
Posts tagged - NCSAM

Friday, October 28, 2011

Security Awareness Begins…in the Office

By Jill Knesek, Chief Security Officer, BT Global Services

As you all know by now, October is National Cyber Security Awareness Month and we’ve been looking at different ways that companies can ensure the safety and security of their online operations. One important link in that chain of secure operations that is often overlooked is the employee; making sure employees not only follow procedures but sign on to the philosophy behind them is critical in creating that first line of defense, and oftentimes the last line of defense, in your layered security strategy. Simply beating your employees over the head with policy upon policy is probably not going to work – believe me, I’ve tried it that way – you need to find a way to educate them so that cyber security awareness becomes part of their “muscle memory.” They also need to feel a sense of ownership and responsibility for the assets and data they utilize on a daily basis so they protect those resources with the same level of attention that they would their own. By empowering your employees with information and holding them accountable for implementing good end-user security, you can create an environment that encourages full participation in your security awareness program.

As mobile devices become more prevalent in our workplaces and the hackers more creative in their exploitation methods, the need for continuing cyber security education is even greater. Five years ago our main concerns were whether there was a USB stick introducing viruses into the network or if an iPod was slurping data off the network. But smart phones and tablets in the hands of a mobile workforce have introduced an entirely different level of trepidation into the CSO’s office and the IT Department! The erosion of the perimeter has increased the criticality of the role end users play in our security strategy, and the best way to utilize them is to keep them up to date and aware of all of the dangers lurking out there in cyberspace and what they can do individually to protect themselves and the corporate data that they access.

With a little on-going education, I’m convinced that the new era ushered in with the smart phone will not cause the Security or IT Department a bad case of heartburn.  Here are a few of my top suggestions for integrating security into your employees’ mindset:

  • Make education easy and accessible.  Don’t make security training a burden, make it part of their everyday activities.  We use short 2 to 3 minute videos that use humor to focus on a particular topic and then let the video go viral on our network.
  • We refresh the policy training routinely and test their knowledge often to ensure they have the ability to execute our security policy in day-to-day scenarios.
  • Empower the employee and make them an expert in securing their home network and their social media presence.  By making the information relevant to their personal use of mobile devices we can help them practice good security at home and at work which in turn creates that muscle memory I referred to earlier.
  • We utilize different methods to keep security top of mind such as putting out posters and security collateral on a regular basis in our offices, company magazine and internal mail.  We again try to make the information relevant to their personal use so they can take the messages home with them and share with family and friends. This creates a feeling of empowerment and responsibility to practice good security day and night.
  • Finally, we do not rely on FUD (Fear, Uncertainty and Doubt) to scare our employees into good security, even if it is Halloween.  We work to make the information factual and provide real world examples of where things went wrong.  By sharing information on what good security looks like and how bad security impacts the brand and reputation of a company, we help our employees understand why compliance with our policies is so critical.  No employee wants their company name to be the headline news for being the next victim of data theft.

These are just some of the ways we implement our Security Awareness Program but I would love to hear what you are doing in your company to meet this challenge.  Share your tips in the comments below.

Friday, October 22, 2010

National Cyber Security Awareness Month: Giving Employees a Stake in Your Firm’s Online Reputation

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The rules for motivating behaviors among your employees are pretty familiar to anyone who’s been in a management situation — make the reasons for requesting certain actions transparent, and share the company’s rewards when the behaviors are performed.  Online reputations – so ubiquitous, yet often fragile – are a great modern example of what every employee should aspire to protect.

We’ve all seen email signatures or disclaimers in message board posts where someone reminds us that they don’t speak for their employer.  Setting aside the question of why they would be posting to a public outlet in a personal capacity while using their work credentials, this is pretty naïve thinking. 

Earlier in 2010, an individual claiming to have a professional connection to senior executives of Nissan USA actively posted on an automotive enthusiast message board, in vigorous and often inflammatory terms, about Nissan USA’s response to warranty claims about their GT-R supercar’s transmission.  While initially greeted with skepticism, due to the trolling nature of the posts, it was soon verified that this individual did indeed have a connection to Nissan, and the rest of the community was more than a little surprised at his decision to post in this way.  Needless to say, the posts soon stopped, and corporate spokespeople would not confirm whether the individual’s employment with Nissan continued.

Surely this doesn’t matter, though, to all the other Nissan USA employees.  Or does it?  How will the next person to post – be it officially or not – be treated as a result of this prior experience?  What if someone is quietly looking for another job — will this history become a discussion point during interviews?  Does Nissan want to be a punch-line, or worse, a meme, whenever discussions arise of how not to share corporate information online?  Obviously not, yet now there is a small incremental burden to be overcome for any such programs in the future. 

There are lots of appropriate ways to reward employees for respecting policy and being smart when they’re online.  For example:

  • If you don’t want them to use company workstations for personal internet access, expand your corporate site license so that the same AV or anti-malware tools can be used for free on a personal machine at home.
  • If you don’t want them to identify their employer in any kind of online profile, conduct spot checks and ensure that compliance is part of their annual performance reviews.
  • If synchronizing endpoint security policies over the corporate VPN should be done daily, don’t make it difficult to submit broadband connection expenses for reimbursement. 

At a higher level, consider defining metrics for how much positive – and negative – exposure is provided for the company’s key brands.  Make it clear that any individual employee’s careless actions could potentially have a big impact on the negative score, and that it takes broad acceptance and consistent performance across most of the online employees to get the positive score above the target level.  If you don’t know how to define such a program, reach out to your IT services partners for their input on setting one up.  Moreover, couple success with individual bonuses, or some other kind of incentive program.

Online reputations are tremendously delicate – they can take years to build, and yet may be destroyed practically overnight.  And they have a huge trickle-down effect on consumer confidence in the brands.  There are already plenty of examples of such negative punch lines, and even if the path to total financial performance from those experiences is difficult to measure directly, it still adds to the workload of your corporate communications team, your IT team, and possibly your HR team as well.  Those are all indirect costs to the business which impact the bottom line, so if you can mitigate them via the enthusiasm and support of your workforce, make a conscious effort to share the benefits with them as well.


Monday, October 26, 2009

National Cybersecurity Awareness Month Tip 4: Testing Your IDS/IPS

Tom Le, Director Research and Development, Managed Security Solutions Group, BT Global Services

Do you perform any testing on your IDS/IPS?   What are your test procedures when applying a signature update, deploying a policy change, or enabling some new analysis module?  After all, you wouldn’t consider releasing production software without adequate testing, so shouldn’t the same apply to the IDS/IPS deployment process in a production network environment?

The reality is that few organizations perform much, if any, testing on their IDS/IPS infrastructure.  Many consider IDS/IPS as part of the networking infrastructure, where most changes are considered operational tasks that do not go through a development life cycle that would include testing in a lab environment prior to a production rollout.  The big problem with this approach is that while most changes to a router or firewall can be validated immediately, IDS/IPS changes typically have no immediately measurable impact.

Without having an explicit list of measurable test objectives, you have to rely on empirical testing.  This is actually simple to do with an IDS/IPS because you have an abundance of empirical data available, i.e., your existing network traffic.  To empirically test the impact of IDS/IPS changes, a simple procedure would include:

  1. Capture a good sample size of existing network traffic, such as 24 hours of network traffic.
  2. Replay the captured network traffic against the current and the new IDS/IPS configuration using a tool such as the open source tcpreplay.
  3. Compare the alerts generated by the IDS/IPS in both replay runs to determine any impact of the new configuration.

This same traffic payload is then kept as a baseline and used for automated testing before every future IDS/IPS update.  Another feature of tcpreplay is that you can replay a lot of captured network traffic in a short period of time, which allows for testing many hours’ worth of network traffic in a few minutes and for load testing your IDS/IPS.
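Step 3 above, comparing the alerts from the baseline run and the new-configuration run, is the part most teams end up scripting. The following is an added example, not code from the post or from tcpreplay: it parses Snort-style "fast" alert lines (an assumed format) and reports which signatures appeared, disappeared, or changed in volume between the two runs. The alert lines are constructed for the example.

```python
import re
from collections import Counter

# Snort-style "fast" alert lines: "[**] [gid:sid:rev] message [**] ...". The
# format is assumed; the sample lines below are constructed, not real alerts.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

BASELINE_ALERTS = """\
10/26-09:00:01.000001  [**] [1:2000001:3] EXAMPLE SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.1.5:41000 -> 10.0.2.9:22
10/26-09:00:02.000002  [**] [1:2000001:3] EXAMPLE SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.1.5:41001 -> 10.0.2.9:22
10/26-09:00:05.000003  [**] [1:2000002:1] EXAMPLE HTTP directory traversal [**] [Priority: 1] {TCP} 10.0.1.7:50022 -> 10.0.2.10:80
"""
CANDIDATE_ALERTS = """\
10/26-09:00:01.000001  [**] [1:2000001:4] EXAMPLE SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.1.5:41000 -> 10.0.2.9:22
10/26-09:00:05.000003  [**] [1:2000002:1] EXAMPLE HTTP directory traversal [**] [Priority: 1] {TCP} 10.0.1.7:50022 -> 10.0.2.10:80
10/26-09:00:07.000004  [**] [1:2000003:1] EXAMPLE DNS TXT record flood [**] [Priority: 3] {UDP} 10.0.1.8:53001 -> 10.0.2.53:53
"""

def count_alerts(text):
    """Count alerts per (gid, sid); the message text is kept for the report."""
    counts = Counter()
    messages = {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (e.g. a sensor banner); skip it
        key = (int(m.group("gid")), int(m.group("sid")))
        counts[key] += 1
        messages[key] = m.group("msg")
    return counts, messages

def compare_runs(baseline_text, candidate_text):
    """Report signatures that are new, dropped, or changed in volume."""
    base, base_msgs = count_alerts(baseline_text)
    cand, cand_msgs = count_alerts(candidate_text)
    report = {"new": {}, "dropped": {}, "changed": {}}
    for key in sorted(set(base) | set(cand)):
        b, c = base.get(key, 0), cand.get(key, 0)
        msg = cand_msgs.get(key) or base_msgs.get(key)
        if b == 0:
            report["new"][key] = (msg, c)        # fires only with the new config
        elif c == 0:
            report["dropped"][key] = (msg, b)    # lost coverage after the change
        elif b != c:
            report["changed"][key] = (msg, b, c)  # same signature, different volume
    return report
```

A dropped signature is the finding to chase first: it means traffic that used to alert now passes silently under the new configuration.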

The current version of tcpreplay is 3.4.3 and is available at http://sourceforge.net/projects/tcpreplay.

Monday, October 12, 2009

NCSAM Tip #2 — Compliance Best Practices – Using a framework to ensure regulatory compliance

Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, PCI QSA

This week’s tip for National Cybersecurity Awareness Month discusses what an overall best practices framework to ensure regulatory compliance might look like.  So, whether you’re tasked with meeting PCI, HIPAA, SOX, or any of the other myriad industry and government regulations, Ben’s tips will be applicable.

Ben writes:

Sarbanes-Oxley, HIPAA, HITECH, PCI DSS – the list of standards and regulations is growing by the month.  In the past, companies often created task forces to deal with each mandate.  Unfortunately, that approach does not work for many reasons, not least of which is that it cannot accommodate the scale of regulatory requirements businesses face.

Dissect all of the security and privacy laws and regulations and you will find that the majority of requirements are the same: the key activity is securing data, be it patient information or financial data.

Rather than chasing every regulation, organizations should focus on the following:

  • Research various security and IT frameworks to determine which works best for the organization.  Frameworks such as ISO 17799, IT Infrastructure Library (ITIL) and the Standard of Good Practice for Information Security are needed now more than ever because today’s enterprise security projects are likely to be more complex than those of years past.
  • Develop a formal information security program around the chosen framework.
  • Ensure that all users, developers and system administrators are trained to comply with the security framework.

By standardizing on a common framework, organizations are able to follow a strict hierarchy of controls that lead them to compliance within the specific regulations.  Using this top-down framework approach, it becomes much easier to address regulatory requirements as they come into play.

http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm

http://www.itil-officialsite.com/home/home.asp

https://www.isfsecuritystandard.com/SOGP07/index.htm

Thursday, October 1, 2009

National Cybersecurity Awareness Month

Toby Weir-Jones, VP of Product Development, Managed Security Solutions Group, BT Global Services

BT is a proud supporter of National Cybersecurity Awareness Month (NCSAM) and encourages its customers and employees, and their colleagues and families, to take a moment to think critically about how they use online resources. The National Cyber Security Alliance offers a great general-purpose resource at http://www.staysafeonline.info/ but it’s targeted more at consumers, families with children and small businesses. We’d like to explore some of the themes raised by NCSAM and how they apply in an Enterprise model.

The first tip – “Know who you’re dealing with online” – isn’t just about buying things over Craigslist and indiscriminately feeding your credit card number into phishing sites. Traditionally, most e-commerce apps have welcomed all comers, because you never know where the next customer will be. BT has seen first-hand the damage that can be done when outsiders have unrestricted and unmonitored access to your web apps and any databases they may use. So the Enterprise version of this tip could probably say, “Know where your customers come from and what their normal activities look like.” If you’re selling widgets which have to be shipped and delivered in your own country, do you really have to allow every country’s IP space into your app? If a typical purchaser spends three minutes on each page and traverses five pages during a normal transaction, should you really accept somebody hitting 30 pages a minute for 90 minutes at a time?
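The "normal activity" heuristic above (about three minutes per page and five pages per transaction, versus 30 pages a minute for 90 minutes) can be checked directly against web access logs. This is an added example, not code from the post: it buckets hits per client per minute and flags clients that sustain the threshold rate for a run of consecutive minutes. The hits are constructed, and the log fields (client IP, timestamp, path) are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the post's example of abnormal activity.
PAGES_PER_MINUTE = 30
SUSTAINED_MINUTES = 90

def build_sample_hits():
    """Constructed sample: one normal shopper and one scripted client. Not real logs."""
    start = datetime(2009, 10, 1, 10, 0, 0)
    hits = []
    # Normal shopper: five pages, roughly three minutes on each.
    for i in range(5):
        hits.append(("198.51.100.7", start + timedelta(minutes=3 * i), f"/page{i}"))
    # Scripted client: 30 pages every minute, for 90 minutes without a break.
    for minute in range(SUSTAINED_MINUTES):
        for n in range(PAGES_PER_MINUTE):
            ts = start + timedelta(minutes=minute, seconds=2 * n)
            hits.append(("203.0.113.9", ts, f"/item/{minute * 100 + n}"))
    return hits

def flag_rapid_clients(hits, per_minute=PAGES_PER_MINUTE, sustained=SUSTAINED_MINUTES):
    """Return {client_ip: longest run} for clients whose longest run of
    consecutive minutes at >= per_minute hits reaches `sustained` minutes."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ip, ts, _path in hits:
        buckets[ip][ts.replace(second=0, microsecond=0)] += 1
    flagged = {}
    for ip, per_min in buckets.items():
        run = best = 0
        prev = None
        for minute in sorted(per_min):
            busy = per_min[minute] >= per_minute
            contiguous = prev is not None and minute - prev == timedelta(minutes=1)
            # A gap or a quiet minute breaks the run; a busy minute restarts it.
            run = run + 1 if (busy and contiguous) else (1 if busy else 0)
            best = max(best, run)
            prev = minute
        if best >= sustained:
            flagged[ip] = best
    return flagged
```

Tune both thresholds from your own traffic before acting on the output; legitimate crawlers and monitoring probes will show up here too, and the post's point is to know what normal looks like for your application.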

Another good tip – “Use security software tools as your first line of defense” – touches on a key message we encounter with enterprise customers every day. The presence of IPS, or WAF, or any of these other specialized tools does not excuse neglect! These tools are complex, and the threats they are intended to mitigate are a fast-moving target. You need to stay on top of how the tools are deployed, how they are configured, and (most important of all) what your teams do with the information the tools produce. You need to ensure that your security tools are policy-compatible with your business drivers; for example, if you activate a throttling policy on a firewall or IPS, you need to tell your production application people about it and ensure they don’t have (legitimate) peak periods which might trigger the block.

Finally, “Learn what to do if something goes wrong” illustrates perhaps the most common weakness in most Incident Response policies among large and complex organizations. The natural instinct is to look for who caused the failure, and penalize them immediately. What is more important at the time of the attack, however, is whether you’re dealing with an isolated incident or a more organized campaign. You need to understand the scope and make immediate decisions about whether you terminate the session(s), allow them to proceed under surveillance, or even take your target offline entirely. With appropriate log retention and incident classification techniques, you can be reasonably certain you’ll be able to go back later and reconstruct how the fault arose in your production apps. But if possible, you want to try and learn as much as you can about the precise vulnerability being exploited. Otherwise you will spend huge amounts of time and money after the fact, and may never be certain you figured it out.

Cybersecurity preparedness is about a lot more than filing a policy away in a dusty binder. A bit of planning, coupled with some clear guidelines on remediation authority, will move you a lot closer to having a reasonable security posture than just throwing technology at the network. As always, feel free to reach out to us if you’d like to discuss your situation in more detail.


www.dhs.gov/files/programs/gc_1158611596104.shtm

www.staysafeonline.info/

globalservices.bt.com/LeafAction.do?Record=Managed_Intrusion_Prevention_Services_products_gbl_en-gb&chapterKey=4

www.owasp.org/index.php/Web_Application_Firewall

bt.counterpane.com/ds-msm.pdf