Friday, July 23, 2010

ERM-BC-COOP: Security awareness training


I preach awareness training for all hands. Mostly the training I recommend is awareness of the environment so that any changes can quickly be identified and, if necessary, dealt with.

The following article from the Washington Times, DC's "other" paper, reminds us that awareness training needs to include electronics - computers, telephones, etc. - both in and out of the office.

As with all training, it must be repeated until it becomes second nature, automatic.

The article shows that even people who should know better sometimes don't - there may have been training at one point, but it apparently lacked consistency and reinforcement. While we are at it, let's also think about awareness in the parking lot and other public areas.

Fictitious femme fatale fooled cyber security
Intel, defense specialists fell for ruse in test

By Shaun Waterman Washington Times
Sunday, July 18, 2010

Call her the Mata Hari of cyberspace.

Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

But Robin Sage did not exist.

Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."

* Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.

* One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location.

* A contractor with the NRO who connected with her had misconfigured his profile so that it revealed the answers to the security questions on his personal e-mail account. "This person had a critical role in the intelligence community," Mr. Ryan said. "He was connected to key people in other agencies."

* Many other connections also inadvertently exposed personal data, including their home addresses and photos of their families.
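The second bullet above is the one most directly fixable with a technical control: a photo's Exif block can carry a GPS sub-IFD with the coordinates where it was taken. The following script is an added example, not part of the article or of Mr. Ryan's exercise. It uses only the Python standard library to walk a JPEG's marker segments, report any GPS tags present in the Exif data, and strip the Exif block before the image is shared. The minimal JPEG it builds for itself is constructed for the demonstration (a two-entry IFD0 and a two-tag GPS sub-IFD with no real coordinates); the parser is deliberately simplified and does not handle every JPEG variant.

```python
"""Detect and strip GPS location metadata from a JPEG using only the stdlib.

Added example for a pre-upload check; the sample image is constructed below.
"""
import struct

GPS_IFD_TAG = 0x8825  # Exif IFD0 tag pointing at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data):
    """Yield (marker, raw_segment) for each marker segment of a baseline JPEG.

    After the SOS segment the rest of the file (scan data plus EOI) is yielded
    once with marker None. Simplified: assumes no padding bytes between markers.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI with no scan data
            yield marker, data[pos:pos + 2]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data follows
            yield None, data[pos:]
            return


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, value_field)} for the IFD at `offset`."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def gps_tags(jpeg):
    """Return the sorted GPS tag ids found in the Exif block, or [] if none."""
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            tiff = seg[10:]
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd0_off = struct.unpack(endian + "I", tiff[4:8])[0]
            ifd0 = read_ifd(tiff, ifd0_off, endian)
            if GPS_IFD_TAG not in ifd0:
                return []
            gps_off = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0]
            return sorted(read_ifd(tiff, gps_off, endian))
    return []


def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment removed (image data intact)."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            continue  # drop the whole Exif block, GPS sub-IFD included
        out += seg
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Construct a tiny little-endian Exif JPEG for the demonstration (no real image)."""
    ifd0 = [(0x010F, 2, 4, b"Cam\x00")]  # Make, ASCII, fits inline
    gps = [(0x0001, 2, 2, b"N\x00\x00\x00"),  # GPSLatitudeRef (placeholder)
           (0x0003, 2, 2, b"W\x00\x00\x00")]  # GPSLongitudeRef (placeholder)
    ifd0_size = 2 + 12 * (len(ifd0) + (1 if with_gps else 0)) + 4
    if with_gps:
        ifd0.append((GPS_IFD_TAG, 4, 1, struct.pack("<I", 8 + ifd0_size)))

    def pack_ifd(entries):
        raw = struct.pack("<H", len(entries))
        for tag, typ, n, value_field in entries:
            raw += struct.pack("<HHI", tag, typ, n) + value_field
        return raw + struct.pack("<I", 0)  # no next IFD

    tiff = b"II" + struct.pack("<HI", 42, 8) + pack_ifd(ifd0)
    if with_gps:
        tiff += pack_ifd(gps)
    app1_payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"  # minimal SOS header, constructed
    sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    return b"\xff\xd8" + app1 + sos + b"\x00" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("GPS tags before:", [hex(t) for t in gps_tags(photo)])
    print("GPS tags after: ", gps_tags(strip_exif(photo)))
```

In practice the check runs on the real file before it leaves the device (`gps_tags(open(path, "rb").read())`), and anything non-empty means the photo is not safe to post; stripping the whole Exif block is simpler and safer than editing the GPS sub-IFD in place.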

He added that he was surprised about the success of the effort, especially given that Ms. Sage's profile was bristling with what should have been red flags.

"Everything in her profile screamed fake," he told The Times. She claimed to have 10 years' experience in the cyber security field - which would mean that she entered it at age 15 - and there is no such job as "cyber threat analyst" at the Naval Network Warfare Command. Even her name is taken from the code name of an annual U.S. special-forces military exercise, as a two-second Google search establishes.

Several people with whom she attempted to connect spotted the fakery, Mr. Ryan said. "I was pretty much busted on Day Two." He said some people with whom Ms. Sage tried to connect took simple precautions such as trying to call the phone number she provided, or asking her to e-mail them from her military account. Others checked public records on her purported National Security Agency information security qualification or reviewed the college alumni network for the Massachusetts Institute of Technology, where she claimed to have been educated.

David Wennergren, the deputy chief information officer for the Department of Defense, said in an e-mail that the answer was to continue the Pentagon's effort to "ensure our folks are well trained on responsible use of the Internet - at work and home."

"We should address the behavior, not abandon the tool."

But Paul Strassmann, a professor at George Mason University who was the Pentagon's director of defense information in the early 1990s, said the unrestricted use of social networking by Defense Department personnel poses unacceptable risks.

Mr. Strassmann, who said he was recently engaged by a U.S. agency he declined to name to help develop a policy on social networking, added that it didn't matter that the security breaches in the case were unintentional. "In intelligence, many of the most important leaks are inadvertent."

Another person involved at a senior level in the U.S. military's cyber security efforts, who asked for anonymity because he was not authorized to speak about the case, called it "an object lesson in the dangers of social networking."

"People feel they are safe" on the Internet, he said, but in reality, "it is a perfect environment for preying on people's weaknesses."

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
