What Makes A Spam Trend?
Are the CNN and MSNBC spam emails that are going around at present a trend? Yes - this is an example of ‘brand jacking’, i.e. it leverages a popular and trusted brand. These particular examples also use another trend - current events. Eye-catching headlines around current events, particularly things like the Olympics and the US Presidential race, can make people click a link before they think about it - and when the email appears to come from a reputable sender, the likelihood of falling for it rapidly increases.
We are getting much better at not opening attachments from users we don’t know, so the spammers have moved on. Social engineering is the biggest weapon in the cyber-criminals’ arsenal and one of the easiest to beat. Rapid communication and education as to new threats is critically important. An email to staff on the new trend, just to make them think twice about clicking a link in an email, is a worthwhile investment. All staff need to become security aware - it’s not just a job for IT.
Not Me Guv
So, if you lost your laptop and it resulted in a data loss incident - who would you blame? In a recent survey only 17% of office staff and 21% of IT staff thought it would be their fault… the rest thought it was the CEO’s fault or the company’s. Bizarre but true.
Reality is that it is up to everyone to protect the data and the company should provide appropriate technology to help. If you have a company laptop and it contains sensitive information ask about full disk encryption, the same is true for mobile phones (well, the ones which get email, etc, etc). These are relatively simple to install and administer. If you send data out on a CD, then ask if it is encrypted - and if not, ask about encryption solutions to be added into the process. Again, this is not hard to do - and it does reduce the risk.
Finally, if you are really worried about data leaking through email and the like, then ask about content based data loss prevention - it’s not as simple as putting in encryption, but it does create a much better solution.
So… if you lose data - it is your fault. Especially if you haven’t been and asked for help in preventing it from happening in the first place.
Not Waving But Drowning
Hurray, Google and Intel have come up with a way to reduce the impact of email on our daily lives. Turn it off - for fifteen minutes at a time. What!?!?! Simple discipline is all that is needed - you don’t have to respond to email the second it arrives, or Instant Messaging for that matter - what would happen if you didn’t? Would the world stop turning, the lights dim, or any other catastrophe occur - no, of course not.
Introduction of ‘no email days’ is also being hailed as a good thing… I remember when an old colleague introduced the same thing a few years ago and was ridiculed in the press for it! What goes around, comes around.
So - let’s put email back in its place, it is a business tool - which helps us to work more effectively and efficiently - it is not ‘work’ in and of itself. Patience from the sender’s perspective must be expected, if you don’t get a reply in 5 minutes, don’t resend or phone them up to see if they have got the email… if you are a recipient, then don’t think you have to respond immediately - and don’t foster the expectation that you always will. Task switching (in this case in and out of email) destroys productivity and therefore effectiveness! Creating the additional stress of believing that you have to respond to every email ‘first’ is not good for you - or the company. Companies should create and communicate email policies which outline good email practice, perhaps that a response will be given in 24 hours, or 4 hours - you decide, but set the right expectations for everybody’s sake.
There are always exceptions, but let’s bring back a little old fashioned common sense.
How High… How Low: Part 2
… OK, so now the story is that there was some confidential information on the stolen PC - and that it was emailed from an internal account to the one on the PC.
How many times have you emailed something either to or from a personal email account - just because it was convenient? Several I suspect. Once again, it didn’t use to be a crime to lose a laptop, but it virtually is now… similarly no-one used to mind (or notice) if email came and went from personal accounts - but that’s all changed. Technology can now be deployed to prevent this type of ‘accident’ from happening - and of course process, procedure and policy should also be changed to prevent it from occurring. Education is once again top of the list. Why is it bad to use ‘public’ email (the data’s in the clear for one thing!), why should you check the recipients (The Wrong Dave…), why does this keep happening… Time to wise up…
24 Percent
A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more there have always been one or two occasions each year where records were found, in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.
Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!
We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification - preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. Awareness that paper can be just as damaging as electronic records needs to happen and the processes whereby records are printed out need to be re-examined - especially to ensure the appropriate destruction, e.g. shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.
Symantec Vision Conference - Day 2
Time flies by when you are having fun - and when you are learning a lot. The second day has been packed with information including the sessions that everyone wants to go to… what’s coming out in the next release!
There was a great round-table with customers discussing Enterprise Vault - it’s a pity that there were not more engineers there to hear what they had to say. While there were a few niggles, the feedback was really positive; so often engineers only hear about the problems. If there is one thing that customers do really well, it’s sell the product to other customers! There is nothing like hearing from someone who has implemented 150,000 seats to inspire confidence. Thanks to you all.
The day finished up with the Customer Appreciation Party where Jim Belushi played some great songs - he certainly knows how to get an audience going.

What’s The Buzz, Tell Me What’s A Happening…
Symantec’s Vision conference starts today in Las Vegas. Even the airport is excited by it… with long banners in the luggage reclaim hall!
For customers, today is tutorial and certification courses. For me, it is partners, customers and the Dell party this evening!
What The FAX…
Bad process strikes again. A businessman was convicted and jailed for fraud after one of his employees accidentally sent a FAX to the wrong person resulting in some unfortunate data-loss! While sending email to the wrong person is commonplace, sending a FAX to the wrong person is seldom reported. However, it does show that data can be lost in a variety of ways and the risks and consequences can be quite dire.
Businesses need to start thinking out-of-the-box when looking at processes in order to catch all the different ways in which data can accidentally (or otherwise) be lost, leaked or breached. FAX machines, printers, photo-copiers all pose a risk as they tend to take a copy of the data before processing it. So, if someone walks out with the physical device they could retrieve the data. New(er) copiers now encrypt the data to disk, making it harder to walk out with the disk and recreate the data… is this true of the devices in your organization?




