Cutting through the White Noise
2007-11-09 16:07:55 by Perry Carpenter in Security Renaissance
Ok — so I’ve been feeling ‘guilty’ about not blogging for some time…   How sick and egotistic is that?  But anyway, an ultra-hectic professional and home life has kept me busier than the proverbial “one legged man in a butt-kickin’ contest” for the past few months. 

Over those months, I’ve had several things that I *wanted* to blog about; but just never made the time.  One of the reasons is that, for the most part, there has been little to be truly excited about in the industry as a whole.  “Nothing new under the sun;” and all of that…  At least that’s what it seemed like to me.  But now things are starting to settle down and I’m having/making time again to get plugged back in.

So today I was reading Martin’s show notes and came across the SalesForce.com data breach story.  And, behold, I felt the urge to write again.  As I’ve been reading the news over the past few months, I have been thinking to myself that we have a problem…  Breach notifications are being reported so often now that they seem to be creating a constant “white noise” drone.  Sure, there are standouts like TJX — but really, most are just more of the same.  So much so that I fear the public will end up numb to the notifications, and indifferent to the poor practices that cause them.  Each new notification is just another drop in the ever-deepening ocean of lost records.

But the SalesForce.com story is different because of the “spear-phishing” aspect.  And it highlights multiple security problems.  Two in particular are of note.  1) Users are still susceptible to phishing.  Yeah, I realize that this was a highly-targeted “spear-phish” — but the “don’t click the link” (or at least verify the link) adage should still hold; and 2) data breaches, even those which do not contain what we would consider PII, are dangerous.  Here, the stolen data is reportedly being used to create additional phishing emails (some intended to drop malware such as keystroke loggers, etc…), bogus invoices, and so on.  In other words, the SalesForce.com breach wholly revolves around social engineering.

I think it is notable that these issues revolve around end-users and, outside of any emails intended to drop malware, cannot be addressed solely through technical means.  So, we again come back to end-user training and awareness.  It is imperative that we, as an industry, get a handle on how to better address this in our organizations.  It’s clear that what most companies are doing is just plain broken.

Here are my thoughts:

Engage employees in ways that are relevant to their life as a whole.  Address the “What’s in it for me?” question.

Explain the “WHY” behind seemingly obscure security policies or procedures.  As the SalesForce.com incident makes clear, we can’t simply expect technology or process to address all potential security issues.  Instead, we need our front line defenses to act as living firewalls: thinking on their feet and able to apply an informed mindset across multiple situations.

Let employees know that it is part of their job – just as much as any other duty that they do.  (Yeah – I realize that mentality must be driven from the top down).  Make it part of the performance evaluation, so that they are aware that they will professionally advance or stagnate based on how seriously they take their duty to protect information.

Make it fun.  Find ways to reward the folks who are doing it right.  Let that encourage others to improve.
