IT Security Blog

In the past few postings we have covered why you should seriously consider implementing a Security Awareness Program, what the goals of a successful program are, and some of the challenges that many face when putting this program in place. As a wrap up to National Cyber Security Awareness Month, today's final installment will focus around how to go about implementing a successful Security Awareness program within your organization.

As a disclaimer before we go into specific detail, let me first point out that there is no "one size fits all" solution to implementing this type of program. Each program will need to be tailored to fit within your company culture and to merge well with the work habits of the other employees. If your new security policies introduce unnecessary process, are poorly outlined/conveyed, or make people less efficient it will be rejected.

First and foremost when going about putting together your SA program, before you do anything make sure you have executive approval for your program. Put a presentation together which outlines some of the things that we have spoken about here in the past month and make a good business case for why your company needs to prioritize SA as an important company initiative. If you go forward without this approval from the beginning you will end up either redoing a lot of work to make the program fit executive direction or it will be shot down outright.

The next item that will ensure the success of your program is the development of meaningful security metrics. Once you have the program in place, it will be important to be able to justify its successes (and also to point out what areas still need work). Create metrics that are easily measurable, preferably automatable, and have an achievable target. Once that target is consistently reached, change your focus and start collecting metrics on other areas that need improvement. The goal of a successful metrics program should be agile enough to be able to change what is being tracked so that you are reporting on areas that are currently being improved upon. If all of your metrics always show 100%, then they are not showing continual process improvement. They are only showing what has already been successfully implemented across the company.

Be sure to have regular (Monthly? Quarterly? Whatever works best for you) checkpoints with internal stakeholders to determine if they have any needs in supporting the mission of your SA program. If they need additional tools or training, be sure to provide them. If other managers do not feel as if they can implement your program successfully within their group for whatever reason, they likely will not do it.

Always remember that you need complete buy in across the organization in order for your program to succeed. That isn't just at the manager level. All employees need to buy in. It only takes one person to not participate and that person can be responsible for a major security leak or information breach.

The most important thing to remember is that security is a journey, not a destination. Continual communication and education will be necessary in order to assure the continued success of your program and to make sure that it remains a high priority for everyone.

Best of luck implementing your own SA programs. It can be one of the most difficult, yet also one of the most rewarding tasks to undertake as a security professional as you see your efforts begin to bear fruit. Missteps along the way are certainly not failures, rather opportunities to learn and grow!

In keeping with their trend of releasing new variants on or around holidays (at least here in the US), the Storm Worm folks have released yet a new Halloween variant.

This new variant has a Halloween related subject line like "Nothing is funnier this Halloween" and a message body such as "Come watch the little skeleton dance" followed by a URL where the Storm malware can be downloaded.

This blog post will be updated as more information becomes available.

Update 1: Here are some additional subject lines associated with this new variant:

To much fun

Show this to the kids

Make him dance

Watch him dance

Dancing Bones

Dancing skeleton

Happy Halloween

Halloween Fun

Have a Happy Halloween everyone

Party on this Halloween

For people with a sense of humor only

Send this to your friends

I am sending this to everyone

I played with this for hours

If your in your office, keep the speakers low

This will make you laugh

You'll laugh your but off

Man this is funny

Earlier this month we discussed why a Security Awareness (SA) program should be implemented followed up by a discussion on what the goal of such a program should entail. Let's take a brief look at the opposite side of the coin today and discuss some of the challenges that are likely to be encountered when implementing your SA program.

The immediate first question in the mind of anyone who is working on a program such as this would likely be "Why would I have any challenges? Everyone should know how important security is. Don't they read the news? There are new security breaches and more compromised data every day!" That very well may be true, but they may not understand how that applies to them, why it is important to them, or why they should care. Not to mention that any SA program needs to fit well into the corporate culture and structure of the organization in which it is implemented. In other words, SA programs are definitely not a one size fits all solution.

Here are some suggestions that I believe will go a long way toward making the rollout of your SA program a success:

-- Deliver a consistent message about the importance of Information Security. If you are inconsistent, then people will be confused about what you are really trying to accomplish.

-- Convince users to develop and maintain safer computer usage habits. This includes education about what types of web sites are generally safe to visit and which are not, not to open email attachments from people they don't know, and make sure they have up to date security software on their computers (anti-virus and outbound firewalls). It's really about changing the way your users think so that they think twice about clicking that email/IM link or opening that attachment.

