Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/17/2013
10:52 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

With Shared Power Comes Shared Responsibility

Security does not rest entirely on your users' shoulders, so don't make them feel like it does

It's National Cyber Security Awareness Month, and the official theme for the month is "Our Shared Responsibility." A bit trite, perhaps, but it's a message that is all too often lacking when security professionals communicate with users in their organizations. If you've ever felt that IT or the security group is public enemy No. 1 in your workplace, it may be time to rework your trainings, presentations, and email messages to integrate the shared responsibility message.

Suppose, for example, that you're delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?

Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she's supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!

Here's a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walk=through of a real or simulated malware attack. During or after the walk=through, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we've installed Web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).

What is the user's experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting -- a real-world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the Web filtering system less annoying now that she has seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.

We humans are social animals. It's no wonder that we respond better to "we're all in this together" than "do it because I said so." National Cyber Security Awareness Month ends on Halloween, but "Our Shared Responsibility" should remain a permanent theme in your infosec communication and training strategy.

I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a nontechnical audience. The presentation walks through a real attack, shows how selected security tools (not brand-specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you're doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:48:12 AM
re: With Shared Power Comes Shared Responsibility
My Uncle Brandon got a
stunning Toyota Tacoma only from working part-time

off a macbook air... go to this web-site w-w-w.P-o-w-6.c-o-m
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:47:43 AM
re: With Shared Power Comes Shared Responsibility
my Aunty Morgan got a
nearly new red Mercedes-Benz SLS AMG GT Coupe

by work using a laptop. Read Full Report w-w-w.P-o-w-6.c-o-m
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/22/2013 | 5:02:03 PM
re: With Shared Power Comes Shared Responsibility
I've also heard that making security training personal -- showing users how their personal information could be threatened by malware -- helps bring home the message.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.