Do You Communicate Consistently?

by Julie Fuggett

Clear, concise, well-written e-mails can be the key to getting what you want, but have you ever considered that they can also save you time, headaches, and even keep you out of hot water?

During the incident handling process, we all know that communication is key. Everyone on the incident handling team must know what the expectations are for their behavior. What is needed of them and when? What should they do? What should they not do? This is especially important if you have technical support staff members who are not full-time IT security staff assisting with incidents. Clear, concise messages that set expectations in black and white can be the one thing that stands between much-needed evidence and spoliation brought on by a network admin who thought he or she was doing the right thing.

Are you re-inventing the wheel every time you handle an incident? You may know the process backwards and forwards in your own head, but what if you have to pass the incident off to another staff member or bring in someone from outside the security office for help? Do you have faith in your own ability to explain all the ins and outs of handling an incident to someone who rarely (or never) gets involved? Having to document all the do’s and don’ts of incident handling during the incident could lead to very costly mistakes. Clear, consistent communications are key to getting your point across as well as documenting what has been done and what needs to be done.

Well-designed message templates can save precious time and prevent mistakes when an incident has occurred. These messages should be formatted to be easy to read, concise, and written to suit the technical acumen of their potential audience. They should say what is okay to do to the system in question as well as which actions should absolutely not be performed. If a message regarding notification of a compromise is to be sent to an IT staff member outside the security office, you may wish to give them a list of actions to perform (assess the physical state of the system, fill out an initial survey with the user of what data is present, etc.) and remind them not to attempt to clean an infection on a compromised system.

Depending on the structure of IT in your organization, they may also need to lay out consequences for lack of compliance with the instructions in the message. These could be technological (loss of network access) or administrative (report to HR) in nature.

Consistent communication isn’t just for incident handling, however! Use it to your advantage when dealing with customers and clients as well. Find efficiencies in the way you communicate with outsiders that set clear expectations on what you can do for them or share with them. You can also use this as a way to gauge the efficiency of other services. If you find that you are repeating the same set of instructions to your users over and over and over again, perhaps it is a sign that your service is making its users work for it instead of the other way ‘round.

Finally, make sure any message templates you choose to use are vetted. (For the sake of professionalism, you should also have them proofread!) Incident response templates should likely be vetted by management and counsel. Customer communication message templates should be vetted by representatives of your user community and not just by “the guys around the office.”


Lazy. Apathetic. Careless. Stupid.

by Julie Fuggett

All of the words in the title are words I’ve heard used by fellow technical types to describe our users, our colleagues. If you make an honest mistake, do you call yourself these names? If your best friend or spouse messes up, is your first move to accuse them of carelessness?

The Chronicle of Higher Education article entitled “Top 10 Threats to Computer Systems Include Professors and Students” described students and faculty as the number five and number four threats respectively to computer systems at institutions of higher learning. Fine—I won’t dispute that, not for a moment. But the article goes on to say this:

Every year students seem to become more careless about computer security, according to some college officials…the only people more careless on their computers than students are professors.

Students attend university to learn. If they were already equipped with all the knowledge they needed to get through life, they wouldn’t enroll. The current generation of undergraduates was raised with computers by parents who weren’t. It should come as a surprise to no one that they were not given cybersecurity lessons at home, and maybe not even at school. They arrive at college knowing just enough to be dangerous. They are given a login and password that gains access to everything from their e-mail to their financial aid, but they don’t yet fully grasp what that means. They don’t understand the implications of a breach of that password’s confidentiality, or they put too much faith in the motives of their newfound friends. When they make a mistake, does that make them ignorant? Yes. Are they worthy of being called names? Definitely not.

Faculty and staff are another matter entirely. Many are old enough that they were not raised on technology. Some would even rather not use it. We drag them, sometimes kicking and screaming, into the information age. Should it come as a shock when some of them make mistakes? They are scammed by phishing messages, they install malware, they carry sensitive information around on USB sticks that get misplaced. I have had the opportunity to work with several faculty members who fell for phishing messages. Never once have they said “you know what? I replied because I just don’t care.”

When I was an acerbic little girl (as opposed to the acerbic woman I am now) my mother used to remind me that I would catch more flies with honey than I would with vinegar. We must watch our language when we speak about the people we support. Even among friends, the way we regard users matters. If you practice derision and nastiness in private, it will come out in public. They are not idiots, they do care, and by and large they do not choose to act with malice when they misuse information and systems.


Running Outside the Zone

By Julie Fugett

When I have the occasion to share my hobbies with others, I usually list “running” among them. I am not particularly fast and I don’t have any delusions that at the age of 31 I am suddenly going to become a competitive runner. I am, quite frankly, pretty lousy at it. It’s hard for me. It’s rare that I experience that “runners’ high,” and I will never win a race. At this point, you’re probably thinking “she’s a masochist,” but you’d be wrong! Here’s why I run: It takes me out of my comfort zone. It makes me push myself to keep going.

I apply this thought process to working in information security as well.  I am into my third year of working full time in this field and I finally feel as though I’m getting a handle on where my strengths and weaknesses lie. It would be easy to retreat into what I know and do only those things. I firmly believe, however, that my employer and my career are far better served if I work to keep my knowledge broad and my interests well-rounded.