-- Motivate users to take a personal interest in Information Security. Make sure they understand that they are part of the process and that the success of the program really relies on them. It only takes one person not actively taking part to potentially introduce an organization wide security or information breach.

-- Give end user security awareness a higher priority within the organization. Make sure though that in doing this you aren't making it more difficult for people to do their jobs. A well drawn out SA program will actually make people more efficient. If it makes them less efficient, they will reject it.

-- Develop materials that deliver a clear message about security topics. Hang posters about security or give brown bag presentations that show stats on the success of the program. Also, be sure people understand the potential risks if those policies aren't followed. Continuous education is key!

I can't say it enough, but the success of the program ultimately depends on the willingness of the users to follow it. If the message is not clear, consistent, and efficient, it will not be adhered to and you will find your job very frustrating. The best security programs fit like a puzzle piece into the culture of an organization so that it is easy to understand and easy to follow.

Now that we have all of the administrivia out of the way, tune in next time when we will discuss how to actually go about getting started putting together your SA program.

Since MX Logic is based out of Denver, I have an acute interest in the Rockies' advancement to the World Series to face the Boston Red Sox. From a personal standpoint, I also grew up just outside of New York City and as such grew up a Yankees fan (the only team that I like more than the Rockies) so I also have a pretty sour taste for anything having to do with the boys from Fenway.

Anyway, tickets for Games 3-5 of the World Series were supposed to go on sale today via the Rockies' Web Site. Quickly after the sale started, however the ecommerce site (hosted by a company called Paciolan) crashed and crashed hard. Of the 20,000 seats that were available for each game and were expected to be sold, only about 500 seats total were purchased before the site went down. According to reports from Paciolan, there were 8.5 million hits to the Rockies' web site after tickets went on sale.

Most of the afternoon passed and there were no updates from neither the Rockies nor from Paciolan as to the cause of the outage nor when tickets would go on sale again. Finally, this evening it was announced that an "external malicious attack" caused a system-wide outage with Paciolan.

Call me a cynic, but I have some serious doubts as it relates to this claim.

First, shouldn't a site that handles ecommerce transactions for schools like the Universities of Michigan and Southern California and Florida State as well as professional baseball franchises such as the Rockies, Padres, and Phillies be able to handle more than 8.5 million hits? Either way, the article states that the *** Rockies' web site *** sustained 8.5 million hits, NOT Paciolan. There is a difference even though one could reasonably assume that most people who were visiting the web site were there attempting to purchase tickets.

Second, hackers have bigger fish to fry than trying to take down the Colorado Rockies' web site when World Series tickets go on sale. Hackers are financially motivated. Plain and simple! If this was an attack, not only did the person who orchestrated it not stand to make any money off of the deal, but this wasn't exactly the type of attack that would make the underground community take notice of you either.

Riding on the wave of popularity of e-card variants related to the Storm Worm, we now have another one to add to the mix: The Laughing Kitty.

Similar to other Storm Worm e-card variants the subject lines looks fairly innocuous in an attempt to get the recipient to open the message. Some subject lines that we have seen include:

"Someone is thinking of you! Open your ecard!"

"Have you seen this hilarious greeting?"

"Someone Just sent you an ecard!"

"You have one new ecard waiting!"

"This greeting's for you!"

The body text of the message contains text such as:

"You have been sent the Laughing Kitty kard"

"Click here to view your laughing kitty card online."

"Preview your Kitty card online. It is so funny!"

The message contains a link where the user will be prompted to download a file called "superlaugh.exe" which contains Storm malware code.

Rest assured that there is nothing funny about the laughing kitty.

Storm and its many variants have easily created the largest vector of attack since the Sober worm in 2005, and at this point has dwarfed it in botnet size, observed traffic volumes, and staying power.

Storm worm variants have been reported to have infected up to 50 million PCs worldwide. Thanks to its effective social engineering techniques and enormous botnet power at its disposal we expect it to continue to be a major player for some time to come continuing to send spam, additional Storm malware, DDoS attacks, and more!

I've been at the 11th General Meeting of MAAWG in Washington, DC for the past few days. I can honestly say that this, my 8th MAAWG conference, is the best one that I have been at yet. In addition to MAAWG members, representatives from the London Action Plan (LAP) and the Contact Network of Spam Authorities (CNSA) were also invited. Having all of these groups at the conference provided some great insight and perspective as to law enforcement and anti-spam efforts in the UK and the EU. There are some invitation only meetings between MAAWG, the LAP, and the CNSA on Thursday which I am hoping to will lead to action items for continued cooperative work between the organizations as we move forward.

