Cyber Security Group

Time to take the gloves off!!!

Created: 08 Apr 2013 • 3 comments
Joseph.Rogalski

Recently, there has been a string of high-profile compromises attacking cloud-based services (a cloud-based note-taking site, a fast food company's Twitter account) as well as corporations and individuals. A well-known technology writer had his digital life taken over, abused and somewhat deleted; add to this the hacking of a cloud company CEO's personal and business accounts. This led me to think: how can we as a security community do a better job? When I was a CISO, a good portion of the end-user awareness training was focused on life outside the office; my theory was that being safe at home leads to being safe in the office. Thinking about this now leads me to ask myself a question: does our end-user education go far enough, or reach deeply enough into our users' digital lives? I think the answer to that question is an overwhelming NO, and it's time to take the gloves off!
 
We live in a time where work and personal lives are intermingled; to attract the best talent we must allow access to social networks from corporate devices and access to corporate information from personal devices, allowing users the freedom to work as they see necessary. I am not only speaking about the millennials we all hear about who work differently, but also about management and executive management who now have their own online personas. They are being encouraged to develop these personas, where they are now part of the company brand, with very little oversight.
 
When discussing end-user awareness training with companies, I always encourage them to take the next step and test their employees using email phishing campaigns as well as other social engineering techniques. Web-based training and lectures don't work well enough. Companies need to send targeted phishing attacks to their employees that provide immediate feedback.
 
When testing users we shouldn't stop at just their corporate accounts; we must phish their personal accounts too, including Facebook, Twitter, Gmail, etc. The attackers have crossed that line; we as responsible corporate citizens must as well. This is a two-way street: if users want access to these services utilizing corporate or shared resources, they must consent. Don't be the next hamburger chain to lose control of their Twitter account.

Comments (3)

hforman

Joseph, I understand where you are coming from, but many companies and agencies will disagree with you.  Where I work (government) we don't allow intermingling of our personal and employee lives.  We don't allow employees to access any social networking sites.  Why not?  Because, while you might entice the best 'talent' as you say by offering these things, in the fiscal times we live in most companies cannot afford to have their employees take a good part of their day chatting with friends or looking at cat videos.  We have to look very carefully at security because we are a government agency.  Think of all of the government agencies and government contractors that are responsible to the governments and the people behind them.  If employees are not being productive, we get written up in national newspapers or investigative journalism.  We have hundreds of thousands of employees.  Many of them have menial jobs that don't require Internet access.  We also have jobs not requiring access to a computer.  Your experience may vary.  The only reason that I'm in your blog entry right now is that this is part of my job as a security professional in law enforcement.

Companies/agencies are concerned with two things:  employee productivity/misuse of time and data security.  Companies that have an online presence usually have specific employees that work in web pages and social engineering.  They have the access to do their jobs.  In data security, we are entrusted by the public to make sure that information they give us to provide services stays under strict controls to avoid any leakage.  And, yet, people are people and things happen.  When it does, we have to notify every person that might have had their information exposed and provide credit monitoring.  On top of that, we have to pay huge fines to the U.S. government (HIPAA, CJIS, PCI-DSS).  We cannot allow people to put data on a laptop and carry it out of the building any more than put data on a jump drive, CD or even a floppy disk.  The data does NOT belong to the employee nor the company/agency.  It belongs to the person who is the data owner.  Would you feel safe if you knew that, somewhere, there is some person walking around with your information including social security number, driver's license number, credit card information down to the expiration date and security codes?  I don't think you would, and yet there is a whole generation of people that think this is not only OK, but if they lose or have that data stolen, their attitude is "so what?!".

If you tell an employee they can work from home only if they do not put data on their personal system, or even a company-supplied system in case it should be lost in a break-in, are they going to do what is right or are they going to do what is convenient?  We are talking about a situation where a missing laptop prompts a visit from both the FBI and various parts of the Department of Homeland Security.  And yet some companies are more interested in entertaining their employees rather than burdening them with security measures.

It is a matter of protecting your customers and/or clientele and the image of what your company is all about.

Robert Shaker

Great reply Mr. Forman but we find that many customers aren't as concerned about data security and in some cultures with productivity/Internet misuse as you'd think. Look at the news over the last few years and you'll see both public and private sectors having data breaches because regardless of the legal, compliance or internal rules, people need to access data to work with it and if we impede them we slow down the work and no one is happy.
Either way, you and Joe are right, and making users aware of security and their role never gets old and is always useful. Putting a program in place that provides a near-constant reminder of being secure will provide better results than a once-a-year online test. Until we can guarantee the controls, users will always be the weakest link and it's our job to make sure they are educated to make good decisions to protect us all.
Thanks again for the reply!

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

hforman

This may sound strange, but I think we need to impede a lot of work that people are doing.  One government fine relating to governance should be enough to convince any employer to put an end to mobile employee access where the data just "walks out the door".  I know that, if I found my SSN and name/address or credit card information out on the internet through a Google search, I wouldn't call Google first; I'd call my lawyer.  What will happen when lawyers keep their data out on the Internet and the case they are working on involves a celebrity?  What if crime scene photos start popping up all over the web because some bored employee at a public cloud provider discovered them?

If technologies provide ease of use and convenience but put privacy at legal risk (meaning, lawsuits and fines) what good will that do?  Who pays for that?  The consumer, ultimately? What are people going to do when their photograph appears in an advertisement on the web when they were walking past a store and someone happens to be wearing Google Glass?

I know that some companies have received huge fines over privacy issues but many of these have been able to afford those fines as the cost of doing business.  This is really serious stuff and no ease-of-use application is ever going to surmount privacy and the lawsuits and fines that follow.  Just IMHO.
