Social insecurity - security awareness gets personal

The awareness topic for November is ‘social insecurity’, meaning information security and privacy risks, controls and incidents involving and affecting people:

• Social engineering scams and frauds, especially phishing and spear-phishing by email and phone;
• Harvesting of information and exploitation of people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
• The use of pretexts, spoofs, masquerading and coercion - social engineering tradecraft;
• Serious corporate risks involving blended/multimode attacks and insider threats e.g. the exploitation of colleagues through social engineering attacks by power-hungry assertive workers with personal agendas (aka “company politics”).

While technical measures (such as anti-spam utilities and email software that disables links and attachments in suspicious messages) help to some extent, security awareness and training are, of course, the primary means of control in practice, especially when it comes to more advanced attacks representing the greatest risks.  Nothing beats having an alert, well-motivated workforce with the wherewithal to notice and react appropriately to suspicious goings-on.

Motivation is the key to making awareness programs effective.  Going beyond merely making people aware of things, our aim is to make them think and most of all behave more securely, for instance spotting the warning signs of possible phishing attacks, and reacting appropriately instead of blithely clicking and jabbering away.

Rather than trotting out the same old same old, we deliver fresh perspectives every month, helping employees stay ahead of today’s security challenges.  Having covered social engineering, social media and social networks a few times before, the awareness content was thoroughly revised and updated to pick up on current incidents and controls in this area, with an eye towards adverse trends and emerging threats. 

Unafe Harbor

After 15 years of tenuous operation and months of speculation, the EU/US Safe Harbor arrangement is sunk. According to SC Magazine:

"In a decision with widespread implications for the international transfer and processing of data - and the companies that provide these services - the European Court of Justice has ruled the EU-US Safe Harbour pact invalid. Experts are warning of massive disruption to international business."

Safe Harbor was formally implemented by the US Department of Commerce in July 2000:

"Decisions by organizations to qualify for the safe harbor are entirely voluntary, and organizations may qualify for the safe harbor in different ways. Organizations that decide to adhere to the Principles must comply with the Principles in order to obtain and retain the benefits of the safe harbor and publicly declare that they do so. For example, if an organization joins a self- regulatory privacy program that adheres to the Principles, it qualifies for the safe harbor. Organizations may also qualify by developing their own self- regulatory privacy policies provided that they conform with the Principles. Where in complying with the Principles, an organization relies in whole or in part on self- regulation, its failure to comply with such self- regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts. (See the annex for the list of U.S. statutory bodies recognized by the EU.) In addition, organizations subject to a statutory, regulatory, administrative or other body of law (or of rules) that effectively protects personal privacy may also qualify for safe harbor benefits. In all instances, safe harbor benefits are assured from the date on which each organization wishing to qualify for the safe harbor self-certifies to the Department of Commerce (or its designee) its adherence to the Principles in accordance with the guidance set forth in the Frequently Asked Question on Self-Certification."

Safe Harbor was never ideal from the EU perspective since it relied almost entirely upon trust. US organizations who voluntarily attested that they complied with the additional privacy requirements under EU law (over and above those required under US law) were presumed to have all the relevant privacy and data security controls in place, qualifying them to handle personal data on EU citizens. As far as I know, there were no independent inspections or enforcement actions to speak of. In contrast, EU organizations are legally obliged to have a range of privacy and data security controls based on those originally specified back in 1980 by the OECD.

The end of Safe Harbor is a problem for EU organizations that depended upon it to absolve them of blame if personal data on EU citizens was inadequately secured by various US organizations communicating, storing and processing it on their behalf. Many websites, apps, cloud services and so forth run in US data centers, and a fair proportion of them handle personal data ... so it will be interesting to see what happens next. My guess is that some US data centers or related organizations will seek audits and certifications confirming that they do indeed have EU-style privacy and security controls in place, while others may well lose their EU customers.

Security dashboard tips

Tripwire blog's 

The Top 10 Tips for Building an Effective Security Dashboard 

is an interesting collection of advice from several people. 

It's thought provoking, although I don't entirely agree with it.

Tip 2 'Sell success, not fear', mentions:

"For example, in the event that they cannot find personnel who come equipped with the skills needed to improve progress, security personnel can use dashboards to demonstrate the impact that well trained individuals could have on finding and resolving issues and threats, as well as to subsequently leverage that insight for training and cultivating available skills."

Although somewhat manipulative, metrics can indeed provide data supporting or justifying proposed security improvements, assuming that, somehow, someone has already decided what needs to be done ... and suitable metrics can be useful for that purpose too.

The thrust of tip 4 'Use compelling visualizations' is that the dashboard needs to be glossy: I agree dashboards should be professionally crafted and reasonably well presented but I feel their true value and utility has far more to do with the information content than the look.

Tip 9 'Thoroughly vet the information before it is presented' is an odd one. The advice to be ready to explain outliers and anomalies makes sense, but the implication of someone vetting the data before it goes to the dashboard is that it will be both delayed and sanitized. Hmmm.

Well, take a look for yourself and see what you make of the ten tips.