So, in keeping with the theme of the month today's topic is understanding the goals of a successful Security Awareness Program. We've already discussed why organizations of all types need an SA program, so now that you understand this, the next logical step is to understand what the goals of that program should be. If you go forward with implementing a program without a clear goal in mind, it will surely fail.

One of the most important things to remember about implementing an SA program is that security is a journey, not a destination. There isn't a point where you finally say, "We're here" and stop. The process of your SA program needs to continually evolve and change to meet the needs and requirements of your organization.

The end intent (your goal) is to create an overarching security posture so that the thorough assessment of risk and potential security issues become larger parts in corporate decisions and initiatives.

So, how to achieve this goal? There are 4 main steps:

1. Build interest in Security Initiatives Internally

In the end everyone has to be on board with whatever security initiatives that are enacted. In order to make sure everyone is on board the implementation needs to not take away from someone's ability to do their job efficiently. Additional burden means additional resistance. Even just one person who decides to undermine the integrity of your security position can cause a breach of confidential information of any kind.

2. Educate! Educate! Educate!

Make sure that employees understand not only what policies and procedures are being implemented (and where they are posted on your corporate intra/extranet) but why they are important and why they should care. Policies that are not understood are less likely to be followed and less likely to receive continuing management support.

If done properly, good security procedures can actually make you more efficient!

3. Communicate! Communicate! Communicate!

Regularly follow up on implemented procedures to make sure that your SA program is not "set and forget." Remember this needs to be a process that evolves as regularly as your business does. Otherwise its policies and procedures will become out of date and irrelevant which leads to the policies not being followed.

4. Repeat

Start back at Step 1 and do it all over again! This is the best way to reinforce the program and its importance to the organization. It's easy to forget something you just hear once. It also removes some of the urgency if it is not regularly followed up on and reinforced. Continually repeating these steps will not only show continued urgency and support from the organization, but will give better chance to ensure that your SA policies are better ingrained into your corporate culture at all levels.

MX Logic has announced that we will be joining the National Cyber Security Alliance (NCSA) to actively promote awareness of internet safety and security issues in conjunction with National Cyber Security Awareness Month (NCSAM) during the month of October.

As such, I have pledged to devote a series of blog postings this month to assist with the development of a Security Awareness Program within your organization.

Before we get into the meat and potatoes of developing a Security Awareness (SA) program, the question one must first answer is "Why should I implement a security awareness program? Aren't security programs for the Techies?" This is an excellent question, especially for organizations who might not be anything Information Technology related.

The answer to that question is that no matter what field you are in, security should be a part of your organization. Security doesn't just mean making sure someone doesn't hack your web site or that your computer doesn't get infected with a virus. The concept of corporate security also involves physical security of your office as well as data that you might be storing there.

Let's use a car repair shop as an example. Should they be concerned about security? Absolutely! We'll put aside for the moment that a car repair shop may have thousands of dollars of inventory sitting right in their main lobby area (tires and the like), but where the real money is to be had from a thief's perspective is from the customer records. A car repair shop has customer lists with customer names, addresses, phone numbers, and potentially credit card numbers. If this information isn't properly secured by the shop, your personally identifiable information could be at risk.

As organizations, who are we trying to defend ourselves against? From a technology perspective there are virus writers, hackers, spammers, etc. Those are a given. Data and physical property thieves are also a risk. What are companies doing though to protect against their internal employees? As much as you want to believe that everyone that works for your organization is there to advance the progress of the company, a 2006 E-Crime Watch Survey reports that insiders were responsible for 27% of all security incidents. More than 1 in 4 security incidents (either accidental or intentional) were the result of an employee at a company obtaining access to information that they shouldn't have had access to.

Why is that? For starters, it is easier to get information. The higher up you are in an organization, the more critical data that you likely have access to as part of your normal network access levels which means that your potential risk to a company is also much higher. Why break into the house to steal the jewels when you are already in the bedroom?

Over the next few blog entries we'll go into some more detail on what the goals of a successful SA program should be, some of the inherent challenges that come along with the implementation of such a program as well as steps that you can take to start implementing a security awareness program at your organization. Different types of companies have varying requirements for security (Do you have servers? Do you accept credit cards? etc), but the discussion can certainly be made general enough to apply to everyone.

Hopefully over the rest of October the information that is presented here will be of use to you and will help jog some thoughts of your own on how a security awareness program could work for you.