
Mar 27
One of the challenges security analysts face when enforcing security awareness is that employees often complain about the effort and implications of extra control measures imposed on them. In reality they have a valid point. The more educated your staff are, the more likely you are to be better off giving them a 'why' for what they are being asked to do rather than simply imposing it. This will, without any doubt, have an effect on their behaviour.

As Sissel Thomassen correctly states in one of his articles, "Targeted training - security aware users", information security has for too long been focusing on technical solutions and the implementation of policies. The weakest link and largest information security risk we have always had are people. Time-driven projects and day-to-day activities prevent us from keeping to information security rules.


Here are some very valid tips on how attitude and behaviour can be changed:

1. Define a good information security awareness programme, including a clear message from top management to all users requesting that they follow the corporate awareness programme.

2. Engage the users so that they feel responsible for information security throughout the organisation.

3. Get each departmental manager trained to deliver awareness training specifically tailored to his department's staff.

4. Define a set of 'Golden Rules' or 'Information Security Principles'.

5. Define several different groups of users and give them more training within the disciplines of integrity and business ethics.


That said, awareness is an essential element of the risk management cycle and requires attention at all levels. If users are not made aware of the risks associated with their information resources, they may not understand the need for, and may not support compliance with, policies designed to reduce risk.

Posted by Donald Tabone

Mar 16
Just finished watching the 7th BT Big Thinkers online panel session. Highly recommended viewing if you have an hour to spare. An intelligent discussion of the problems we are now facing as a web-enabled society - issues which are increasingly more human in nature and affect our finances and well-being. The panellists are very knowledgeable (they have to be), and the host is Bruce Schneier - do I need to say more?

Enjoy.

Posted by Sandro Gauci

Mar 16

Kevin Beaver and Caleb Sima have posted a short two-page article outlining how easy it is to fall into the trap of looking at security vulnerabilities out of context and making a big deal out of them. I personally enjoyed this text mostly because it mentions a few specific examples - like the assumption that having Microsoft FrontPage directories means that the site is vulnerable to FrontPage attacks. The article puts a lot of weight on perspective and context, which enables better vulnerability assessment by focusing on the things that matter most.

This eye-opening write-up can be found at http://www.infosecwriters.com/text_resources/pdf/Vuln_Assessment_KBeaver.pdf


Posted by Sandro Gauci

Mar 14
We noticed that our website was down over the past couple of days and at times not resolving correctly.

Our hosting service provider has not given any reason for these problems; however, SANS reports that they had a DDoS attack.
It was thought that the outage had something to do with the DST issue; however, this was not the case.

So far the problems seem to be mitigated. You can read more about the DoS attack here, as reported on March 12, 2007.

Posted by Donald Tabone

Mar 13
Every business or organisation has valuable assets and resources which need to be accounted for both physically and functionally. In this there is nothing essentially new; however, the business of information security is all about risk management. Risks, in turn, are made up of threats and vulnerabilities.

Threats - A threat is an internal or external circumstance whose impact could have negative or undesirable effects on an organisational asset. In other words, it is the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Vulnerabilities - A vulnerability is a loophole or weakness in a safeguard protecting an asset that makes a threat potentially more harmful, more costly, or more likely to occur on a frequent basis, resulting in a security breach or a violation of the system's security policy.

An asset, therefore, is any resource that has value to an organisation and must consequently be protected. Assets can be tangible, such as computers, data, software and records, or intangible, such as privacy, access, public image and ethics; both kinds may have a tangible value (purchase price) or an intangible value (competitive advantage).

Continue reading "Securing your companies assets - part I"

Posted by Donald Tabone

Mar 7
Security is not all serious - some things can actually be quite funny. Like the life-sized Trojan horse which made it through various establishments. Or Vista's UAC (User Account Control) feature, which apparently everyone and their granny seems to be turning off. Humour just helps lessen the seriousness of such things, but all of these have some real-life implications of course.

Some websites are dedicated to the amusing side of security. SecurityBullshit is one particular website which picks on things like the marketing of security products. StupidSecurity, on the other hand, fingers bad security-related decisions and the shortcomings of some solutions.

One thing is for sure - security-related humour has a tendency to be black humour.

Posted by Sandro Gauci

Mar 6
In this article, I aim to provide some generic database security principles whilst addressing some of the questions commonly associated with the subject. The basic definition of database security can be safely summarised as the process of protecting a database from external threats.

By the term threats we refer to:

1. Theft and fraud
2. Confidentiality - information should not be disclosed to unauthorised users
3. Privacy
4. Integrity - only authorised persons should be allowed to modify data
5. Availability - authorised users should not be denied access
6. Accountability - determining what a user did by means of clipping levels, enforcing non-repudiation

Continue reading "Database security"

Posted by Donald Tabone
