Perimeter
Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/17/2013
10:52 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
Connect Directly
RSS
E-Mail
50%
50%

With Shared Power Comes Shared Responsibility

Security does not rest entirely on your users' shoulders, so don't make them feel like it does

It's National Cyber Security Awareness Month, and the official theme for the month is "Our Shared Responsibility." A bit trite, perhaps, but it's a message that is all too often lacking when security professionals communicate with users in their organizations. If you've ever felt that IT or the security group is public enemy No. 1 in your workplace, it may be time to rework your trainings, presentations, and email messages to integrate the shared responsibility message.

Suppose, for example, that you're delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?

Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she's supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!

Here's a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walk=through of a real or simulated malware attack. During or after the walk=through, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we've installed Web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).

What is the user's experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting -- a real-world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the Web filtering system less annoying now that she has seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.

We humans are social animals. It's no wonder that we respond better to "we're all in this together" than "do it because I said so." National Cyber Security Awareness Month ends on Halloween, but "Our Shared Responsibility" should remain a permanent theme in your infosec communication and training strategy.

I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a nontechnical audience. The presentation walks through a real attack, shows how selected security tools (not brand-specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you're doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:48:12 AM
re: With Shared Power Comes Shared Responsibility
My Uncle Brandon got a
stunning Toyota Tacoma only from working part-time

off a macbook air... go to this web-site w-w-w.P-o-w-6.c-o-m
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:47:43 AM
re: With Shared Power Comes Shared Responsibility
my Aunty Morgan got a
nearly new red Mercedes-Benz SLS AMG GT Coupe

by work using a laptop. Read Full Report w-w-w.P-o-w-6.c-o-m
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/22/2013 | 5:02:03 PM
re: With Shared Power Comes Shared Responsibility
I've also heard that making security training personal -- showing users how their personal information could be threatened by malware -- helps bring home the message.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.