[BreachExchange] How We Can Turn National Cybersecurity Awareness Month Into Cybersecurity Action

Inga Goddijn inga at riskbasedsecurity.com
Tue Oct 17 15:40:22 EDT 2017


https://dzone.com/articles/how-we-can-turn-national-cybersecurity-awareness-m

Want to take a peek at the World’s Worst Data Breaches? Here you go:
<http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/>

Now that we’ve got that out of the way, let’s start this blog post over
again. Our goal isn’t to frighten you or deepen the numbness you might
already be feeling from the drip, drip, drip of bad cyber news.

It’s National Cybersecurity Awareness Month
<https://www.dhs.gov/national-cyber-security-awareness-month> (NCSAM),
which was launched in October 2004 as a collaboration between the National
Cyber Security Alliance <https://staysafeonline.org/ncsam/> (NCSA) and the
U.S. Department of Homeland Security with the goal of raising awareness and
providing education on cybersecurity issues.

The name is something of a misnomer, however. NCSAM
<https://staysafeonline.org/ncsam/get-involved/> is really designed to do
more than make you aware of cyber risks. Its bigger goal is to arm you
with information and tools you can use to strengthen yourself, your social
groups, and your businesses against the cybercriminals who prey on us.

In the spirit of NCSAM, we want to do our part by sharing some of the
advice our bloggers have offered on how to take action to protect yourself
and your companies from cyberattacks. With that in mind, here are summaries
of four recent blogs.

1. 4 Steps to Building a Security Awareness Program

First up is a post that gives advice on creating a security awareness
program in your organization. Recognizing that security isn’t just about
technology, this post addresses human factors and the part that employees
can play within the context of a company-wide security awareness program.

The goal is to stop treating security as a series of one-off events or
activities that are handled by experts (often in reaction to incidents
after they’ve taken place) and to create a proactive, pervasive culture
where employees can recognize security risks and then take action on their
own or escalate as appropriate.

The post recommends carrying out the following “human factors” steps:

   1. Creating a Security Handbook containing a body of information that
   employees know about and actually consult when they need information about
   a security issue.
   2. Setting up real-time communication channels using two-way tools such
   as Slack so you can report and be advised on issues as they occur.
   3. Holding in-person information sessions to create a culture of
   openness and to bring important issues to employees in a dynamic, engaging
   fashion.
   4. Creating a Security Awareness Week to pull security out of the
   shadows and raise awareness throughout your company.

Read the full post here. . .
<https://dzone.com/articles/4-steps-to-building-a-security-awareness-program>

If you’re up for more reading, you can also take a look at the
recommendations in How to Implement a Security Awareness Program at Your
Organization
<https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization/>.

2. The Real Implications of the Shared Security Model

Providers like AWS have gone to great lengths to codify and transparently
communicate a Shared Responsibility Model
<https://aws.amazon.com/compliance/shared-responsibility-model/> that has
expressly defined the scope and boundaries of responsibility. Increasingly,
customers recognize that Amazon and its brethren have all-star teams that
have a security focus ingrained in them.

In this post, Pete Cheslock <https://www.threatstack.com/company/>, Threat
Stack’s Senior Director of Operations and Support, takes a detailed look at
the Shared Responsibility Model and explores areas where companies can
extend their security beyond the basic “Providers secure the cloud; we
secure our data.”

As he points out, even as the cloud is proven to be quite secure and as
confidence in it increases, Security and DevOps teams still have to be
vigilant about their own workloads. Organizations have to pick up their end
of the shared responsibility bargain
<https://www.threatstack.com/blog/what-all-devops-teams-should-know-about-the-aws-shared-responsibility-model>
— and in some cases, even take it a step further than what is required.

To determine where and how you should extend your security
responsibilities, Pete recommends asking questions like:

   - What can we control security-wise? What can’t we control?
   - What do our customers expect of us, security-wise?
   - What do we need to focus on from a compliance perspective?
   - What types of data pass through our system, and what security concerns
   arise?
   - What do our competitors cover security-wise that we don’t?
   - And more, depending on your situation

Simply put, by going beyond the basics, you will strengthen your overall
security posture, gain or strengthen competitive advantage, improve your
reputation with customers, and likely affect your products and services for
the better, too.

