Sunday, January 26, 2014

Phishing and Training




The article titled “Technology can’t stop phishing perhaps common sense can”, available at http://www.techrepublic.com/blog/it-security/technology-cant-stop-phishing-perhaps-common-sense-can/, touches on some of the topics we covered this past week in my CIS 608 course.  The article argues that no matter how much security technology is put in place to block phishing, the control that actually stops a phishing breach is a trained user.  One of the topics we covered this week was establishing performance targets.  Given the nature of phishing, the real performance target is to ensure that all of a company’s users are trained to recognize a phishing email and know what to do when they receive one.

Training is the control that actually stops phishing; filters reduce the volume, but some messages always get through to a person.  As the article states, when an email arrives with video links or other attachments the user must take a step back and think about what the email contains.  It is always safer to go and get the data yourself than to use the links or attachments contained in the email itself.  This was highlighted once again after the Target breach: once people realized the magnitude of the incident, criminals started sending their own emails posing as notices about the Target breach, phishing the breach victims a second time.  The message the training should deliver is that no technical control equals the protection a person provides by stopping to think for a second.  The user should not click anything in the email; instead they should go to the vendor directly, by typing the known web address into the browser or calling a published phone number, and get the information they require that way.  Training should be continually updated with current examples and effective prevention techniques.  Even with proper training, phishing emails will still occasionally succeed, but the occurrences can be minimized.
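The check the training above asks users to do by hand, namely whether a link actually goes where its text says it goes, can also be done mechanically before a message reaches the user. The Python script below is an added example and is not code from the original post or the TechRepublic article. It parses a constructed sample message (the domains in it are placeholders, not real infrastructure), flags links whose visible text names one domain while the href points to another, and lists attachments. The registered-domain logic keeps only the last two labels of a host name, which is a simplification that does not consult the public suffix list.

```python
"""Mechanical version of the 'does this link go where it says?' check.
Added example, not code from the original post or the TechRepublic article.
SAMPLE_EML is constructed for the demonstration and its domains are placeholders."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplification: no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of_text(text: str):
    """Host named by URL-looking anchor text, or None for plain words like 'video'."""
    if " " in text:
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def inspect_message(raw: bytes) -> list:
    """List attachments and links; flag links whose text names a different domain than the href."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append({"kind": "attachment", "name": part.get_filename(),
                             "content_type": part.get_content_type()})
        elif part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                href_host = urlparse(href).hostname or ""
                text_host = host_of_text(text)
                if text_host and registered_domain(text_host) != registered_domain(href_host):
                    findings.append({"kind": "link_text_mismatch", "shown": text, "actual": href})
                else:
                    findings.append({"kind": "link", "actual": href})
    return findings


# Constructed sample: a fake breach notice with a disguised link and a zip attachment.
SAMPLE_EML = b"""From: "Card Services" <alerts@example-retailer.com>
To: customer@example.net
Subject: Important notice about your recent purchase
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>We detected unusual activity. Verify your card here:
<a href="http://example-retailer.com.security-check.example/verify">https://www.example-retailer.com/account</a></p>
<p>Or watch the explanation: <a href="http://video.example-retailer.com/notice">video</a></p>
</body></html>
--outer
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--outer--
"""


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EML):
        print(finding)
```

The first link is the classic trick: the text shows the retailer's own address while the href lands on a different registered domain that merely starts with the retailer's name. The second link is not flagged as a mismatch because its text is a plain word, which is exactly why the training says to ignore the link entirely and reach the vendor through an address you already know.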

Friday, January 17, 2014

Training and a big cyber Target



A few weeks ago it was disclosed that Target had been the victim of a cybercrime in which millions of credit card numbers and other consumer information were stolen between November and December.  Now it seems, according to an article in the Chicago Tribune, http://www.chicagotribune.com/business/sns-rt-us-target-databreach-20140117,0,965866.story, that Target isn’t the only victim of this style of attack.  The cyber security firm IntelCrawler says it has uncovered at least six other retailers infected with the same malicious software that was used in the attack on Target.  The same article mentions that Neiman Marcus was also a victim.  

The malware being used is called BlackPOS, a memory-parsing (RAM-scraping) program.  Card data is encrypted on disk and on the network, but the point-of-sale software has to handle it in cleartext in memory while a transaction is processed, and BlackPOS scans the process’s RAM for that cleartext and copies it out.  It is believed that criminals turned to this technique because companies have tightened security over the past few years and made it harder to steal the data at rest or in transit.  RAM-parsing malware has been around since 2005 and maybe as early as 2003.  So the fact that cyber criminals now have to reach into memory to get the data is a positive sign that companies are training and implementing security best practices, but the fact that massive amounts of data were still stolen means that they have a long way to go.
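What memory parsing looks like in practice, as an added example that is not code from the original post, the Chicago Tribune article or any malware sample: the pattern matching a RAM scraper performs on a POS process is also what a defender runs over a memory dump to confirm that card data really is sitting in cleartext. The Python below scans a constructed buffer for track 1 and track 2 magnetic-stripe records, uses the Luhn check digit to drop digit runs that merely look like card numbers, and masks the PAN in what it reports. The card numbers in the buffer are the public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, which pass Luhn but belong to nobody; reading a live process’s memory is deliberately left out, the script demonstrates only the scan.

```python
"""Track-data scanner: the memory-parsing step of a POS RAM scraper, used here
defensively to confirm whether a buffer holds cleartext card data.
Added example, not code from the original post, the Chicago Tribune article,
or any malware sample. SAMPLE_MEMORY is constructed; the PANs in it are the
public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444."""
import re

# Track 2 as it sits in memory: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # ch is an int when iterating bytes
        d = ch - 0x30
        if i % 2 == 1:                       # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the first six and last four digits (BIN and last four), hide the rest."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> list:
    """Return every Luhn-valid track record found in buf, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "offset": m.start(),
                         "pan": mask_pan(m.group(1)),
                         "expiry": (m.group(2) + m.group(3)).decode()})
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "offset": m.start(),
                         "pan": mask_pan(m.group(1)),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": (m.group(3) + m.group(4)).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process's memory: log text, a real-looking
# track 2 record, a decoy that matches the pattern but fails Luhn, and a track 1 record.
SAMPLE_MEMORY = (
    b"POS terminal 07 - transaction log\x00\x00\x00\x00"
    + b"\x41\x00\x52\x00\x7f" * 8
    + b";4111111111111111=25121011234567890?"            # valid track 2
    + b"\x00" * 32
    + b";4111111111111112=25121011234567890?"            # decoy: bad check digit
    + b"\x00" * 16
    + b"%B5555555555554444^DOE/JOHN^2512101000000000?"  # valid track 1
    + b"\xde\xad\xbe\xef" * 4
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The regular expressions key on the start and end sentinels (`;`/`?` and `%B`/`?`) and the field separators, which is the cheapest way to find a whole record. Some POS software strips the sentinels before the data reaches memory, so a thorough sweep of a real dump also looks for bare 13- to 19-digit runs and relies on the Luhn check alone to prune them; the same scanner, run by the defender on a test terminal, is how you verify whether a vendor's "encrypted" POS stack still exposes cleartext track data while a sale is in progress.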

Besides having tight security, companies need to invest in educating their employees at all levels.  All personnel should be trained in IT security at a level appropriate to their position in the company.  IT security staff should be sent to seminars to learn the latest risks and should receive training regularly.  Office administrators should also be trained, but at a different level.  I found this article to reflect both good and bad news for IT security.  The fact that it is more difficult than ever before to steal data is a good sign, but the fact that massive amounts of data can be taken without notice is disturbing.

Saturday, January 11, 2014

Acceptable Use Policies



In the spirit of this week’s CIS608 topic I thought I would blog about the acceptable use policy, or AUP.  According to Bradley Mitchell’s summary at http://compnetworking.about.com/od/filetransferprotocol/a/aup_use_policy.htm, an AUP is a written agreement, accepted by everyone who uses a particular computer or group of computers, that spells out how those systems may be used.   Most employers present an AUP to new employees early on, before they are allowed to use the company’s computers.  The policy usually defines what the computers and internet may be used for, how much they may be used, and even the etiquette required for proper communications.  The AUP is good not only for the company but also for the employee.  Because it is a written agreement, the employee knows what they can and cannot do while on the company’s computers and network.   Additionally, corporate AUPs also protect the company’s proprietary data.

An AUP should clearly define the consequences of violating any of the agreed-upon uses of the devices.  An effective AUP removes any mystery for an employee about what they can and cannot do while on the network.  Beyond corporate AUPs there are also AUPs for schools, libraries and virtually anywhere else someone can connect to a network.  I know that my oldest son recently started junior high school, where he was given the school’s AUP that both of us had to read, sign and return to the school.  The nature of his AUP was slightly different from the ones that I have been given in the past for my work.  The school AUP focused primarily on not cheating, hacking or looking at graphic or pornographic material.  Additionally, he is to report any accidental access to such material immediately, as well as to report anyone else he witnesses doing so.  Overall these policies are good for all interested parties, ensuring that the network remains in good health and readily available to everyone.