Making Security Awareness Training Effective

by Sage N Clements, Sec+


Now more than ever, cyber security (or internet security, if you prefer) is important for all organizations, big or small.  Why?  It's simple: we live in a globally connected environment.  Data exchange is so prevalent that if the radio frequencies carrying it were visible, we would be literally blinded by the digital packets in front of us.  So if it is so important, why does security so often seem like an afterthought, handled with a reactive mindset?

The consensus among most security professionals is that either traditional training methods do not work or that company officers do not value such training.  Although I believe both have merit, the latter has improved in the last three years, primarily because of some high-profile public breaches.  But maybe we are asking the wrong question.  Instead of "how effective is security training?" we should be asking "what can we do to make security awareness training more effective?"

It starts by accepting that there is no one-size-fits-all approach to teaching.  People learn differently, and applying the same methodology to everyone is not the best approach.  Some people learn better through an auditory style, while others learn best physically or logically.  We need to take a more methodical approach, incorporate a variety of learning styles and, most importantly, tie the training to a performance metric that matters to the employee.  What do I mean by that?  Many of the call centers I have been involved with over the years implemented a QAT, or Quality Assurance Team.  The QAT primarily checked employees' work to ensure no critical mistakes were made, since critical mistakes can be costly to a business's bottom line.  Each employee was evaluated approximately five or six times a quarter, and their overall score was weighed against the rest of their metrics.

So why does this matter?  If quality metrics are weighed heavily enough, they can affect an employee's eligibility for an incentive plan.  I recall colleagues getting heated every time they received a quality score they felt they did not deserve.  Despite the differences of opinion, what I always remember is that it changed that person's behavior.  Whenever my colleague had to close a call, they did it the right way, because it affected something they cared about: their incentive eligibility.

Coming full circle, why wouldn't we make security awareness training part of an employee's performance or quality score?  Making employees aware of security threats is just as important as ensuring they verify a caller or stop someone from walking into a sensitive area without credentials.  Now that we have established a reason for them to care, it is time to focus on learning methods.


As I stated earlier, people learn differently, and the best way to teach people about security is not to rely solely on computer-based training or videos, but to incorporate real-life simulations against targeted employees and give immediate feedback as it happens.  A universal example is tailgating.  Tailgating is when an employee badges into a sensitive area, such as an employee entrance or production area, and allows someone without a badge to piggyback, or "tailgate", without using their own access credentials.  When the simulator (the person playing the intruder) has successfully tailgated an employee, they should pull the employee aside and, with a security guard or manager present, explain the importance of not becoming a victim and suggest mitigation techniques.  In turn, the security guard should report the incident directly to the employee's manager for the record, and the manager should update the employee's quality or performance file.  Conversely, if the tailgating attempt fails, it is important to let the employee know they passed the simulation, for two reasons.  One, it reinforces positive behavior, and two, that employee will undoubtedly tell their teammates about the experience, creating a vigilance effect.  This type of experience appeals to those who learn physically, visually, verbally and socially.  The same thing can be achieved with phishing attempts.

Phishing is a social engineering attack that deceives an individual by pretending to be a reputable person or organization.  It is most commonly delivered by email, but it is also carried out by phone or in person.  The goal is for the target to give up credentials or other critical information so that the perpetrator can gain access to something of value.  One of the most common simulations is sending an employee a well-crafted email from a source that appears to be legitimate.  When the employee clicks the link, a series of web pages open with loud alert sounds, followed by a splash page with the company emblem letting them know they have just taken part in a phishing simulation.  After they review the information and acknowledge the simulation, the QAT updates the employee's file and the manager is copied for follow-up.  Conversely, if the employee reports the phishing attempt to the appropriate party (the designated security team or their manager), or the simulation expires because the employee deleted the email, the employee and the QAT are both made aware.  Reporting is the outcome to reward most, since a reported email is what gives the security team a chance to catch a real campaign early.  This appeals to those who learn verbally, visually, physically, socially and logically.

Now, I know there are many other learning styles I have not accounted for; in my defense, there are many other methods of attack as well.  The point is that it is important to incorporate different methods, keeping in mind what works for a multitude of learning styles.  Equally important is tying security to a metric that matters to the employee.  As security professionals, it is worth asking the organization whether something like this is already in place.  If not, it would be a powerful recommendation.  One of my favorite quotes is from Steve Conrad of Media Pro: "it's not just about providing security training, it's about providing educational experiences that change behaviors."


Have You Prepared for Windows 10?


Nothing is more rewarding than getting something for free, and thanks to Microsoft we will not have to wait until the holiday season.  Microsoft has rubber-stamped the release date of its newest operating system, Windows 10.  It is set to be released on July 29th as a free upgrade, for a limited time and to eligible users.  For full details, terms and conditions, visit http://www.microsoft.com/en-us/windows/windows-10-upgrade (external link).  The new operating system blends its predecessors, Windows 7 and Windows 8.1, and promises a familiar, user-friendly environment.

With any new operating system, it is a good idea to take precautions.  Here are three important steps to take when moving to Windows 10:

BACKUP, BACKUP, BACKUP

As with any major change to your computer, ALWAYS back up important data and software before you upgrade.  Having a backup ensures that if anything goes wrong, your data is not lost.  In this day and age, you cannot afford not to back up your data.  All too often we hear "my screen is cracked and it's too expensive to repair" or "my system won't boot and I need my data back."  If you are not in the habit of backing up your important information, now is the time to start.

For those on a budget, you can get an external drive from your local electronics store for less than $70, or find a good deal from vendors on Amazon.  There are also many online backup providers that do a good job of automating backups to the cloud.

Once the backup is complete, test the files to make sure they are usable.  On rare occasions a file that was copied to an external drive or uploaded to the cloud is corrupted or inaccessible, and you want to find that out before you wipe the original, not after.
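To turn "test the files" into something repeatable, here is an added example (my own code, not part of the original post) that walks a source folder and its backup copy, hashes every file on both sides and reports what is missing, truncated or corrupted. The folder layout it builds under a temporary directory is constructed for the demonstration; point verify_backup at your real source and backup paths.

```python
"""Verify a backup by comparing file hashes between a source tree and its copy.

Added example, not from the original post. It assumes two directory trees
(source and backup) that are supposed to contain identical files.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path) -> dict:
    """Return which files are missing from the backup, differ, match or cannot be read.

    Both trees are walked relative to their roots, so source/docs/a.txt is
    compared against backup/docs/a.txt.
    """
    report = {"missing": [], "mismatch": [], "ok": [], "unreadable": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        dst_file = backup / rel
        if not dst_file.is_file():
            report["missing"].append(rel)
            continue
        try:
            # A copy that exists but is truncated or corrupted lands here.
            if sha256_of(src_file) == sha256_of(dst_file):
                report["ok"].append(rel)
            else:
                report["mismatch"].append(rel)
        except OSError:
            report["unreadable"].append(rel)
    return report


def backup_is_good(report: dict) -> bool:
    """True only when every source file has an identical, readable copy."""
    return not (report["missing"] or report["mismatch"] or report["unreadable"])


def demo() -> dict:
    """Build a constructed source/backup pair: one good copy, one truncated copy, one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp) / "source", Path(tmp) / "backup"
        for d in (source / "docs", backup / "docs"):
            d.mkdir(parents=True)
        (source / "docs" / "good.txt").write_bytes(b"tax return 2014")
        (backup / "docs" / "good.txt").write_bytes(b"tax return 2014")
        (source / "docs" / "photo.jpg").write_bytes(b"\xff\xd8" + b"x" * 100)
        (backup / "docs" / "photo.jpg").write_bytes(b"\xff\xd8" + b"x" * 50)  # truncated copy
        (source / "docs" / "notes.txt").write_bytes(b"never copied")          # absent from backup
        return verify_backup(source, backup)


if __name__ == "__main__":
    result = demo()
    print("backup OK" if backup_is_good(result) else "backup has problems", result)
```

Run it against a real pair of folders with verify_backup(Path("C:/Users/me/Documents"), Path("E:/Backup/Documents")); the demo run reports good.txt as ok, photo.jpg as a mismatch and notes.txt as missing, which is exactly the kind of silent failure a "the copy finished" message hides.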

Upgrade or Fresh Install?

Now that backups are in place, it is time to upgrade.  The majority of users who get the Windows 10 update will start it as an in-place upgrade, while the cautious few (myself included) will completely reformat the system and do a fresh installation of the new OS.  So which one is correct?  Honestly, there is no right or wrong way to install Windows 10, but if there is one thing we can all agree on, it is that software is not perfect and glitches happen.

Before you install a new OS, be sure to have a copy of the ISO file containing the OS written to external media (a DVD or USB drive) as a backup.  An ISO file is a disc image, not an executable: once it has been burned to a DVD or written to a USB drive, the computer can boot directly from that media at startup and launch the setup process.  Because the installer runs with full control of the machine, download the ISO only from the vendor and verify its checksum against the value the vendor publishes before you write it to media.

For corporate or enterprise environments, do a fresh installation on a test machine before deploying to production.  This lets you test all of your standard programs for functionality and compatibility.  If the tests succeed, you can build an updated image to automate provisioning for new users.

There may be instances where a custom software solution you use is not compatible with the latest OS.  If you run into that issue, contact the software vendor and ask about Windows 10 support.

Install an Active Anti-Malware and AV Solution

Lastly, before you start browsing websites, install an internet security suite.  A free anti-malware (AM) or anti-virus (AV) program is better than nothing at all, but it is strongly recommended that you keep an active subscription at all times.  An active subscription ensures you have the latest protection against the ever-growing threats in cyberspace.  On the same note, schedule full scans and/or boot-time scans if your AM/AV program supports them.  A boot-time scan lets the security program examine the disk before the operating system and its normal processes have started, which is especially helpful if a rootkit or Trojan is hiding itself from a running system.  Since these scans are resource intensive, not to mention time consuming, schedule them outside of production or normal usage hours.

Freeware Software? Better Click Again!

If you weren't aware, malware is big business these days.  And when I say malware, I'm not just talking about viruses and ransomware, which seem to be all the rage; specifically, I'm referring to spyware and adware.

Lately I have been seeing a lot of machines come into the shop with advertising pop-ups, browser redirects and various forms of keyloggers running in the background.  I ask myself, how is it possible for so many machines to have the same kind of malicious software on them?

My research has shown that the majority of the malware my customers have encountered is directly related to bundled software they download unknowingly.  Bundled software, also known as deceptive software in many tech circles, is typically software downloaded alongside a free program (most of the time) or game.  It is typically denoted by a pre-checked checkbox in the lower left-hand corner of the installation prompt, in small print, so that the user is opted in automatically.


Here is an example of the opt-in checkbox commonly used when installing Java.  As you can see, there is a checkbox in the lower left-hand corner of the prompt advising the user of the option to install a third-party program and change default settings.  If the user clicks through this screen without inspecting it, they are opting in to the installation of that software.  By the end of the installation, the system has been modified.

The main issue with bundled software is that the freeware or software publisher the user intends to download from does not do a very good job of vetting what it bundles.  Instead, it relies on a third-party vendor to do the screening under their contract.  The contract typically states that the third party will ensure the software is not malicious in nature, but it also includes an indemnification or hold-harmless clause to the effect that they are not responsible if the software is harmful in any capacity.  That seems to be the extent of the vetting process.  This is unfortunate, as it does not take much time to test a software package prior to distribution.

Now don't get me wrong, not all bundled software is malicious, and there are companies like Oracle, the publisher of Java, who do a thorough inspection prior to bundling; but this is not an industry-wide practice.

If bundled software is such a problem, why do software publishers continue to use it?  Great question, and the answer is as simple as TINSTAAFL: There Is No Such Thing As A Free Lunch, and free software is no exception.

Bundled software is a great source of revenue for software publishers and vendors.  It allows them to earn revenue by letting an advertising vendor or another software publisher embed its software in the installation process.  The freeware is essentially an advertising hub.

That seems harmless for the most part.  The red flag is that in many cases the software publisher has embedded software in its product that is not fully disclosed to the end user, just a lot of ambiguity and warranty disclaimers in the End User License Agreement (EULA).  But I digress.

So what is the answer to keeping your computer free of malicious software?  The easy answer is to always deselect the bundling options, but honestly that is not always practical, as the bundled software sometimes has its uses.  Here are some tips I give my customers:

  1. Consider the Source

The best way to ensure that your computer is not affected is to avoid downloading software or bundles from sources that are less than reputable.  If you are not sure, Google the name of the vendor or product.  If the first results that come up are malware or potentially unwanted program (PUP) reports, think twice before downloading.

  2. Review Checked Entries or Use the Custom Installation

One thing I forgot to mention is that bundled software is not always installed because a user forgot to uncheck a box on the installation screen.  There are also instances where the bundled software is hidden within the installation process, and the only way to prevent it from installing is to go through the custom (or advanced) installation.  Selecting this option gives you a list of all the components and software that will be installed on your machine.  Deselect every package you do not want.

  3. Actively Scan for Malware

It is good practice to have your anti-virus and/or anti-malware solution scan for infections immediately after installing freeware or bundled software.  Catching the exposure early can prevent future headaches.  Always keep your AV and anti-malware definitions updated.

Passwords Are Still an Issue

2014. Sage's Computer Repair.  All Rights Reserved.


After reviewing the Verizon Data Breach Investigations Report, it is apparent that passwords are still a problem.  Specifically, users choose passwords that are easily guessable or, worse, never change the default passwords on networking devices.

Here are three tips for better passwords:

Password Complexity

According to an article published by CBS (http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/), the top three passwords of 2013 were "123456", "password" and "12345678."  Unbelievable!

It should be no secret that the longer a password is, the harder it is for anyone to guess (or crack).  Adding numbers, a mix of upper and lower case and a symbol (where allowed) enlarges the set of characters an attacker has to try in every position, and every extra character multiplies the number of possible passwords by that set size again.

If we take the examples used earlier and make a few tweaks, we end up with a more secure password.  Let's explore:


Password: 123456

There are a couple of things wrong with this password.  It is far too short, it runs through a sequence of digits (you should never have more than two sequential numbers, such as 1, 2, 3, in a row), and it contains no letters or special characters.  It would take a script kiddie a few seconds at most to break it: it sits at the top of every wordlist, and even brute-forcing every six-digit number means only a million guesses.

We can improve this password by amending it to: K23*l6iM

The first thing I wanted to accomplish was to make sure the password has at least 8 characters.  Length matters: the more characters you have, the harder the password is to crack (traditionally).  I also took the liberty of removing the numbers 1, 4 and 5 and replacing them with special characters and upper- and lowercase letters.  In the process, I spelled milk backwards.  Clever.

Let’s try one more example.


Password: password

This one does things right and wrong.  The good: it is 8 characters long.  The bad: it is a dictionary word.  There are programs in the wild that will crack a password by running through every word in the dictionary in a matter of seconds.  Ordinarily I would say change it up by converting it to P@$$WorD or p@$Sw*rd, but cracking tools apply exactly these substitutions (their "mangling rules") to every dictionary word, so those variants are barely better than the word itself.


The best defense if this is your password is to change it altogether.  Make the password at least 8 or 9 characters, and preferably longer.  Avoid any words or phrases you are fond of or that can be found in a dictionary.

Password Managers

Password managers are gaining steam in a world where data breaches run rampant.  A password manager generates random passwords for you, or stores your own custom passwords, in an encrypted vault.  Before settling on one, watch YouTube reviews or read reviews by others to determine whether the product is right for you.  Be sure that the master password you use to unlock the vault is long and complex, since it is your first line of defense and protects everything else.

And no more unencrypted Excel spreadsheets.  You have been warned.
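The rules applied in the two password examples above (length, no runs of sequential digits, no dictionary words even after @ and $ substitutions) and the random generation a password manager does can both be checked with a short script. This is an added example, not code from the original post; the word list, the common-password list and the leetspeak table are constructed stand-ins for the full lists a real checker or cracking tool would use.

```python
"""Check a password against the rules in the post and generate a replacement.

Added example, not from the original post. The word lists and the leetspeak
table are constructed for illustration; a real check would load a full
dictionary and a breached-password list.
"""
import secrets
import string

DICTIONARY = {"password", "milk", "welcome", "monkey", "letmein", "dragon"}
COMMON = {"123456", "password", "12345678", "qwerty", "abc123"}
# Substitutions that "P@$$WorD"-style tweaks rely on; undoing them shows the
# password is still a dictionary word, which is what cracking rules do too.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "*": "o", "!": "i"})


def has_sequential_digits(pw: str, run: int = 3) -> bool:
    """True if `run` or more consecutive ascending or descending digits appear (the post's "1,2,3" rule)."""
    asc, desc = string.digits, string.digits[::-1]
    return any(pw[i:i + run] in asc or pw[i:i + run] in desc
               for i in range(len(pw) - run + 1))


def looks_like_dictionary_word(pw: str) -> bool:
    """Compare the lowercased and the de-leeted form, minus digits/symbols on the ends, against the word list."""
    edges = string.digits + string.punctuation
    for form in (pw.lower(), pw.lower().translate(LEET)):
        if form in DICTIONARY or form.strip(edges) in DICTIONARY:
            return True
    return False


def check_password(pw: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in COMMON:
        problems.append("in the most-common-passwords list")
    if has_sequential_digits(pw):
        problems.append("contains 3 or more sequential digits")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    if looks_like_dictionary_word(pw):
        problems.append("dictionary word (even after undoing leetspeak substitutions)")
    return problems


def generate_password(length: int = 16) -> str:
    """Build a random password the way a manager does, using the OS CSPRNG, and keep drawing until it passes."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "K23*l6iM", "password", "P@$$WorD", "p@$Sw*rd", "milk2014!"):
        print(f"{pw:12} -> {check_password(pw) or 'OK'}")
    print("generated:", generate_password())
```

Of the post's examples, only K23*l6iM comes back clean; 123456 trips five rules at once, and both leetspeak spellings of "password" are reported as the dictionary word they still are. The generator uses the secrets module rather than random, because a password drawn from a predictable generator is not random to an attacker who can guess the seed.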


Change Default Passwords

When I saw the top passwords in the report mentioned earlier, I asked myself, how is it possible for so many people to be using the exact same password?  If I had to guess, I would say these were default passwords.  If you take anything from this post, it should be to CHANGE THE DEFAULT PASSWORD and increase the number of characters in your password.

It should go without saying that the first step when setting up any network device or program is to CHANGE THE DEFAULT PASSWORD.  I will let you in on a little secret: the default password is available to everyone on the Internet, including my Oma.  Leaving it unchanged is like leaving your car running while you are inside dreaming of sheep jumping fences.

Although this was not meant to be an all-encompassing guide to password use, I hope it generates ideas for securing yourself or your network.  We live in an age where data breaches and password dumps are commonplace.  There is no foolproof way to keep people out of places they shouldn't be, but together we can make it a lot harder.

5 Ways to Improve Your Internet Connection

Your internet connection can degrade for many reasons.  As we use our machines, we collect e-dust, junk files that are known to slow down computers.  Left unattended, your internet browsing can feel like molasses over time.

Here are some helpful tips to improve your internet connection.

Power Cycling Hardware

An excellent way to improve connection performance is to power cycle your network equipment.  Power cycling means unplugging the modem, router and computer from their power source, waiting 30 to 60 seconds, and plugging them back in.  Doing so re-establishes a clean connection between the network devices and clears out whatever stale state had built up in them.

Regularly shutting down your computer also helps with memory leaks, which can cause the browser to malfunction or applications to fail to open.  If your computer is on a network, restarting it at the end of the workday is ideal.  This refreshes the computer's memory while still leaving the machine up so admins can push updates to it overnight.

Cleaning Browsing Data and Cache

Another method is to clear your browsing history and stored data (cache).  This is usually done in the options or tools section of the browser.  Cache data is web content stored on the computer so it can be retrieved faster when you revisit a site you use often.  A bloated or corrupted cache slows the browser itself down, so clearing it periodically is worthwhile.

Update Operating System and Software

The health of your operating system and software plays a critical role in the performance of your computer.  An outdated operating system or application can be exploited, or develop configuration problems, that keep you from accessing the internet.  For home users, turn on automatic updates for your operating system.  For businesses, apply critical OS updates immediately after testing them rather than waiting for the next scheduled patch window.

Front Line Defenses

Hand in hand with the previous section, firewalls, anti-malware, anti-virus and IDS/IPS systems should be kept current with the latest patches, definitions and firmware.  An outdated system can give rise to configuration and intrusion issues that significantly affect your internet connection.  Scan your system regularly and monitor security logs for irregularities.

Homeland Security Ransomware


Today I had my first run-in with the infamous Homeland Security / FBI ransomware.  For those who are not aware, it is a form of malware that hijacks the computer at startup and demands the user pay a sum of money, typically $300 from what I have heard from other techs.  After selecting a profile to load, a single window pops up that appears to be a notice from the Department of Homeland Security claiming you have violated internet laws.  To further scare the user, an "English" voice blasts the speakers demanding restitution of $300.  I must admit, I was somewhat impressed by the presentation, and excited, as I had heard it was pretty difficult to cleanse from a system.  I do not take viruses or malware lightly, but boy was I disappointed, as it took little effort to remove this notice from the system.

My first action was to restart the computer and boot into Safe Mode with Command Prompt.  Safe Mode allows only the essential components to run, which hopefully gives some wiggle room to un-compromise the system.  Once at the command prompt, I launched explorer.exe to get to the desktop.  I let the system run for two minutes before proceeding and was shocked that the ransomware did not load (I know, I should be thankful).  I continued with my action plan by using the System Restore feature in Windows 7.

Now I have a theory on how this malware works.  I do not believe it activates automatically, but is triggered after a certain action has been taken by the user or after a certain amount of time has elapsed, similar to how a logic bomb works.  Knowing this, I did not go back to three days prior, when the system was working without a hitch, but instead 30 days.  I can say with a degree of certainty that this system, including its registry, was not infected last month, so it is a safer bet that starting from that point would be okay.

The restoration process took about 10 minutes, but after it completed and the computer restarted, everything appeared to be right on the outside.  As a precaution, I scanned the system with Malwarebytes and TDSSKiller and did a boot-time scan with Avast; afterwards, I found remnants of some infected files and removed them (unclear if they were related), and updated Windows.

The entire process took less than 3 hours (with multiple scans), and although I was disappointed at how easy it was to get rid of this version, I learned a very valuable lesson as a tech: don't underestimate System Restore.  Educating your friends, family and clients on keeping up-to-date restore points on their systems is invaluable.  It can solve close to 60% or more of any software troubles you may have, especially the ones that have altered the registry without the user's knowledge.

Written by Sage NC

The Dangers of Downloading Apps

Mobile apps are a great way to solve the immediate problems we deal with daily.  Need a flashlight while you look under the hood of your car?  A quick stroll through your local app market reveals a plethora of applications that instantly turn your device into a high-powered torch.  What about converting dollars into pounds?  Guess what?  With a tap of your finger, it can happen.  Even dog whistle apps exist.  Let's face it, mobile apps are a staple of our culture and society.  We get so complacent using them that we never consider the price these illustrious tools come at.

The majority of the applications we get from the various markets are free and do not require anything additional in the form of sign-ups.  That's great, right?  Well, consider TINSTAAFL: There Is No Such Thing As A Free Lunch.  What is packaged as free often comes with a price: your privacy.

Your personal information can be sold to third parties at a decent premium by app developers.  This helps offset the cost of development and, besides embedded ads, is the most widely used way for publishers to generate revenue.  Many apps you download can have access to vital and private information, including your contacts, phone number, pictures, email addresses, documents and even your camera.

I recall one day I downloaded a game from the market and within minutes received an unsolicited text message about a vacation I had recently won and apparently signed up for.  Perplexed, I uninstalled the application and reinstalled it to isolate the root cause.  To my amazement, I received the same solicitation.  As I investigated the application's permissions in Settings, I discovered that the application had access to my phone book and my phone number.  Needless to say, I had to uninstall the program to keep my friends and family from being impacted.

So what can you do to protect yourself?  First and foremost, always review the permissions you are granting an application before you install it, especially if you are downloading from an Android market.  Apple has a more stringent submission process than Google Play at the time of this writing.  Ask yourself: does it make sense for this app to access this information; am I comfortable giving it this access; how reputable is the publisher?
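Here is an added example (not from the original post) of the "does it make sense?" check done against an app's manifest, which is where the permissions the store shows you are declared. The manifest is constructed for a fictional flashlight app; the permission names are real Android identifiers, but the idea that a flashlight only needs the camera permission (for the LED on older devices), and the list of which permissions count as sensitive, are my assumptions for the demonstration.

```python
"""Flag app permissions that do not fit the app's stated purpose.

Added example, not from the original post. The manifest below is constructed;
the permission names are real Android identifiers, while the purpose
categories and what each one justifies are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element names do not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose the data the post warns about (assumed list).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone number / device identity",
    "android.permission.READ_EXTERNAL_STORAGE": "documents and pictures",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.SEND_SMS": "sending text messages",
    "android.permission.READ_SMS": "reading text messages",
    "android.permission.GET_ACCOUNTS": "email addresses / accounts",
}

# What each kind of app plausibly needs (assumption for the example).
JUSTIFIED = {
    "flashlight": {"android.permission.CAMERA"},  # LED is behind the camera API on older devices
    "currency converter": {"android.permission.INTERNET"},
    "dog whistle": set(),
}


def permissions_from_manifest(manifest_xml: str) -> list:
    """Return the permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml: str, purpose: str) -> list:
    """Return (permission, what it exposes) for sensitive permissions the app's purpose does not explain."""
    allowed = JUSTIFIED.get(purpose, set())
    return [
        (perm, SENSITIVE[perm])
        for perm in permissions_from_manifest(manifest_xml)
        if perm in SENSITIVE and perm not in allowed
    ]


# Constructed manifest: a "flashlight" that also wants the phone book and phone number.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.brightlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, what in review_permissions(SAMPLE_MANIFEST, "flashlight"):
        print(f"{perm}: a flashlight app has no business reading your {what}")
```

For the constructed flashlight manifest the review returns READ_CONTACTS and READ_PHONE_STATE, the same two permissions behind the text-message story above; CAMERA is accepted because the purpose explains it, and INTERNET is not in the sensitive list at all. The same function applied with the wrong purpose string (say "dog whistle") would also flag the camera, which is the point: the judgement is always relative to what the app claims to do.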

Next, take some time to review the comments left by others who have used the app: is there consistency in the comments; is there anything out of the ordinary that the app should not be doing; are others uninstalling the app for reasons unrelated to its purpose?  That information could keep you from being exposed.

Lastly, before downloading, make sure you have a popular, well-known antivirus application on your mobile device that can scan downloaded applications.  Many of these programs can notify you right away if an application has been flagged as malicious or problematic.  Some even give you the option to limit the permissions an application has.  This is a significant benefit.

Understanding how the app market works is a great step in protecting your privacy.