Read the full post here. . .
<https://dzone.com/articles/the-real-implications-of-the-shared-security-model>

3. W-2 Phishing Scams: What You Need to Know to Stay Secure

Last February, Kevin Durkin, Threat Stack’s CFO, wrote an important post
about W-2 phishing scams. His advice is all the more important following the
latest Equifax breach
<https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/#7e406ecc677c>
that exposed a huge amount of personal information, including Social
Security Numbers.

Here’s some of what Kevin had to say.

Phishing attacks have recently been targeting W-2 forms because they are a
treasure trove of personal and financial information. The attackers
generally pose as a company official or other trusted source when they send
phishing emails.

Kevin recommends making yourself an unappealing target through a
combination of employee training to tell people what to look for, periodic
testing, and continuous security monitoring.

Who falls for phishing scams? According to the 2017 Verizon Data Breach
Report <http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>,
a lot of us: around 30 percent of all employees fall for phishing attacks.

Read the full post here. . .
<https://www.threatstack.com/blog/w-2-phishing-scams-what-you-need-to-know-to-stay-secure/>

(A final note: We’re very proud of Kevin at Threat Stack. Recently the Boston
Business Journal
<https://www.bizjournals.com/boston/news/2017/07/19/kevin-durkin-of-threat-stack-receives-cfo-of-the.html>
honored him as CFO of the Year
<https://www.threatstack.com/blog/boston-business-journal-names-threat-stacks-kevin-durkin-cfo-of-the-year/>,
and he’s a frequent contributor to this blog. For a summary of some of
his recent articles, take a look at 5 Security Blogs Your CFO Needs to Read
<https://www.threatstack.com/blog/5-security-blogs-your-cfo-needs-to-read/>.)

4. How to Stay Secure at Conferences

Pete Cheslock spends a lot of time at conferences, and when we asked him to
share advice on how to stay secure on the road, he came back with a lot of
valuable tips.

Anytime there’s a large group of people, especially one that has its roots
in tech, security can be a concern. More devices in one place and a
concentration of industry players can mean a field day for casual or
targeted hackers. Luckily, there are key security basics and hygiene best
practices you can follow to ensure that attending conferences doesn’t mean
opening up a wider attack surface for yourself or your organization.

First and foremost, he focused on ways you can protect all of your devices
— phones, laptops, tablets, wearables, and IoT devices, stressing, among
other things, that you need to:

   - Take inventory and maintain control of your devices by knowing which
   ones you’re bringing with you and where they are at all times.
   - Password-protect the devices themselves, set up an autolock after a
   short timeout, and use a password manager.
   - Use Two-Factor Authentication whenever possible and consider using a
   service like Find My iPhone
   <https://support.apple.com/explore/find-my-iphone-ipad-mac-watch> or Prey
   <https://www.preyproject.com/> that will let you geotrack your devices
   if they are stolen or lost and remotely wipe them if needed.
   - Stay away from unsecured public WiFi networks, or any network that
   isn’t trusted.

As a reminder that technology by itself isn’t the answer to all security
problems, Pete also talked about the human side of security, including best
practices for using social media as well as excellent advice on what to
discuss (and not discuss) in public.

While his advice focused on attendance at conferences, it applies just as
well as we go through our daily personal and work routines.

Read the post here. . .
<https://www.threatstack.com/blog/how-to-stay-secure-at-conferences/>

Final Words

In the midst of all the bad news, it is reassuring that a lot of
individuals and organizations are working to make life online safer for all
of us. Nationally, of course, there’s Cybersecurity Awareness Month. In our
region, Massachusetts Governor Charlie Baker has announced the formation of
the brand new Cybersecurity Growth and Development Center
<https://www.mass.gov/news/baker-polito-administration-announces-new-cybersecurity-center-at-mass-tech-collaborative>,
whose goal is to unite the cybersecurity sector in Massachusetts while also
training new talent. And, at Threat Stack, where we take security very
seriously, we are committed to accelerating cybersecurity innovation
<https://www.threatstack.com/blog/threat-stack-raises-45m-round-c/>.
Finally, it is reassuring to know that as individuals and as organizations,
there is a great deal we can do to turn awareness into action to help make
life safer in our cyber world throughout the year.