What big teeth you have grandma
"News International's chief infosec officer, on the other hand, says ... "
Taking security advice from News International? The irony.
Experts on both sides of the vendor-customer divide in the UK and a US cryptographer are at odds over whether or not security training is a waste of time. American crypto guru Bruce Schneier says the fact that "we still have trouble teaching people to wash their hands" means the dosh splurged on staff training is likely better …
And what of the Invitation to Party by Direct Correct E Mail Address? Is that Uncovered and Discovered in Intelligence Sweeps? Or Already Withheld Pending Sensitive Inquiries on Tempting Provisions/Future Supply.
In the IT world we tend to put untrained users on potentially hazzardous tools, then expect technology to make those tools "safe"... and then wonder why things go wrong.
Why does much of the world insist upon driver's training and testing before being allowed to drive a car on public roads? Because it helps. Does an educated driver eliminate all accidents? No, but it improves the situation.
CLEARLY, throwing technology alone at security is not working. We've been trying this for well over 20 years and the situation is getting WORSE, not better. Maybe it IS time to try education in addition to "improved" technology.
The usual response I get to this idea is, "education doesn't work!", my reply is, "it has never been seriously tried".
All the "education" attempts I have seen are based on chanting of rules, which attackers can then use as tools of their own, not true understanding of how the Internet actually works, and how it is used against us. Even the "advanced" security training starts from a premise of "you can't stop them", which I reject -- for the most part, we haven't seriously tried.
The cost would be outrageous, but I still don't think a real attempt of educating this is possible, because everyone is different. Too many of us know what to do, and too many of us don't. I think we are pretty much "there" in regards to this topic, but the whole thing seems to boil down to human element. If you still don't know to question that dodgy e-mail attachment or whatever, chances are you never will. This doesn't make people dumb in all fields, it just sets a standard to what field they shouldn't be in.
It's not the full solution, it never stops, but it does work. This is analogous to the handwashing campaign conduct in UK hospitals in recent years. People new they had to do it, they new it had benefits, they just didn't do it (too busy, I'm not doing anything critical, it's just the once, excuse, excuse, excuse).
So a training campaign with lots of reminders and reinforcement was implemented, with significant benefits (i.e. less people dying).
Exactly this problem came up at work today.
User: Central Government requirements require us to log this data, but the datalogging SD cards are getting rather full, but I can't delete old files after emailing them in without Admin access.
Corporate Security: Local Government requirements require us to prevent write access to external devices to prevent security issues.
User: But that means at some point the datalogging will fall over.
Corporate Security: We've prevented write access to external devices to prevent security issues.
The solution we've come up with is: throw away the full SD card and buy an empty one.
Look on the bright side: at least you could crush them and throw them away. I've know people with a safe full of dead drives that can't be thrown away because first you need to be able to certify that they've been sanitized. They apparently don't have the money to hire the appropriately certified mobile van crusher to stop by the office and since the drives are physically damaged, they can't run the software they would otherwise use to wipe the drives.
"They apparently don't have the money to hire the appropriately certified mobile van crusher to stop by the office and since the drives are physically damaged, they can't run the software they would otherwise use to wipe the drives."
I'm sure the budget would stretch to a torx screwdriver and a sheet of emery cloth. Take the platters out and give them a quick sand. With only 20nm of magnetic material that's easily going to come away sufficiently well to prevent anything being recovered. If you're feeling particularly keen maybe bend them as well, since there's no chance that they could be straightened enough to align properly in a new mechanism. Or if they're laptop drives with glass platters just smash them.
I'm sure the budget would stretch to a torx screwdriver and a sheet of emery cloth.
I'm sure that's not "appropriately certified". It doesn't matter whether it's effective; the point of the original post is that it has to be certified.
Rather than dismantling the drives and hand-sanding the platters, it'd be a lot faster to throw a drive in a vise and cut a slot through it with an angle grinder. That doesn't make the entire surface of each platter unreadable, if you have your magnetic-force microscope handy, but it clearly raises the cost high enough that an attacker is extremely unlikely to be motivated to try to recover any information. But again, not certified. Hell, these are drives that have suffered hardware failure; I doubt there's any information on them that's sufficiently valuable to even justify trying to swap the controller board and get the drive going again.
This isn't an information-protection problem. It's an auditing problem.
But you can say don't open PDFs under Windows ...
`One of the firms providing technical tools in the area, PhishMe, will be talking about how what organisations can do to train their staff on how to recognise phishing scams and how to prevent them"'
Buy a computer that don't execute native code from opening an email attachment or clicking on a URL ..
mod-down quick :)
Sadly, he's mostly right.
Although its important to differentiate between security training and security awareness because they're not the same thing. Technicians designing and building systems should certainly be trained to code and designed securely and I genuinely believe that that's money well-spent.
Staff (and indeed Management), need to be security aware, even if that awareness extends only to knowing the extension number of the Information Security team and to have the confidence to be able to call that number if they see something that doesnt look quite right.
To be honest, though, the motivation for many companies I've worked for in paying out for security training can often boil down to 'If they dont know the Policy, you cant sack them if they breach it'.
Biting the hand that feeds IT © 1998–2019