Thinking about Cyber Security Awareness Month in October

Published: 2010-08-08. Last Updated: 2010-08-08 16:42:31 UTC
by Marcus Sachs (Version: 1)
24 comment(s)

As most of our readers know, for the past three years we have participated in Cyber Security Awareness Month by covering a special topic each day. We are less than two months away from this year's awareness campaign and we are looking for your ideas on what we should focus on this year. Here are links to summaries of the past three years so that you can see what we've done:

2007:  http://isc.sans.edu/diary.html?storyid=3597

2008:  http://isc.sans.edu/diary.html?storyid=5279

2009:  http://isc.sans.edu/diary.html?storyid=7504

The handlers were discussing this topic a couple of weeks ago and came up with some ideas. Here is what we've been noodling as possible topics for 2010:

- Key services that should or should not be running, and how to secure those services that are necessary
- How to secure popular applications in categories like social (Facebook, etc.), desktop (MS Office, etc.), mobile (iPhone apps, etc.), web apps (online banking, etc.) and cloud (Google Docs, etc.)
- How to use security tools like Nessus or Wireshark
- Manipulating Windows registry settings
- Security horror stories

We'd really like to do something that has a lot of meaning for our readership. So use the comment link below to add your ideas and thoughts, or if you want to share your thoughts privately with us, use our contact form. In the past, we've had a general theme for the entire month and then discussed sub-themes each week. If you look back at the previous years you can see how that theme is carried out.

Marcus H. Sachs
Director, SANS Internet Storm Center


Comments

How to survive social engineering to include, but not limited to, phishing, spear phishing, 419 scam, scareware, etc.?
How to share passwords in a secure and easy way internally in an IT department / small organization. Suggestion: Keepass Password Safe http://keepass.info/help/base/multiuser.html

You should always strive towards personal ID's and passwords, but many / most systems also use "master accounts" (example: KVM switches, UPS) that must be set to a secure password.

And these accounts will sometimes need to be used (again the example of the KVM switch - reset the switch to restore AD / Radius authentication).

Without a good way of sharing this (!) / these password(s) you end up with the classic "well known password(s)". The same password(s) are often used across too many systems - and it/they can't easily be changed when a member leaves the team because you never wrote down where you used it...
Best practices on "privileged account" management on PC's.

IT will often have a standard account locally on each system ("SWInstall", "Administrator", "root" or similar).

They should regularly change the password, and it should not be the same name / password for all PC's if at all possible, to limit worm propagation and put a SMALL obstacle in front of malicious people.

But how do you manage that in an environment with imaging, SW distribution, rotation of IT staff and more?
Are we approaching this from the wrong end?

Instead of laying all the onus onto the end user, as we have been for years, perhaps we should be working with software writers to produce un-exploitable software, and pressuring government and law enforcement agencies into being significantly more pro-active in fighting cyber crime and punitive to miscreants to the extent of establishing a tangible deterrent.
Karl,

I like your zeal, but why not do both (more like a defense in depth approach). There is no silver bullet for the security issues we face today. I think educated end users is a positive regardless.

I vote to see "Key services that should or should not be running, and how to secure those services that are necessary".
Thank you for organizing this initiative. I like the topics that you have listed above, with the possible exception of the last one. In my experience, sharing horror stories is interesting, but doesn't help much to get people doing the right things for security. It can even be counterproductive.

I would much prefer to read success stories that we can learn from, i.e. "our organization had this tough problem and this is what did and didn't work in addressing it".

In addition, I think a discussion of meta topics around security awareness would be very useful. Here are some that particularly interest me. I hope that other readers will submit a few more.

1. How to modify behavior with an awareness project, rather than just training the target audience to answer test questions correctly.

2. What are good ways to measure the effectiveness of an awareness program?

3. Dos and don'ts when targeting an awareness program to particular audiences, e.g. executive management, middle management, government officials, various IT employee groups (software developers, system/network/database admins, etc.), factory workers, office workers, ...

I would like to see a few days dedicated to data protection and handling; not just based on US law, but European/Swiss/Chinese/Indian.
I would like to see something about searching for rogue access points and rogue wireless devices in a disparate corporate environment.
I would like to see some stories or information about successful implementations of CAG20 in mixed operating environments.
I like the idea of the key services topic and how to secure popular applications. I would also suggest something focusing on security surrounding mobile devices such as smart phones, laptops, iPads, etc.