Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/17/2013
10:52 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

With Shared Power Comes Shared Responsibility

Security does not rest entirely on your users' shoulders, so don't make them feel like it does

It's National Cyber Security Awareness Month, and the official theme for the month is "Our Shared Responsibility." A bit trite, perhaps, but it's a message that is all too often lacking when security professionals communicate with users in their organizations. If you've ever felt that IT or the security group is public enemy No. 1 in your workplace, it may be time to rework your trainings, presentations, and email messages to integrate the shared responsibility message.

Suppose, for example, that you're delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?

Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she's supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!

Here's a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walk=through of a real or simulated malware attack. During or after the walk=through, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we've installed Web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).

What is the user's experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting -- a real-world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the Web filtering system less annoying now that she has seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.

We humans are social animals. It's no wonder that we respond better to "we're all in this together" than "do it because I said so." National Cyber Security Awareness Month ends on Halloween, but "Our Shared Responsibility" should remain a permanent theme in your infosec communication and training strategy.

I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a nontechnical audience. The presentation walks through a real attack, shows how selected security tools (not brand-specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you're doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Larry Hoezee
50%
50%
Larry Hoezee,
User Rank: Apprentice
10/9/2014 | 3:14:59 PM
Pending Review
This comment is waiting for review by our moderators.
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:48:12 AM
re: With Shared Power Comes Shared Responsibility
My Uncle Brandon got a
stunning Toyota Tacoma only from working part-time

off a macbook air... go to this web-site w-¡w-¡w.P-¡o-¡w-¡6.c-¡o-¡m
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:47:43 AM
re: With Shared Power Comes Shared Responsibility
my Aunty Morgan got a
nearly new red Mercedes-Benz SLS AMG GT Coupe

by work using a laptop. Read Full Report w-¡w-¡w.P-¡o-¡w-¡6.c-¡o-¡m
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/22/2013 | 5:02:03 PM
re: With Shared Power Comes Shared Responsibility
I've also heard that making security training personal -- showing users how their personal information could be threatened by malware -- helps bring home the message.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9209
Published: 2015-03-30
Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.