April 12, 2016
Turn, Press, Pull -- Gonna Get Ya
February 23, 2015
Keep 'Em Clean
May 6, 2013
Learning IT Security By Consequences
This is a brilliant little video on IT Security.
What I like about it is that it doesn't just tell you what not to do to stay safe, but rather it shows you the consequences of not doing the right things.
Whether you are letting someone into your office, allowing them to borrow your badge, leaving your computer unsecured, posting your passwords, and more--this short animated video shows you how these vulnerabilities will be exploited.
It is also effective how they show "Larry" doing these security no-no's with signs everywhere saying don't do this.
Finally, the video does a nice job summing up key points at the end to reinforce what you learned.
I think that while this is simpler than many longer and more detailed security videos that I have seen, in a way it is more successful at delivering the message in a practical, down-to-earth approach from which anyone can quickly learn core basic practices.
Moreover, this video could be expanded to teach additional useful IT security tips, such as password strengthening, social engineering, and much more.
I believe that even Larry, the unsuspecting office guy, can learn his lesson here. ;-)
(Note: This is not an endorsement of any product or service.)
March 29, 2013
Catching More Flies With Honey
And this is true in cyberspace as well...
Like a honey pot that attracts cyber criminals, organizations are now hiring "ethical hackers" to teach employees a lesson, before the bad guys teach them the hard way.
The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.
The point of this is not to make people feel stupid when they fall for the hack--although they probably do--but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.
One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.
Another dupe is to send a faux email seemingly from the CEO or another colleague so that they feel safe, but with an unsafe web link, and see how many fall for it.
While I think it is good to play devil's advocate and teach employees by letting them make mistakes in a safe way--I do not think that the people who fell for it should be named or reported--it should be a private learning experience, not a shameful one!
The best part of the article was the ending from a cyber security expert at BT Group who said that rather than "waste" money on awareness training, we should be building systems that don't let users choose weak passwords and don't care what links they click--they are protected!
I think this is a really interesting notion--not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace--where every misstep or mistake doesn't cost you dearly in terms of compromised systems and privacy. ;-)
(Source Photo: Dannielle Blumenthal)
July 6, 2008
Biometrics and Enterprise Architecture
Biometrics is “the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits.” (Wikipedia)
Biometrics is crucial for identifying and taking out of play enemy combatants, terrorists, and criminals or for providing access to trusted employees or partners in public or private sector organizations, like the intelligence community, defense, security, and various sensitive industries like financial, telecommunications, transportation, energy, and so forth.
National Defense Magazine, November 2007 has an article on the significant advances being made in biometric technologies and their applications to our organizations.
According to "The National Biometrics Challenge," a report produced by the Office of the President's National Science and Technology Council, "a tipping point in the maturation of the technology has been reached."
Both the FBI’s Information Services Division and The Department of Defense Biometric Fusion Center are leading the way in this field.
Currently, identity is established based on the trinity: “something you know (such as a password), something you have (like an identity card), or something you are, which is where biometrics comes in.”
Biometrics includes technologies for recognizing fingerprints, facial features, irises, veins, voices, and ears, and even gait.
But these identification means are not fool-proof: remembering multiple complex passwords can be dizzying, and identity cards can be lost, stolen, or forged. So biometrics becomes the cornerstone for identity management.
However, even biometrics can be spoofed. For example, fake rubber fingers have been used in lieu of a real fingerprint (although now there are living-flesh sensors to protect against this). Therefore, biometrics is evolving toward "multi-modal" collection and authentication. This could involve using 10 fingerprints versus one, or combining fingerprints, iris scans, and digital mugshots (called the "13 biometrics template" and used to gain access in U.S.-managed detention centers in Iraq), or some other combination thereof.
Biometrics has advanced so much that an iris scan system from Sarnoff Corp. of Princeton, NJ "can scan and process 20 people per minute from distances of about 10 feet away, even those who are wearing glasses."
The keys to further application of these technologies in our enterprises are the following:
- Lowering the cost (especially to make it available to local law enforcement agencies)
- Making it rugged enough for extreme environments for the military
- Making it portable so that it can be used for a variety of law enforcement and defense operations
- Reengineering business processes so that measurements are captured, stored, accessible, and readily available for making a match and generating a decision on someone’s identity in real-time
- Developing policies that “effectively govern the proper use of the data” and ensure adequate protection for civil liberties and privacy.
Overall, biometrics has moved from emerging technology to applied technology and needs to be planned into your identity management architectures.