Saturday, December 18, 2010

An InfoSec Pep Talk

The information security savvy are frequently so immersed in their field of expertise that they commonly forget just how much of best practice remains a mystery to the uninitiated.  Don’t think so?  Take a walk through any office space, retail storefront, or healthcare facility and think like a “black hat” for a moment.  You see that pile of completed forms stacked over there?  How about that unshredded, unlocked recycle bin?  Are there really no physical controls around the fax machine?  Bingo!  An unlocked workstation!

Now, let’s think about the most recent security awareness class that your organization offered.  It probably reviewed password strength and complexity and phishing threats.  Hopefully, it also went into some detail regarding organizational security policy and how …zzzzzz….  Why is it that whenever we get to the policy part the audience keeps doing that?!

Ok, here’s the problem.  Most people want to do their jobs to the best of their ability and then go home.  Most people also despise change.  So, when the Information Security Department starts introducing controls that require people to change their behavior in order to do their jobs, it is frequently met with an acute case of the “I don’t wanna!”s. 

Oddly enough though, today’s change is actually tomorrow’s accepted state.  Recall the late ‘90s when you tried convincing your boss that a network firewall was needed to safely access the Internet.  After clearing budget review, end users likely flooded the help desk with calls as seemingly far-fetched as that their mouse was moving slow…ever since the firewall went in.  Today, network firewalls are commonplace, as the desktop variety should be too.

The fact is that when Information Security proposes a control, policy, or process, it will likely be met with both skeptics and naysayers.  The “we’ve always done it this way!”s and “isn’t that overkill?”s are frustrating and, at times, discouraging.  However, it is also the nature of the business.  Information Security is paid to consider the risk and to make the hard decisions that err on the side of caution.  In times of trouble, Information Security is also everyone’s best friend.

Don’t ever give up in your efforts to clearly communicate organizational security requirements.  Re-commit now to the value of your security awareness program.  Rinse.  Repeat.  Develop prioritized organizational security goals according to a three-year plan and institute measurable benchmarks to regularly assess current state and monitor performance.

Information Security hopes for the best while planning for the worst.  With enough supporting data your boss may even begin to realize exactly how much worse off the organization would be without it.

Thursday, December 2, 2010

You Better Watch Out, You Better Not Cry...

I was watching the Early Show this morning.  I know...it's a guilty pleasure.  It's just newsy enough for my mornings without being Good Morning America serious or Today Show pretentious.

With the holidays upon us, a story on phishing attacks was featured.  True to form, Harry Smith was amazed by his guest as she described how she had sat in "a room full of world class experts" who all had trouble identifying the phishing message due to its apparent authenticity. 

Hmm....I'm guessing that lost something in translation.  I find it hard to believe that any "world class expert" would have such trouble recognizing that a message indicating that the provider needs you to either reply or call with your details to "confirm" them would be anything but. 

Just the same, here are some basics to think about when you get such messages, texts, calls, or even in person queries:

  • How verifiable and credible is the requestor?  Does the sender of the message read customerservice@citibank.com or adsfasdfasfs@citi-bank.com?  Does your caller ID identify the call?  Does the person have identification?
  • What information is being asked for?  Honestly, when was the last time that your credit card company lost your account number?  Why would they or any merchant contact you directly to request your SSN in order to "verify" anything?
  • What information do they already have?  Most credit card issuers, banks, and merchants will already possess some identifying information on you and will seek to confirm what they have as opposed to asking you for what you have.  Now, this alone does not bring instant credibility.  However, if they are telling you your recent transaction amounts and dates, it is a step in the right direction.  If, on the other hand, they are telling you your street address and then asking for your account number or SSN, it should be viewed as highly suspect.
  • What is that agent's name and/or the assigned case number?  When in doubt, look up your credit card issuer's, bank's, or merchant's customer service number as found on your most recent invoice and call them directly with the agent name and/or assigned case number to confirm the request before providing anything.
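The first two checks above (who is the sender, and what are they asking for) are mechanical enough to script. The following is an added example, not code from the original post: it pulls the domain out of a message's From header, compares it against a constructed allowlist of domains the reader has already confirmed from a statement, flags separator-only lookalikes such as the post's citi-bank.com versus citibank.com, and notes any request for the kinds of data a real issuer should never ask you to supply. The allowlist, the phrase list, and the two sample messages are all constructed for illustration.

```python
import re

# Constructed allowlist: domains the reader has confirmed from a paper statement.
# Real entries come from your own issuer's invoice, not from the message itself.
TRUSTED_DOMAINS = {"citibank.com"}

# Data a legitimate issuer already holds and should never ask you to hand over
# (per the checklist: they confirm what they have, they don't collect it from you).
SENSITIVE_REQUESTS = ("ssn", "social security", "account number", "card number", "password")

# Matches the address part of a From header, with or without display name / angle brackets.
_ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?$")


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From header, or '' if none found."""
    m = _ADDR_RE.search(from_header.strip())
    return m.group(2).lower() if m else ""


def _squash(domain: str) -> str:
    # Drop hyphens and dots so 'citi-bank.com' and 'citibank.com' compare equal.
    return re.sub(r"[-.]", "", domain)


def classify_sender(from_header: str) -> str:
    """'trusted' for an allowlisted domain or its subdomain, 'lookalike' for a
    separator-only imitation, 'unknown' otherwise, 'no-address' if unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-address"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return "trusted"          # e.g. alerts.citibank.com
        if _squash(domain) == _squash(trusted):
            return "lookalike"        # e.g. citi-bank.com
    return "unknown"


def asks_for_sensitive_data(body: str) -> list:
    """List the sensitive-data phrases the message asks for, as whole words."""
    text = body.lower()
    return [p for p in SENSITIVE_REQUESTS if re.search(r"\b" + re.escape(p) + r"\b", text)]


def triage(from_header: str, body: str) -> dict:
    """Combine both checks; anything not from a trusted sender, or any request
    for sensitive data even from a trusted sender, is marked suspect."""
    sender = classify_sender(from_header)
    requests = asks_for_sensitive_data(body)
    return {"sender": sender, "requests": requests,
            "suspect": sender != "trusted" or bool(requests)}


# Constructed sample messages (not real correspondence).
SAMPLE_LEGIT = (
    "Citi Customer Service <customerservice@citibank.com>",
    "We noticed a $42.17 charge on 12/01 at a gas station. Reply YES if this was you.",
)
SAMPLE_PHISH = (
    "Citi Security <adsfasdfasfs@citi-bank.com>",
    "Your account will be suspended. Reply with your account number and SSN to confirm your identity.",
)

if __name__ == "__main__":
    for label, (hdr, body) in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, triage(hdr, body))
```

A From header is trivially forged, so a "trusted" result only means the sender did not bother to fake it; the script catches the sloppy lookalike the post describes, not a well-spoofed one. That is why the fourth check, calling the number printed on your own statement, remains the one that actually settles the question.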