How to Build a Holistic Information Security Learning Program for Your Organization


The security of our information systems is now a top priority. We can no longer imagine a society without the conveniences of technology, and those technologies are powered by information systems that need to be secured. Whether you are trying to secure a multibillion-dollar company, a government institution, or a one-person business, everyone should start taking security seriously.

According to NIST publication SP 800-50, there are three steps that lead to an effective security learning program. The program targets everyone in the organization, at different levels and in different functions.

For Everyone

Everyone should have basic information security understanding and know what they should do in case of a security event through an awareness program. Awareness is about helping people know what to do and not necessarily understanding how security works.

“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security.” The awareness program is intended to allow individuals to recognize IT security concerns and respond accordingly.

The awareness program should be based on the key aspects of the organization’s information security policy. The information should be adapted to suit the needs of everyone within the organization, from the top of the organization to the lowest level. Therefore, everyone within the organization should be provided with a security awareness program.

All IT System Users

All users of the information systems should be provided with basic information security training, in addition to the security awareness program for everyone. The security awareness program tells people not to click on a link in an email from an unknown sender but to delete it. But how does the user go about deleting this email securely? These users should therefore be trained to carry out the recommendations in the security awareness program.

Any user exposed to the organization’s IT systems should be provided with basic information security and literacy training. The main difference between an awareness program and training is that training is more formal, “having a goal of building knowledge and skills to facilitate job performance. Training strives to produce relevant and needed security skills and competencies.”

Here, the organization needs to carry out a training needs analysis and build a training program that ranges from beginner to advanced level.

IT and Security Professionals

Any misstep by an IT professional could easily lead to a security breach. It does not matter whether they are system developers, network engineers, or operating system administrators: they all stand side by side with the information and cybersecurity professionals on the battlefield of cyberwarfare.

Education teaches people to make educated decisions. All IT professionals exposed to the information systems on a technical level should be well-educated to help them perform their jobs effectively and efficiently.

Therefore, a continuing security education program that provides them with regular security training tailored to their job role should be available to them. A well-tailored information security education should be available at multiple levels: beginner, intermediate, and advanced. Organizations should strive to produce IT security specialists and professionals capable of vision and proactive response.


North Korean Hackers Indicted by U.S. DOJ for $200 Million Heist


Three North Korean citizens are being charged by the U.S. Justice Department for the 2014 Sony Pictures hack and the global WannaCry ransomware attack of 2017. According to investigators from the U.S. Secret Service and the Department of Homeland Security, those indicted include:

  • Jon Chang Hyok (a.k.a. “Alex/Quan Jiang”)
  • Kim Il (a.k.a. “Julien Kim”/“Tony Walker”)
  • Park Jin Hyok (a.k.a. “Pak Jin Hek”/“Pak Kwang Jin”)

They are also accused of masterminding the theft of $200 million through cyber theft. They are suspected of being members of a North Korean hacking group operated by the Reconnaissance General Bureau (RGB), an intelligence division of the Democratic People’s Republic of Korea (DPRK).

In the last few years the group has also been suspected of masterminding the $81 million Bangladesh Bank heist.

It is also confirmed that the group stole $6.1 million through ATM heists in 2018, using the Payday ATM attack in what is called an “ATM cash-out scheme”. Their area of specialization goes beyond traditional bank heists and into cryptocurrencies: the suspects are also accused of stealing over $112 million in cryptocurrency across the globe.

The U.S. DOJ Indictment
https://www.justice.gov/opa/press-release/file/1367701/download

Documentary of the Bangladesh Bank Heist.

What Do We Do About the 4% Clickers?


According to a report from Webroot.com, during crises such as the COVID-19 crisis “3 in 10 workers worldwide have clicked a phishing link in the past year. In the US, it’s 1 in 3.”

In a normal situation, 4% of people will click on a link from an unknown sender even when the hyperlink states, “Don’t click on this link.” Research shows you cannot avoid this phenomenon.

Training and security awareness programs have helped organisations reduce successful phishing attacks on their networks. However, such an attack does not need many people to click in order to be 100% successful: the 4% who click are enough to be a nuisance to your organisation. So, what can you do about this problem?

Attackers who break into a corporate network want to move laterally within it. Even if you cannot eliminate the 4%, you can reduce the effect of their actions by introducing Zero Trust Security (ZTS) into your organisation. With Zero Trust Security you limit lateral movement in your network, so that intruders have access to only a few systems. Zero Trust Security is not a product but a set of design principles, and it cannot be implemented with a single product. So, watch out for vendors that promise to sell you a single product that provides Zero Trust Security.

According to Microsoft, Zero Trust controls can be implemented across six fundamental elements of your network:

  • Identities
  • Devices
  • Applications
  • Data
  • Infrastructure
  • Networks

In addition to the above controls, there should be visibility of all assets in the environment, together with automation and orchestration across all six elements.

Other security vendors such as OneTrust (Cisco), Check Point, and Palo Alto Networks have similar ideas regarding the implementation of Zero Trust Security. Zero Trust Security is a holistic approach to security architecture design. It is based on the fundamental concept of “never trust, always verify” for anyone or anything operating within or from outside the security boundary, and it is designed to protect all computer assets, applications, and data.

Zero Trust Security ensures all resources are accessed securely regardless of location. The principle of least privilege is implemented through access control and strictly enforced.

To learn more about Zero Trust Security please visit our ZTS training.

TRAINING

Understanding Zero Trust Security (ZTS)

DATE

February 24-25, 2021

TRAINING TYPE

Virtual


All training runs from 9:00 to 16:30 every day.

Data Leaks Were Up About 93% in 2020, New Reports Say


Breaches and leaks of sensitive data from organizations almost doubled last year, even as consumer worries over information privacy surged, according to two new reports published on Data Protection Day.

January 28 marks the signing in 1981 of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Also known as Data Privacy Day in North America, it is now an awareness-raising event aimed at organizations and consumers alike.

However, new research from Imperva warned that unauthorized transmissions of data from organizations’ networks to external locations had soared 93% in 2020.

The security vendor detected 883,865 such incidents at the start of the year, rising to 1.7 million by the end of December, and argued the figure would be even greater if loss of data via physical devices, printouts and the like had been included.

“Data safety should never be an afterthought – but sadly it frequently is, specifically when companies prioritize speed over security. The rush to hold business continuity in 2020 has accelerated trade at such a tempo that large gaps now exist in process and safety around data,” said Chris Waynforth, AVP Northern Europe at Imperva.

It is naïve to assume that it is only human access to information that leads to compromise. Over 50% of access requests to databases are coming no longer from users, but from application to application.

The danger of major regulatory fines should be making this a board-level issue, the vendor added.

Imperva urged corporations to follow several key steps to better guard their data, beginning with discovery and classification, then sound access controls, continuous monitoring, and quarantining in the event of an attack.

Data minimization must be a paramount consideration throughout, as information continues to disperse throughout complicated multi- and hybrid cloud environments, the company argued.

However, consumers also have a large part to play in keeping their information out of harm’s way. Some 77% told Entrust they are worried about data privacy, and 64% said their concern about the issue has grown over the previous 12 months.

At the same time, though, many people (63%) have been willing to hand over more data to applications in return for greater personalization. Nearly half (47%) stated they don’t review the T&Cs of an app before downloading, with most claiming it was because these were often too long to read.


Why Does the Dutch Government Keep Making These Blunders?


How could two employees of the GGD, the Dutch municipal health service for preventive healthcare, steal millions of personal records of Dutch citizens and start selling them on the open market?

The Background

In the Netherlands about 8 million coronavirus tests have been carried out. In addition, more than 800,000 source and contact tracing investigations have been performed. All this information is stored in the GGD databases, which contain the personal information of everyone who has taken part in any coronavirus-related GGD activity.

What Went Wrong?

It turned out that GGD employees could search for specific persons or take a complete dump of the database. The idea was to enable an employee to quickly find the test result of any person in the database.

Employees could then run a global search and export the results to an external file, which could be downloaded and forwarded to anybody within or outside the GGD.

Apparently this utter disregard for privacy had been going on for months at the GGD. About 26,000 employees and call centre staff had access to the database. Of these, about 8,000 had access to the source and contact tracing information. It is unclear how many of these people could export the content of the entire database.

The Bad News

The leaked data contains full names, email addresses, home addresses, telephone numbers, social security numbers, gender, dates of birth, medical records and contact tracing information. In fact, the data haul contains all you need for identity theft and for potential blackmail.

How Often Do Such Things Happen?

Unfortunately, data leakage at government institutions in the Netherlands is very common, but such a malicious event where you have the private data of citizens leaked from the government being sold in the open market is not very common.

In March last year a data leak was discovered in the infection radar of the National Institute for Public Health and the Environment (RIVM), the body responsible for coronavirus management in the Netherlands. Due to poor secure-programming practices, non-technical users could see the information filled in by other users.

It seems many government organizations have not yet taken data loss prevention and Zero Trust Security seriously. Otherwise, it is mind-bending to imagine how these employees could not only see all the personal data of citizens, but search for someone in the database, dump the result to a file and forward it out of the organization without a red light going off.
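The gap described above, a single-record lookup that could quietly become a full dump, is what a least-privilege gate plus a volume detector closes; the following is an added illustration, not GGD code, and the roles, the threshold and the audit events are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical role model (constructed): call-centre staff may only look up
# one record by exact identifier; only a data steward may export at all.
ROLE_ACTIONS = {
    "call_centre": {"lookup"},
    "data_steward": {"lookup", "export"},
}

@dataclass
class Request:
    user: str
    role: str
    action: str   # "lookup" or "export"
    query: str    # exact identifier, or "*" for a global search

def authorize(req: Request):
    """Least-privilege gate: deny actions outside the role's set, and deny
    wildcard or empty queries so a 'lookup' cannot turn into a dump."""
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, f"{req.role} may not {req.action}"
    if req.action == "lookup" and (not req.query.strip() or "*" in req.query):
        return False, "lookup requires an exact identifier"
    return True, "ok"

def flag_bulk_access(events, threshold=50, window=timedelta(minutes=10)):
    """Detection: events are (timestamp, user, records_returned). Return the
    users whose returned-record total inside any sliding `window` exceeds
    `threshold`, i.e. the 'red light' that a mass export should trigger."""
    per_user = defaultdict(list)
    for ts, user, n in sorted(events):
        per_user[user].append((ts, n))
    flagged = set()
    for user, evs in per_user.items():
        q, total = deque(), 0
        for ts, n in evs:
            q.append((ts, n))
            total += n
            while q and ts - q[0][0] > window:      # drop events outside window
                total -= q.popleft()[1]
            if total > threshold:
                flagged.add(user)
                break
    return flagged

# Constructed sample audit trail: agent_a does normal one-record lookups,
# agent_b performs a single export that returns 5000 records.
T0 = datetime(2021, 1, 25, 9, 0)
SAMPLE_EVENTS = [(T0 + timedelta(minutes=i), "agent_a", 1) for i in range(20)]
SAMPLE_EVENTS += [(T0 + timedelta(minutes=2), "agent_b", 1),
                  (T0 + timedelta(minutes=3), "agent_b", 5000)]
```

The detector works on counts alone, so it also catches an export carried out by a role that is allowed to export, which is why the page's "monitor continuously" advice still applies to privileged users.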

Impressive.

Data loss prevention training for your organization

Training programs to help your organization prevent data loss.

Twitter Introduces Beta Program to Curtail the Spread of Fake News


Social media giant Twitter has launched a new pilot scheme in the United States to handle the spread of misinformation.

Under the new Birdwatch scheme, users are invited to identify information in other people’s tweets that they believe is misleading and to write notes that “provide informative context.”

Twitter said it believes that a community-driven strategy, in which users monitor each other and provide a free fact-checking service, will enable more content to be flagged as misinformation.

“We apply labels and add context to Tweets, however we do not desire to restrict efforts to circumstances where something breaks our rules or receives widespread public attention,” said the company in a blog post yesterday.

For now, any notes that are made will not show up on Twitter but will only be seen on a separate Birdwatch site where pilot participants can rate the helpfulness of notes added by different contributors.

“Eventually we aim to make notes visible directly on Tweets for the global Twitter audience, when there is consensus from a broad and various set of contributors,” said Twitter.

All data contributed to Birdwatch will be publicly accessible and downloadable in TSV files. When fully fledged, Birdwatch will be powered by algorithms based on the reputations of the contributors and “consensus systems.”

A computer will rank the notes made on tweets according to how useful they are.

Commenting on the pilot scheme’s introduction, Twitter user @morganiswizard wrote: “So let me get this straight, you’re attempting to stop random people from spreading misinformation with the aid of letting other random people decide what misinformation is? OK.”

Another Twitter user, Ben Collins, said that he was worried about how the “Birdwatch” scheme would work on the open internet.

“The big thing I’m worried about with Birdwatch? Brigading,” said Collins. “Say one extremist forum really hates one true tweet by way of a particular user. They all sign up en masse and drown out good info. As this rolls out to more people, I do not see a defence against that.”

He added: “Long term, Twitter desires to take the labelling of harmful lies out of the mouth of a faceless team at the company and provide it to the community.”