By mindfully pushing yourself out of your comfort zone, you are bound to improve parts of your information security practice in unexpected ways. I am a mediocre runner, but when I run regularly my pants fit better and I have more energy. Think over the things you’re expected to do as part of your job. I’m guessing there are parts of your job you could do in your sleep. Maybe you’re a rock star at packet analysis and you can build firewalls with half your brain tied behind your back, but don’t know much about federal regulations affecting your company. Perhaps you can audit information systems with ease but wouldn’t know who to call first in case of a security incident. In most situations, you won’t be called upon to know everything there is to know, but I promise that your work product will be improved by seeking out people who excel at tasks with which you struggle.

In some offices cross training and collaboration are encouraged and even expected. If that’s the case where you work, take advantage of it! Where appropriate, ask to sit in on meetings. Request training. Shadow colleagues who do what you’re interested in.  If this kind of activity isn’t encouraged, work to change the culture—but go elsewhere to get your cross training fix. I know a great place: http://www.securitycatalyst.org/forums/

Try things you’re “bad” at in the privacy of your own home, or at least away from work. Do you spend all day on compliance issues? Pick up a copy of Ultimate WRT54G Hacking, a wireless router, and set to work. Configure the firewall. Experiment with security settings. Practice notifying your family about unplanned outages. (Maybe that’s just at my house…)

Perhaps you’re shaky on building presentations on information security. Ask friends and family what their concerns are—they’ll tell you. Build a talk on a simple idea like “surfing securely” or “how to spot a phish” and then find people who will listen to it. Church groups, retiree groups, and community-based organizations (among others) are all on the lookout for people who are willing to come in and talk. A side bonus? Depending on the certifications you hold, you may be able to count these activities as CPEs!

While it’s possible you will tap a new well of previously undiscovered talent, the main goal here is to push yourself and find new ways of thinking about problems you see in your daily work life. Don’t worry if you don’t become a genius at network architecture or if you still break out into cold sweats when you think about giving a presentation. Get out of your comfort zone now and again—you just might find it makes you even better in the areas where you already excelled.


Three Ways to Make Awareness Measurable

By Julie Fugett

So much of what we do in information security is immediately measurable: how many packets did the firewall drop? How many security incidents did we handle this week? Elsewhere, however, our reach can be more difficult to measure. How effective is our awareness program? Are we talking about the right topics to the right people? Does anybody even care?

My primary job duties center on security awareness, so it’s important to me that people care. I like to joke that I’m “justifying my existence” by compiling metrics regarding security awareness, but that’s only half the story. Showing that your security awareness program is reaching its intended audiences may have compliance implications as well. Regulations like HIPAA and contractual agreements like the Payment Card Industry Data Security Standard have security awareness requirements built-in. Depending on the type of data your organization handles, you may have some of these obligations placed at your feet!

You should ensure that your efforts are actually measurable. Posters on the break room bulletin board are great, but how do you know they’re having an impact? A banner on the company intranet draws attention to your cause, but have you taken steps to track how many people are clicking through to your website?  When you give presentations, how do you know if anybody even paid attention?

It can be overwhelming to think about all the data points you “should” track when it comes to security awareness. My advice: start small. Do the easy things. There will be time later to draw detailed conclusions about the efficacy of your campaign. If you are just beginning, try to put those things out of your mind—if you’re anything like me, you’ll get so caught up wanting it to be “perfect” that you’ll never take that first step.

One of the simplest things I do is count how many people I talk to during the course of a year. I have a spreadsheet where I record the date, the nature of the event, and how many people showed up. When you are showing your managers how effective your awareness campaigns are, it is far more effective to say “I talked to 1500 people in 2008” than “boy, we did a BUNCH of stuff for Security Awareness Month in October!” If you fight nerves during your presentations, have someone else count for you so you don’t forget.

Asking for specific, written feedback can be hugely beneficial. Bribing for it is even more so.  I teach workshops for which there is optional online feedback that can be given after the workshop is finished. Probably 10% of my students fill out that feedback. I see three reasons for this:

1. It’s online. My presentations tend to make people skittish about the Internet for a while, so they don’t believe me when I say the feedback is anonymous.

2. It’s kind of long. The feedback form asks at least 10 questions—most of them about the class and the instructor.

3. They get nothing for their time. No fun swag, no free soda, just a “thanks for your feedback.”

On the other hand, the feedback I solicit during Cybersecurity Awareness Month in October gets nearly 100% participation. Here’s why:

1. It’s anonymous—I don’t even give them a place to write their name.

2. There are three questions, and they’re mostly about the student’s perceptions and concerns.

3. The bottom of the feedback form tears off and enters the attendee in a drawing for prizes.

Finding out what worries your coworkers about information security will help you learn where to focus your efforts. Knowing their frame of mind will give you an “in” so you can discuss your issues (encryption, document disposal, mobile devices, whatever) in a manner that is more meaningful to them. Tracking this feedback is another great way to show management that you are running an agile and responsive security awareness program.
