Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Guest Blog // Selected Security Content Provided By Sophos
What's This?
10/17/2013
10:52 AM
Maxim Weinstein
Maxim Weinstein
Security Insights
50%
50%

With Shared Power Comes Shared Responsibility

Security does not rest entirely on your users' shoulders, so don't make them feel like it does

It's National Cyber Security Awareness Month, and the official theme for the month is "Our Shared Responsibility." A bit trite, perhaps, but it's a message that is all too often lacking when security professionals communicate with users in their organizations. If you've ever felt that IT or the security group is public enemy No. 1 in your workplace, it may be time to rework your trainings, presentations, and email messages to integrate the shared responsibility message.

Suppose, for example, that you're delivering training to users on how to avoid malware. The classic curriculum goes something like this: What is malware? What are the types of malware? Where does malware come from? What should you do to prevent infection?

Now think about this training from the standpoint of the user. Most likely, she has been forced to attend a training for a topic of little interest to her. She then has to sit through a dry presentation about malware, ending with a laundry list of things she's supposed to do to make things better for the company and the IT department. She has gained nothing from the training, and additional responsibility has been placed on her shoulders. No wonder she finds security annoying!

Here's a different approach, which puts shared responsibility front and center, while offering a more compelling experience for the user at the same time. Suppose you structure the talk as a walk=through of a real or simulated malware attack. During or after the walk=through, you briefly explain the things IT is doing to prevent each stage of the attack (e.g., we've installed Web filtering to try to block drive-by downloads) and where you need users to help out by doing their part (e.g., avoiding opening of unknown files).

What is the user's experience this time? Her annoyance with having to attend the training is offset by seeing something new and interesting -- a real-world attack! Instead of feeling lectured to about what is expected of her, she is shown how her actions can help contribute to a broader set of security controls. And she may even find the occasional warning from the Web filtering system less annoying now that she has seen how it can be useful in preventing a type of attack that has been vividly implanted in her mind.

We humans are social animals. It's no wonder that we respond better to "we're all in this together" than "do it because I said so." National Cyber Security Awareness Month ends on Halloween, but "Our Shared Responsibility" should remain a permanent theme in your infosec communication and training strategy.

I recently delivered a Malware 101 webinar to members of the Center for Internet Security. The hour-long presentation, now available on YouTube, is geared toward a nontechnical audience. The presentation walks through a real attack, shows how selected security tools (not brand-specific) can help defend against malware, and explores some reasons that malware still exists despite the best efforts of the security community. Along the way, it defines common terms and explains basic concepts. Feel free to show it to your users (supplemented, of course, by what you're doing to protect them and how they can help) and/or take inspiration from it when creating your own lessons. Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Larry Hoezee
50%
50%
Larry Hoezee,
User Rank: Apprentice
10/9/2014 | 3:14:59 PM
Pending Review
This comment is waiting for review by our moderators.
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:48:12 AM
re: With Shared Power Comes Shared Responsibility
My Uncle Brandon got a
stunning Toyota Tacoma only from working part-time

off a macbook air... go to this web-site w-w-w.P-o-w-6.c-o-m
step933
50%
50%
step933,
User Rank: Apprentice
10/26/2013 | 12:47:43 AM
re: With Shared Power Comes Shared Responsibility
my Aunty Morgan got a
nearly new red Mercedes-Benz SLS AMG GT Coupe

by work using a laptop. Read Full Report w-w-w.P-o-w-6.c-o-m
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
10/22/2013 | 5:02:03 PM
re: With Shared Power Comes Shared Responsibility
I've also heard that making security training personal -- showing users how their personal information could be threatened by malware -- helps bring home the message.
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...