security?... Read more →
Posted by Gary Hinson on 25 June 2009 at 07:36 PM in Cybersecurity Training, Insider Risk | Permalink
|
TrackBack (0)
23 June 2009
A Hidden Danger in Cloud Computing
Back in the days when I was happily spending time on the operations floor in computing centers, we always observed that the greatest security threats to our systems were well-intended operators who make simple mistakes. No hacker or criminal ever brought down a network like the bored network guy on the late shift who decided to upload a new version of the Cisco IOS on all the routers of a global ISP without testing first. A bug in the IOS release caused every router go down, one-by-one. I remember being called into work to fix the problem (had to send... Read more →
Posted by Tim Bass on 23 June 2009 at 03:00 PM in Cloud Security, Insider Risk, IT Security, Operations Security | Permalink
|
Comments (0)
18 June 2009
The folly of annual "awareness training"
Hord Tipton is quoted in a rather curt piece on GovInfoSecurity referring to the "Need to provide federal employees awareness training more often than once a year because of the ever-changing challenges IT security presents". Right-on Hord! I realise I'm quoting a small extract from a short piece about a press interview, but still there's much more to it than Hord's statement implies. I hope you'll forgive me a short but passionate rant ... 1. It's not just federal employees who need more than once-a-year training. The same applies to everyone, including employees (staff, managers, IT professionals, temps, contractors, consultants,... Read more →
Posted by Gary Hinson on 18 June 2009 at 06:05 AM in Cybersecurity Training, Insider Risk, IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
09 June 2009
US Cybercrime site
US Department of Justice Computer Crime and Intellectual Property site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution. Read more →
Posted by Rob Slade on 09 June 2009 at 04:57 PM in Cybersecurity Training, Digital Forensics, Insider Risk, Legal | Permalink
|
Comments (0)
|
TrackBack (0)
03 May 2009
The Missing Vials
Last month, it was reported that "three small vials of Venezuelan equine encephalitis virus were determined to have been unaccounted for last year." While it has been concluded that this was not the result of misconduct, it does raise questions about the risk of mishandling sensitive materials. An act of theft was not detected; the absence of things inferred theft. So this demonstrates an administrative type of risk, where alarms are sounded and must be responded to due to proper inventory controls not being used, or used improperly. An article in Wired magazine sums it up nicely: "Biological material can... Read more →
Posted by Don Franke on 03 May 2009 at 10:48 PM in Insider Risk, Operations Security | Permalink
|
Comments (0)
|
TrackBack (0)
01 March 2009
You Oughta Know Better!
In a report today from MSNBC titled, Report: Obama helicopter security breached, the blueprints and other information relating to Marine One, the Presidential helicopter, were found linked to an Iranian IP address. The report states that a defense contractor downloaded a peer-to-peer (P2P) application the "SAME SYSTEM" that contained the information regarding Marine One. We all make mistakes, but this one is a big one. We all oughta know that you treat systems with sensitive information as systems with sensitive information. This means that you do not install P2P applications from the Internet on a classified system or you do... Read more →
Posted by Lester Nichols on 01 March 2009 at 11:47 PM in Ethics, Insider Risk, IT Security, Malware, Network Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
27 February 2009
Revising Enterprise Telework and Remote Access
NIST (National Institute of Standards and Technology) recently updated their guidance for Enterprise Telework and Remote Access Security, DRAFT NIST SP800-46 Rev.1. As many are aware, security professionals are constantly considering the security ramifications of employees accessing the corporate network from home and other insecure locations. This includes the use of home systems to connect to the network, corporate laptops from remote locations and the potential of infected mass storage device. This special publication is and update from the previous special publication - SP800-46, Security for Telecommuting and Broadband Communications intended to help organizations understand and mitigate the risks of... Read more →
Posted by Lester Nichols on 27 February 2009 at 07:24 PM in Ethics, Insider Risk, IT Security, Malware, Network Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
02 February 2009
Google's Self-Inflicted Denial-of-Service Attack
Over the years most of us who have "been around the block" in IT operations have always said, based on experience, that one of the biggest looming threats to IT operations is always a well intended employee who makes an honest mistake. I can recall discussing this topic almost daily with my honorable USAF colleagues, including Col. (R) Glenn Watt, Col. (R) David Gruber, and Maj. Gen. (R) Bill Donahue, all experts in IT operations and IT operational risk. Even before those memorable days consulting for the USAF, I can recall one of my first UNIX projects with General Electric... Read more →
Posted by Tim Bass on 02 February 2009 at 04:51 AM in Insider Risk, Malware, Network Security, Operations Security, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
21 January 2009
Using SIEM tools for Fraud Detection
Some time ago I was assigned for a project in a Telecom in South America to design, build and deploy a SOC Infrastructure. The customer objective was to monitor the network against attacks (vulnerable devices, brute force attacks, etc) and correlate events in order to identify hidden treats (DDOS, scanning, worms) and to identify business and operational frauds. I meet the audit team and then I got able to understand where their main frauds happen, some examples were: ADSL and Dial users sharing username/password; ADSL Subscribers connecting with higher speeds than they had hired; Operators accessing the system outside of... Read more →
Posted by Alexandre Cezar on 21 January 2009 at 10:38 AM in Insider Risk, IT Security | Permalink
|
Comments (1)
|
TrackBack (0)
Search
Categories
- (ISC)² Chapters (22)
- (ISC)² Events (152)
- Center for Cyber Safety and Education (52)
- Cloud Security (128)
- Cybersecurity Certifications (373)
- Cybersecurity Training (305)
- Cybersecurity Workforce (232)
- Digital Forensics (28)
- Ethics (51)
- Government (112)
- Insider Risk (55)
- IT Security (362)
- Legal (43)
- Malware (107)
- Network Security (166)
- Operations Security (133)
- Privacy (108)
- Ransomware (75)
- Risk (188)
- Software Development (44)
- Spotlight (70)