Cisco Security Blog – Security Thought Leadership by Christopher Burgess
Social Media – The Efficacy of the Corporate Guide
03 June 2011
In early May we published our “Cisco Social Media Policy” for our employees to read, acknowledge and, where applicable, inculcate into their daily regime as employees of Cisco. An internal Governance Board created this document to empower employees’ engagement rather than to harness them as they traverse the social media and social network landscape. Does it answer every question imaginable? No. It does, however, provide the guidance any employee needs to navigate, and to escalate any question that arises during the many daily social media journeys.
Many ask: what is inside a Cisco social media policy document, and why do you have one? As stated above, the guide is there to help employees navigate social networks as they engage the many audiences present within them.
At Cisco we are a community that embraces transparency, authenticity and openness. We encourage our employees to be a part of social networks, both internal and external to Cisco. Our employees may use social networking sites while at work to conduct business. Cisco does not block access to social networking sites; we believe in empowering the workforce and instilling trust in our employees to work responsibly.
We do require our employees to be transparent about who they are. If an employee is discussing Cisco, they use their name, not an alias. We also provide disclaimer text for both Cisco-sponsored sites and third-party sites (such as a personal blog). We ask our employees to make it clear to the reader that the opinions are the author’s. And our directive to our employees includes the admonishment not to share our intellectual property or our financial data, and not to infringe upon the intellectual property of others.
One of the adjustments in this latest edition of the guide was to assist our employees in how they may provide “recommendations” for their LinkedIn contacts who happen to also be current or former subordinates or colleagues at Cisco. We provided the following disclaimer: “This reference is being made by me in a personal capacity. It is not intended and should not be construed as a reference from Cisco Systems, Inc., or any of its affiliated entities.”
We also prepare our employees for the likelihood that not everything they write will resonate with a reader in the way the author intended. In those instances, unless the comment is abusive, the alternative viewpoint should be embraced and the commenter engaged, as the value is in constructive engagement.
This year we also folded the policy guidelines into the annual “Code of Business Conduct” review process so that 100 percent of our employees would be aware of, and knowledgeable about, Cisco’s expectations with respect to their social network engagement.
There really is no debate as to the efficacy of a corporate guide surrounding social media: you should create a guide for your employees. And your guide must be built upon two separate foundational documents, the “Code of Business Conduct” and the “Information Security Policies.” The former describes how each employee is expected to represent Cisco and protect its customers, partners and Cisco’s own assets; the latter spells out the means by which each employee is expected to steward Cisco’s information. Absent such a guide, there can be no expectation that employees will know what the corporation expects of them.
I welcome your thoughts on the dynamic nature of the social media guide your company uses.
When Your Employee Doesn’t Want to Come to the Office
19 October 2010
How many times have you been approached by your employees asking for permission to work from home instead of coming into the office? Your immediate reaction probably includes head nodding, quickly followed by questions about the resourcing required to make this desire a reality. In a recent Cisco study, “The Cisco Connected World Report,” respondents indicated that companies that afford their employees the flexibility to work remotely are more attractive employers.
Should companies allow remote worker access?
My experience has shown that highly visible and transparent discussions lead to greater understanding, engagement, and ultimately buy-in with the ultimate decision, whether to allow remote work or not. In addition, these discussions lead the individual employee to an appropriate expectation of services; if remote worker capability will be enabled, the individual will be well positioned to understand the need to comply with a bevy of new processes and procedures. Rarely do individual users understand the resourcing nuances required of an IT department to protect company assets; the employee’s perspective is oftentimes based on the experiences of others or on personal experiences outside the company. Universally, and I count myself in that universe, they know what they want, and they wanted it yesterday.
Implementation of the remote worker solution may require the use of a laptop, a smartphone, or both. In order to explore the options and resource them correctly, the IT department must know and understand not only what types of devices are touching its networks, but also where and how those devices are engaging the networks. The data transfer solutions and attendant infrastructure for company email, intra-organization collaboration, external interaction, and the various third-party applications that keep the business running all have to be evaluated separately and as configured. For the transmission side of the equation, a virtual private network protects data in motion between the device and the corporate network. With the realization that devices do sometimes go missing, through theft or carelessness, encryption should also protect the data at rest on the device and on any storage media (portable hard drives, USB sticks, etc.); the VPN does nothing for data sitting on a lost laptop.
Survey respondents are divided on whether or not remote worker capability should be allowed. IT departments might assume that employees understand the security threats of working remotely, whereas employees might think the IT departments just don’t get it. Both are half right: employees absolutely have the ability to understand. IT and Information Security (Infosec) departments must ask themselves, “Have we made the investment in education and awareness with respect to security concerns?” If not, then no assumption should be made that the employee is well read on how to operate securely in a remote work environment. The employee who is educated and aware of the security issues unique to remote working environments is the first and last line of defense protecting the company’s interests. Security and awareness programs specific to the remote worker environment can absolutely serve as the instrument which quiets the cacophony of complainants who assume that those charged with implementing and protecting the infrastructure just don’t get it.
The respondents made clear the need for a remote worker option, noting that remote work capability is not a nice-to-have option, but rather an expected table-stakes capability. Users may not wish to be working seven days a week, but they do want the capability to work and be productive outside of what might be considered normal business hours, as well as when on the road. The IT department that doesn’t have a road map for remote access may be positioning its organization to be viewed as a less attractive place to work, according to a majority of the respondents.
In sum, your employees may not want to show up at the office for work, but they will be more likely to want to work from a remote location when their position allows for flexibility.
Social Media – Security Risks? It Depends Where You Happen to be Sitting
24 June 2010
No doubt the eruption of social media applications, networks and tools has caused a significant ground disturbance; some would say it’s been a series of magnitude nine earthquakes. I recently had the pleasure of reviewing the results of a Cisco-commissioned survey, conducted by InsightExpress, of 500 information technology security professionals in the US, Germany, Japan, China, and India concerning social media and personal devices.
Do take the time to review these results; in doing so, I think you will share my realization that with everything new there are unintended and unforeseen security issues, both real and perceived. These issues appear to be at the root of the substantial consternation amongst the participating information technology security professionals. Indeed, this multidimensional capability called social media is in fact permeating the hermetically sealed secure environments of our businesses, or so it would seem. It is time to get out the plow, hitch up the horses and hoe a few rows in order to plant the seeds of healthy and sustainable security practices and capabilities surrounding these concerns.
So let’s dig into the issues that are making the respondents twitch. “Our employees are using unsupported applications on their laptops.” Is that you making the comment? Or were they thinking of you when they responded? Are “unsupported” social media applications used at your office? Is it you? How about peer-to-peer (P2P) software and networks: is it a necessity of your business for you to be connected and sharing work content? Or perhaps you are using an externally hosted and maintained service (aka cloud), as the large number of respondents who indicated their employees were doing just that suggests. But I believe a bit more context needs to be developed to fully understand the issue(s), or we may find ourselves making “much ado about nothing” (with a tip of the hat to The Bard).
What does this mean? It means the “consumerization of IT” has arrived. It means companies need to know who, what, where, when and how their employees are accessing their employer’s environment. It also means one needs to understand the device(s) being used to access those infrastructures. With just over half of employers conducting their own assessments and studies to determine what types of devices employees are using, is it fair to assume those who don’t measure don’t know? Or could those who don’t assess be the truly fortunate ones whose users only use what is issued, because those users understand why the policies exist?
I urge all to assess. It is important to know not only what devices, networks, and applications are being used, but also why they are being used. It is very infrequent that an employee will purposefully use a new tool or capability with the intent of putting their employer, or their employment, at risk. Your understanding can only come from collaborative dialogue. An assessment effort will provide a crystalline view into what may be an opaque situation. With this, you are well positioned to create your messaging and a roadmap to ensure your data is safe and remains safe.
Alternatively, you could of course move to a draconian solution and lock down and restrict access to the Internet, social media tools, applications and services, and in so doing signal that participation in such should happen on a device with no connectivity to your business. It may also signal to your future employee prospects that you are not yet advancing into the new business model. If that’s you, how’s that working for you? I wasn’t surprised to read that those with a highly restricted environment still faced employees using unsupported devices and methods. From my perspective this is analogous to saturated ground receiving more water: the employee, like the water, will find an available route to connect and engage, even if it isn’t the employer’s preferred route. And of course when this happens, a mop is needed in both instances to clean up the ensuing mess. Even though it may feel like you are living under the constant threat of a flood, perhaps with a bit of investment the risk of damage can be mitigated and greatly reduced.
I don’t advocate draconian restrictions. In my own instance I am permitted to use unsupported applications and devices. I am also governed by a clear and concise “code of business conduct” and “information handling policy.” In addition, I don’t have to divine the expectations of my employer; they are shared with me regularly, and they evolve with equal regularity. For example, I know that I shouldn’t copy my internal email to my web-based account, even if it is more convenient to have a copy accessible from my personal laptop (and I know that my personal laptop is an inappropriate device, as it isn’t configured and provisioned with the security applications that my employer implements). If I choose an application poorly, I am fully accountable and responsible should the application wreak havoc.
While not an advocate of a total lockdown, I do submit that certain data sets absolutely require restricted access, and this means your environment and your employer’s environment must be equally secured. I think it is totally appropriate to have sterile lab environments where no electronic devices are allowed, and implementing and enforcing such an environment requires the occupants to understand that technology is excluded for the following reasons: A, B, C, D, … With such articulation and demonstration, you raise the level of understanding so that your employees will not only comply with the restrictions surrounding the data, but will actually know when they may be putting their employer, and by extension their employment, at risk.
The policies are there to guide the employees in their engagements, but policies without teeth are feckless and will be ignored. In my instance, the policies governing my behavior have teeth. Do yours? Make sure they do, and more importantly, make sure you can articulate why the policy exists. From my seat, good policy adherence requires an investment in a robust and omnipresent education and awareness regime. This is not a topic to be relegated to your employee’s first day of work and never revisited.
In sum, the perspective of the information technology security professional is that the social media evolution carries new risks that need to be understood by those implementing the technology, those using it, and those leveraging it for the business. A great way to drive that understanding is to look at the multiple sides of social media and reduce the tendency to become myopic. The practitioner is usually found in the marketing or communications departments; the audience, those with whom we wish to engage in conversation and collaboration, is both the internal clientele and the customers. The importance and understanding of these risks are often shaded by where you sit. These risks can be addressed and mitigated via continual communication, awareness and education.
Security – Who is Responsible?
14 January 2010
Do you view your security posture in the office as more or less important in comparison to your residence? And how does that compare to the personal security profile that you exercise for you and your family? Who should be shouldering the security responsibility? I posit — you are responsible. And I would add that you also need to hold yourself accountable.
At work you may rely on yourself alone. If you are fortunate enough to work for a company with resources focused on security, you may, dare I say, share that reliance with a few groups. These groups include the “information security” team, which attempts to keep information safe (be it data, network, laptop or smart phone); the “physical security” team, which keeps your building safe from intruders; and the local “industrial police force,” responsible for keeping your person safe and secure. Such reliance is appropriate. In each instance the person or entity you are relying on the most is also relying on you at least as much, and oftentimes more so.
An example from the physical world: when you ride public transport you rely on the operator of the vehicle to drive in a safe and secure manner and obey the “rules of the road.” These rules are designed to keep order as we meld in amongst the chaos we affectionately call “traffic.” The operators are also relying on you to make the right choices (how to enter and exit, pay fares, sit and stand, etc.) and to understand the consequences — be they intended or unintended — of your choices should you not follow the rules. This is the accountability part of the equation — you own the end result of your choices and actions.
Throughout my 30+ years in the practice of security it has been my experience that too often people ascribe responsibility for their security to others. When is the last time you heard someone say, “It is my responsibility to be secure! It is my responsibility to maintain security!” or conversely, “Today I am going to be insecure!” It just doesn’t happen. Yet the reality is that every single day my actions demonstrate my desire to be secure and maintain security, and perhaps yours do as well. And yes, it has also been my experience that occasionally I’ve made choices which have caused others to say, “What was he thinking?” and conclude, “There wasn’t any thought process engaged.” I will try to keep those instances to a minimum. Regardless, we all bear responsibility for our own security.
Let me share a few of my thoughts:
Security — what’s a right choice? Fundamentally, understanding why one choice is superior to another in contributing to your security and maintaining your security is how one measures success in remaining secure. I am mindful that a list of suggestions or admonishments of “what not to do” is of little value, whereas a discussion on “how or why” carries utility, and therefore value.
So, extending my previous transport analogy to the automobile, let’s compare how we are responsible for our security in both the physical and online worlds. When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling. During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red lights, go when green, etc.). When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or take the car to the garage for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry on your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake. You are responsible. All of these actions are the responsibility of the operator, the user. You, the user, decide how to maintain and operate your vehicle. When you violate motor vehicle laws (and are caught), what occurs? You receive a ticket, and tickets carry consequences. In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court. With choices and actions come consequences.
You see where I am taking you. In the online world, we have the same basic responsibilities for security as a driver has for safety in the physical world. I personally strive to know and understand the best security practices available to me in my work environment. Why? Because I know that the individuals and teams which create the policies and procedures, and those which research and select the software and hardware I use, are there to keep me and my experience safe. My responsibility is not to undermine the work of others. If I don’t have that support apparatus, then I rely on the reviews and advice available and make my choices and purchases. I should, if I am thinking rationally, make sure I have auto-update turned on for my software, as this is the means by which the vendor patches vulnerabilities that were previously unknown. What if I am a singleton or a small business without a security team supporting me? Is my lack of a support team in and of itself a vulnerability? Not in my view. You can still use the preferred practices of the industry: strong passwords; a different password for each third-party site, so that a breach at one site does not hand over your other accounts; keeping the security software turned on rather than off because it consumes CPU cycles and slows the system. And have a defined process for what happens when an anomalous event is observed. In my case, I take note, and I take action: I contact those who support me, and I research the security of my applications when alerted.
How do I know this? Osmosis? No. Just as I learned how to drive and maintain an automobile, I must learn how to be a responsible user. This takes education. When I learned to drive I took driver’s education. Why wouldn’t I take computer user education? I read, trained, and practiced prior to being tested for my vehicle operator’s license, and tested I have been, in every single state or country I’ve resided in. I avail myself of any and all training presented so that my and my family’s online experiences are safe and secure. If I undermine my own secure computing environment, what are the consequences? At work I might lose sensitive company data; at home I risk losing personal identifying information, account information or family memorabilia.
In closing, wear your seat belt when riding in a motor vehicle, and don’t self-inflict wounds in your online experience: use strong passwords, keep your security software up to date, and back up your data.
Thank you for your time,
Out of Control User = Frenetic IT
08 November 2010
When you access your email each day, do you do so at a distance of 15 paces because you’re just not sure what might jump out of that inbox? You can just about anticipate an email detailing how another user has caused a “blip” that will stretch your capabilities to protect both the user during their online engagements and the assets of the company. Or perhaps there will be an email asking to set up a meeting of all concerned to discuss how the employees in the sales department believe your information security policies are standing between them and their ability to do their job. Whose responsibility is it to keep the user engaged, informed, and compliant with company policy? Odds are, information technology leads will find their constituents asking how to accomplish something that wasn’t anticipated when the policies were created.
In a previous blog, “When Your Employee Doesn’t Want to Come to the Office,” I shared my thoughts on the mobility aspects of the employee who wishes to work remotely. Today Cisco released part two of the Cisco Connected World Report, and it confirmed my hypothesis above: email inboxes are overflowing and IT departments are racing to catch up as the consumerization of the workplace continues. Reading part two of the report, I was encouraged to see that more than 80 percent of IT department respondents noted they had an IT policy. What I found disheartening was the result from the end users: roughly 24 percent of respondents didn’t know a policy existed, let alone where to find it. If that is the case, a collision between policy and practice is never going to be escalated; you cannot flag a conflict with a policy you don’t know exists.
Are your employees prohibited from accessing social networks? The survey showed that where access was blocked or restricted on the job, more than 50 percent of employees will find their way to the social networks in violation of the policy. The reality is that employees follow the path of least resistance, and like water flowing down a rock-covered hill, they will find a path. Similarly, some employers (approximately 36 percent) prohibit the use of personal devices by employees in the course of their official duties, while greater than 60 percent of employees can and do use personal devices in the performance of their official duties.
So even as the employee races into the technological abyss, using the latest and greatest software applications that have crossed their radar, the employee may be blissfully unaware that an un-vetted application may be putting the entire enterprise at risk.
When this occurs, the situation becomes chaotic and frenetic. IT departments race to educate, and discussions take on urgency, where only one side of the equation understands the “why.” At this point, they are racing to plug the new hole, as well as to educate the individual employee who created it. If this is you, it begs the question: is there a regular security awareness and education regime that goes beyond the coasters, posters, and cafeteria table-top triangles? Are you really engaging the individual employee? The survey reports that one in five employees will break IT policy simply because they know enforcement is not going to occur, or that the likelihood of detection is close to nil, so the personal downside risk is perceived as negligible.
Therefore, in addition to having a security and awareness program, one needs to ensure the education side of the equation includes all employees and clearly states the “why.” No longer is it possible to rely on the age-old adage of our parents, “You’ll do it that way because I told you so!” Now the IT department must be prepared to explain why the seemingly unencumbered, externally available social network environment wasn’t designed to house the company’s human resource files. The IT department must also be prepared to understand how the external environment was perceived as enhancing productivity and throughput, as clearly there is a void within the company that employees gravitated toward so that they might perform their primary tasks more effectively. It’s never enough to say that something is out of bounds without investing the time to listen to how your employees found themselves out of bounds.
As I noted above, if the policy stands between the employee doing their job successfully or being unsuccessful, who really believes the employee will opt to adhere to the policy and fail in their job performance? It is unfortunate, but rare is the employee who raises a hand and says to both their management and the IT department, “You know, this policy on social media is sitting between me and being successful in doing my job.” How can you jumpstart that conversation so that those raised hands aren’t a rarity? In the survey, more than 70 percent of the employees noted that they believed their relationship with their IT department was good. However, only 22 percent of the IT respondents believed their employees actually understood their role in protecting the strategic assets of the company.
May I suggest that, when crafting information security policies, you include those most affected by the policy in discussions about the wording, implementation, and, most importantly, compliance and enforcement. When collaborative creation occurs, policies will no longer be viewed as an iron ball and chain to be dragged about by the employee in the name of keeping the company safe and secure. Rather, the policy is owned by the employee and their business unit as a tool that enables and carries the business toward success.
For Additional Reading:
Social Elements of Security Policy and Messaging
Security – Who is Responsible?
Common Sense Approach to Social Media
Social Media – Security Risks? It Depends Where You Happen to be Sitting
Social Engineering – A Threat Vector
09 September 2010
What is “social engineering”? A simple working definition that I like is “to induce an individual to take an action in which they otherwise would not engage.” This begs a second question: “What does this have to do with business?” It means that employees of businesses both large and small may become targets of unscrupulous and malevolent entities interested in obtaining information or assets belonging to the business. Those individuals may engage in criminal behavior and break into your business headquarters; may attempt to follow an employee through the side door; or may speak to you on the telephone and ask you to share the phone number of an executive, provide your user ID and password, or reveal the physical whereabouts of a facility or executive.
In all cases two factors are always at play: compassion and urgency. The individual will attempt to trigger the target’s basic human trait to be helpful. The individual will also infuse a sense of urgency into their quest for information or a specific action, with the expectation that you won’t have sufficient time to verify their proffered bona fides. The countermeasure is correspondingly simple: slow down, and verify the request through a channel you already control, such as a phone number you have on file, before acting on it.
So what happens before the phone rings or you’re faced with an unknown person either face-to-face, on the phone, in an instant message window, or via a Twitter/Facebook exchange?
Step 1: Targeting: Every employee of every company could become a target. Your self-analysis may lead you to believe the information you access would have little value to an outsider. Unfortunately, you don’t get to choose whether or not the information you access would be of interest to another; those conducting the targeting effort decide who is the most viable target based on the results of their own reconnaissance.
Step 2: Reconnaissance: What type of reconnaissance? Technical? Physical? Passive? Active? Technical reconnaissance could entail a remote scan of a corporate network with intent to learn about equipment type, utility, location, security status, etc., to determine whether any technical avenues are viable means by which to attack the network. Physical reconnaissance may be as simple as watching the to-and-fro traffic through an intersection or entrance, or as involved as comprehensive physical surveillance of an individual to determine patterns, residence, business associates, etc. Similarly, the social media footprints of both individuals and businesses will and do provide a plethora of information with respect to an individual’s whereabouts, patterns of movement, schedule of activities, etc. The information we publicly display, in physical or virtual environments, is available for all to see and collect passively.
Passive collection is by and large known as “open source” collection, and allows for the acquisition of information that has been made available for public consumption, either intentionally or unintentionally. Information intentionally made public might be the business hours and address posted on your company’s website. Information unintentionally made public could be a picture posted online in which all the individuals are tagged and the address of a family’s residence is visible. Regardless of the environment, passive collection presents a lower risk of revealing that reconnaissance is taking place than active collection does.
Active collection, as the name suggests, requires the collector to engage in an action. It may be walking up to a door and pulling on it to see if it is locked; sending an email to see if it bounces; or physically conducting surveillance of an individual’s movements. Whenever active collection is taking place, the individual conducting the reconnaissance has increased the odds of being discovered by the targeted individual or entity, because each action leaves a trace the target can observe.
Step 3: Analysis: The physical data is merged with the electronic data, and the attacker begins to create a plan of attack, identify the resources required, and put together the plan to separate you or your company from the information, goods, or services. In their review, they are attempting to design a plan that provides the avenue of highest potential success with minimal risk of discovery.
Step 4: Execution: In every instance the targeted individual is being contacted, sometimes in a number of different ways.
- Technical – Some examples may include, a specific piece of software being created to take advantage of identified vulnerabilities in your network or device which the initial reconnaissance showed as susceptible. Technical means is used to induce an individual to click on a specific url or document provided in an email, or insert a device (e.g. a USB memory stick) into a machine.
- Personal – Some examples may include the individual being directly engaged, be it via social media network capabilities such as chat or IM. Perhaps the individual chats with you in the parking lot and follows you through the doors into the building. If you’ve placed your resume online, a pretext call as a potential recruiter could be a viable avenue to learn about the work you have been engaged in, are engaged in and may be engaged in – all data points of value to the miscreant.
For an example of a professionally executed social engineering attack which moved through the cycle of target, reconnaissance, analysis and execution, read “The Tale of the Targeted Trojan” (Chapter 1 in “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” by Christopher Burgess and Richard Power). The perpetrators created a small cottage industry of corporate/industrial espionage which used physical and technological surveillance and data accumulation, one-off execution scenarios, and successful collection of targeted data sets from the attacked companies.
I believe social engineering has been and will continue to be a viable threat vector for both individuals and businesses. Why? The methodology produces the desired results for the miscreant: not only is it productive, it is also cost feasible. Can it be thwarted or stymied? Absolutely. Do realize that you have little control over an entity which has crossed the threshold of legality and engages in reconnaissance and analysis of you or your business with the intent of attacking you or your firm. You can, however, raise the bar by making yourself or your business a less attractive target. This is accomplished through a comprehensive and continuous employee education and awareness program.
Employee Awareness: The first step requires that both individuals and colleagues understand and learn to recognize the signs of social engineering, and accept the reality that it is occurring and will most likely continue to occur. The best education and awareness programs are built from real-life experiences and scenarios. If you don’t know whether you or your firm is susceptible to a socially engineered attack, I recommend that a “penetration test” be conducted by a reputable pen-tester to provide a realistic level of awareness. From this position of knowledge, effective training can evolve.
Training and Resources: At Cisco, we have evolved an internal security awareness regime. The social engineering threat is specifically called out as a viable threat vector. With respect to addressing telephone calls from an individual seeking information, the following guidance is provided:
To help keep your company safe from social engineering, Cisco publicizes these security tips for anyone receiving phone calls:
- Do not discuss or provide any company information until you confirm the caller’s identity as an employee by using the corporate directory.
- Ask the caller to provide a phone number that you can use to return his or her call. The caller should provide a company number (any number listed in the corporate directory). You can offer to send information to a highly secure company voicemail or email account, or you can transfer the caller directly to the person requested without providing that person’s contact details.
- Never provide employee, project, or company details to strangers or external email accounts.
- Take notes on a suspicious caller, such as a particular accent, caller ID, date, time, and duration of the call. File a report with security.
Please do visit the Cisco Security Education program for a comprehensive overview on how to create a program for you or your business. Continuous education and awareness are the key ingredients to turning back the social engineer.
Mail – Got Mail? Got Criminals!
01 February 2010
Who gets mail? We all do.
Mail arrives from a variety of public sector sources, such as the court system inviting you to jury duty or the county assessor providing you with the annual assessment and tax bill. You may also receive in your mailbox your credit card statements and personal correspondence. Perhaps your medical service provider or insurer mails you an explanation of benefits. Merchants send you offers for their services. Similarly, we all have e-mail addresses; some of us have more than one. We use these addresses much as we use our physical mailboxes. Sadly, the mail, both physical and electronic, is also used by the criminal world to perpetrate fraud.
Ask yourself this question: When mail is processed, arrives or is dispatched, where and how does this occur? Simple enough? Let’s discuss.
- The Threat: Theft.
- Office: Where do you receive and process your mail? In an attended or unattended building mail center? A locked or unlocked mailbox? Delivered to a designated individual or company mailroom? Post Office? Is it subjected to an x-ray security scan?
- Home: Is your residential mailbox locked or unlocked? Live in a condo or apartment and have a shared mail facility? Perhaps you use the Post Office or a commercial mail box service?
- Destruction: What do you do with your mail when you discard the paper? Do you shred it? Home or office, I suggest investing a bit in a cross-cut shredder. If you are looking at your business needs, assess your volume to decide which size best suits your requirement. Which paper to shred? Shred anything with your name, account numbers, subscription requests, statements, new credit card solicitations, memberships, etc. Why shred? To protect your data: there is no reason to allow access to your discarded documents, which would allow others to engage in identity fraud or theft at your expense.
Electronic Mail: The 2009 Cisco Annual Security Report projects “In 2010, spam volume is expected to rise 30 to 40 percent worldwide over 2009 levels…” That is a serious amount of e-mail by any measure, magnified even more when one realizes that approximately 97% of all e-mail hitting corporate systems is junk. Therefore, it behooves us to understand the methodology of the perpetrator. With that understanding, we can identify within the noise of the spam the boatload of phish.
- Phish: These take the form of e-mail designed to specifically get you to take an action — be it to respond to the e-mail or click through to a website. We have all seen these in our inboxes. Lamentably, there were those who took advantage of the tragedy following the earthquake in Haiti and peppered inboxes with appeals for donations — donations to bogus charities. A few common topics:
- The Bank: The bank ostensibly requests you to verify account information. (Note: Your bank will not — I repeat, will not — request you to update your account or send data via e-mail, or request you to “click” on links.) Have a need to engage your bank online? Enter its URL directly in your browser.
- The Opportunity: “You’ve won the lottery;” “Help me process remittances from your country;” “Work from home and earn thousands;” and the latest to hit my inbox, “Be a mystery shopper!” Just hit delete, no need to open.
- Spear-phishing: Spear-phishing occurs when the perpetrator personalizes the effort. In “Secrets Stolen, Fortunes Lost,”¹ a book I co-authored with Richard Power, we tell the story of “The Tale of the Targeted Trojan,” where specific individuals and companies were targeted for their intellectual property, personnel files, go-to-market plans, etc. In that instance, we saw the confluence of physical surveillance with technological know-how. Regardless of the method, spear-phishing occurs when the perpetrator is able to craft a one-off delivery of a message in a manner with a high probability of the victim taking the desired action: visiting a website, responding to the e-mail, or opening an attachment. Like spear-fishing in the physical world, spear-phishing in the virtual world targets one specific fish.
- Whaling: The bulk, but personalized, targeting of senior corporate executives. Who can forget the infamous e-mail sent to CEOs around the country that advised the recipient that the U.S. District Court wished to issue them a subpoena and directed the executive to the “court website” to download the document? [see box] Over 1800 recipients responded, even though there were a number of obvious spelling errors, which should have piqued their interest and perhaps raised a yellow flag. For those who visited the website, there were no subpoenas, simply malware.
- Destruction of E-mail: Is the online destruction of mail easier or harder than that of physical paper? Technically, you can hit the delete key and the e-mail leaves your inbox, so that’s pretty easy. But whenever you read, write, copy or save documents, photos, diagrams or media, the bits occupy space on some storage medium: a disc, a server, or a hard drive. Logical destruction is straightforward, hit the delete key; this removes the reference to the data, not the bits themselves, which remain on the medium until they are overwritten. That is satisfactory as long as you maintain control of your device or storage medium. If you have occasion to discard your storage device, I have only one piece of advice: degauss or physically destroy the electronic media prior to disposal. As in the physical world, why give someone who comes across your media the opportunity to obtain your data for their use?
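The Bank, spear-phishing and whaling items above all turn on the same tells: a link whose visible text does not match where it really points, a reply address on a different domain from the sender, and urgency language pushing the reader to act before thinking. The script below, an added example that is not part of the original post or of any Cisco program, runs those checks over two constructed sample messages. The domains (examplebank.com, examplebank-secure.net, example.org) and the 198.51.100.7 address are hypothetical placeholders from reserved documentation ranges, and the "registrable domain" heuristic is deliberately crude (last two DNS labels); a production filter would use the public suffix list and far more signals.

```python
"""Phishing indicator checks over constructed sample e-mails (added example)."""
import email
import email.utils
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of the "act now" pressure described in the post.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")

# Constructed sample messages; the domains and IP are placeholders, not real mail.
BANK_PHISH = """\
From: Customer Service <alerts@examplebank.com>
Reply-To: verify@examplebank-secure.net
To: user@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Your account has been suspended. <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a> to verify immediately.</p>
"""

LEGIT_MAIL = """\
From: Newsletter <news@example.org>
To: user@example.com
Subject: March update
Content-Type: text/html

<p>Read the latest at <a href="https://www.example.org/news">example.org/news</a>.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude heuristic: last two DNS labels. Use the public suffix list in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of_address(addr_header):
    """Domain part of an e-mail address header such as 'Name <user@host>'."""
    _, addr = email.utils.parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_in_text(text):
    """If anchor text looks like a URL or bare domain, return its host; else None."""
    text = text.strip()
    if "://" in text:
        return urlparse(text).hostname
    if re.match(r"^(?:www\.)?([a-z0-9-]+\.)+[a-z]{2,}(?=/|$)", text, re.I):
        return text.split("/")[0].lower()
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message):
    """Return a sorted list of indicator names found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = set()

    # Reply-To on a different domain than From: replies go somewhere the sender does not own.
    from_host = host_of_address(str(msg.get("From", "")))
    reply_host = host_of_address(str(msg.get("Reply-To", "")))
    if reply_host and registrable_domain(reply_host) != registrable_domain(from_host):
        findings.add("reply-to-domain-mismatch")

    # Links: visible text says one site, href goes to another (or to a bare IP).
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_host = (urlparse(href).hostname or "").lower()
        if is_ip_literal(href_host):
            findings.add("ip-address-link")
        text_host = host_in_text(text)
        if text_host and href_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.add("link-text-mismatch")

    # Urgency language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(word in haystack for word in URGENCY_WORDS):
        findings.add("urgency-language")
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("BANK_PHISH", BANK_PHISH), ("LEGIT_MAIL", LEGIT_MAIL)):
        print(name, phishing_indicators(sample))
```

Run against the samples, the bank lure trips all four indicators and the newsletter trips none. The link-text check is the one worth internalizing: it is exactly what "enter the bank's URL directly in your browser" defends against, since the href, not the blue text, is where the click goes.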
Physical mail or electronic mail, you can help protect yourself and your data by understanding how you process and dispose of your data. The unscrupulous will monetize your data at any opportunity. Don’t give them that opportunity.
Thank you for your time.
¹Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century By Christopher Burgess and Richard Power ISBN: 978-1-59749-255-3 Copyright 2008