Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Thinking about Cyber Security Awareness Month in October - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Thinking about Cyber Security Awareness Month in October

As most of our readers know, the past three years we participated in Cyber Security Awareness Month by covering a special topic each day.  We are less than two months away from this year's awareness campaign and we are looking for your ideas on what we should focus on this year.  Here are links to summaries of the past three years so that you can see what we've done:

2007:  http://isc.sans.edu/diary.html?storyid=3597

2008:  http://isc.sans.edu/diary.html?storyid=5279

2009:  http://isc.sans.edu/diary.html?storyid=7504

The handlers were discussing this topic a couple of weeks ago and came up with some ideas.  Here is what we've been noodling as possible topics for 2010:

- Key services that should or should not be running, and how to secure those services that are necessary
- How to secure popular applications in categories like social (Facebook, etc.), desktop (MS Office, etc.), mobile (iPhone apps, etc.), web apps (online banking, etc.) and cloud (Google Docs, etc.)
- How to use security tools like Nessus or Wireshark
- Manipulating Windows registry settings
- Security horror stories

We'd really like to do something that has a lot of meaning for our readership.  So use the comment link below to add your ideas and thoughts, or if you want to share your thoughts privately with us use our contact form.  In the past, we've had a general theme for the entire month then discussed sub-themes each week.  If you look back at the previous years you can see how that theme is carried out.

Marcus H. Sachs
Director, SANS Internet Storm Center

Marcus

301 Posts
ISC Handler
How to survive social engineering to include, but not limited to, phishing, spear phishing, 419 scam, scareware, etc.?
Anonymous
How to share passwords in a secure and easy way internally in an IT department / small organization. Suggestion: Keepass Password Safe http://keepass.info/help/base/multiuser.html

You should always strive towards personal ID's and passwords, but many / most systems also use "master accounts" (example: KVM switches, UPS) that must be set to a secure password.

And these accounts will sometimes need to be used (again the exampe of KVM switch - reset the switch to restore AD / Radius authentication).

Without a good way of sharing this (!) / these password(s) you end up with the classic "well known password(s)". The same password(s) are often used across too many systems - and it/they can't easily be changed when a member leaves the team because you never wrote down where you used it...
dotBATman

63 Posts
Best practices on "priviliged account" management on PC's.

IT will often have a standard account locally on each system ("SWInstall", "Administrator", "root" or similar).

They should regularly change the password, and it should not be the same name / password for all PC's if at all possible to limit worm propogation and put a SMALL obstacle in front of malicious people.

But how do you manage that in an environment with imaging, SW distribution, rotation of IT staff and more?
dotBATman

63 Posts
Are we approaching this from the wrong end ?

Instead of laying all the onus onto the end user, as we have been for years, perhaps we should be working with software writers to produce un-exploitable software, and pressuring government and law enforcement agencies into being significantly more pro-active in fighting cyber crime and punitive to miscreants to the extent of establishing a tangible deterrent.
Karl

14 Posts
Karl,

I like your zeal, but why not do both (more like a defense in depth approach). There is no silver bullet for the security issues we face today. I think educated end users is a positive regardless.

I vote to see "Key services that should or should not be running, and how to secure those services that are necessary".
Karl
1 Posts
Thank you for organizing this initiative. I like the topics that you have listed above, with the possible exception of the last one. In my experience, sharing horror stories is intersting, but doesn't help much to get people doing the right things for security. It can even be counterproductive.

I would much prefer to read success stories that we can learn from, i.e. "our organization had this tough problem and this is what did and didn't work in addressing it".

In addition, I think a discussion of meta topics around security awareness would be very useful. Here are some that particularly interest me. I hope that other readers will submit a few more.

1. How to modify behavior with an awareness project, rather than just training the target audience to answer test questions correctly.

2. What are good ways to measure the effectiveness of an awareness program?

3. Dos and don'ts when targeting awareness program to particular audiences, e.g. executive management, middle management, government officials, various IT employee groups (software developers, system/network/database admins, etc.), factory workers, office workers, ...

John

13 Posts
I would like to see a few days dedicated to data protection and handling; not just based on US law, but European/Swiss/Chinese/Indian.
Peter P

8 Posts
I would like to see something about searching for rogue access points and rogue wireless devices in a disparate corporate environment.
Peter P
1 Posts
I would like to see some stories or information about successful implementations of CAG20 in mixed operating environments.
Peter P
1 Posts
I like the idea of the key services topic and how to secure popular applications. I would also suggest something focusing on security surrounding mobile devices such as smart phones,laptops,ipads, etc.
Peter P
3 Posts
I would like to see the two areas below covered:

1. Social Engineering Awareness. I think if it was covered in the manner of what methods work best to spread social engineering awareness to non-security staff.

2. Log Management. I think that if this area were approached in a manner of compliance it would be very helpful. Using specific event IDs that should be alerted and reported on in relation to HIPPA, SOX, GLBA, and PCI would be very useful. Also, what free resources are out there and best methods for data retention.
Anonymous
I see a lot of good suggestions above. Some additional themes might include:

-- How to initiate an employee security training program

-- How to ensure that supporting compliance initiatives actually supports security initiatives.

-- Dealing with law enforcement during a security incident across multiple jurisdictions or countries.

-- How to allocate a security budget in a small or mid-sized organization.

These are just a few of the themes might be helpful to a decent percentage of the readership.
Anonymous
I think most all of the above are great topics.

What I would also like to see is how corporations react to and request security sweeps.

Now in the days of corporate espionage using high tech devices, we also have to do the same to protect ourselves. I have a client who makes huge money providing this type of service. Everything from remote analog captures of voice to keystroke capturing even from the sound of the click of the keys themselves is possible now. Audio trapping based upon two distinct voices in a room is also easily done now, so nothing transmits until certain conditions are met. You need to defend against these too.

Video monitoring via planted, remote accessible and long-distance high definition zooms is all not only possible but also being used right now.

How are we reacting to this threat? I think we need to address this now, as it all relates to protecting our data in the long run.

Are we dealing with these threats at all? Not until someone hits the piggy bank, but it should not be that way.

-Al
Al of Your Data Center

80 Posts
Marcus, the second selection is a sound topic. Especially cloud technologies as we're sliding quickly into this space.
Anonymous
I would like to see something for home users being that they are the ones with the least knowledge in information security.

Discussions on: Weak Passwords and Password Strength, Home Router Security/Proper setup and patching firmware, Patching Windows/Apple OS, Social Networking Insecurities, Social Engineering, Patching 3rd Party Applications, P2P Insecurities.
dec0der

7 Posts
I really like the idea of educating the users and could use more ideas along that line. I like to call users here "the lask link in the firewall". Defense in depth is the best way and must include user education and sometimes training because users can trump any security IT can devise.

I also like the comment about home users. Providing them educational information about securing their home systems makes their work systems more secure too.

I would not think of it as putting the onus ond the users, but bringing them on board since they have to be included anyway.
KBR

63 Posts
I'd like to see patching. From Windows, to 3rd party software, this is STILL a major problem.

Also, safe surfing...beyond the "don't click on attachments", etc schpiel we tell everyone. Since even major websites have been "owned" and have had people get infected, how can we minimize the damage?
Gilbert

21 Posts
Don't forget incident handling:

Conducting CIRT training and Tabletop exercises is important. They help educate the departments outside of Security on their roles during an incident.

A post-incident Lessons Learned meeting is sometimes more beneficial than resolving the incident itself.
Gilbert
2 Posts
Don't forget incident handling:

Conducting CIRT training and Tabletop exercises is important. They help educate the departments outside of Security on their roles during an incident.

A post-incident Lessons Learned meeting is sometimes more beneficial than resolving the incident itself.
Gilbert
2 Posts
One week covering cloud computing and visualisation,
One week re end user awareness and tools suited to small business and home users,
One week covering free tools for monitoring networks, log management, finding vulnerabilities and managing incidents,
and a final week covering data protection.
Gilbert
1 Posts

Sign Up for Free or Log In to start participating in the conversation!