<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Safelight Security Advisors</title>
	<atom:link href="http://safelightsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://safelightsecurity.com</link>
	<description>Enabling organizations to proactively manage information security risks</description>
	<lastBuildDate>Thu, 10 May 2012 20:39:40 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Safelight COO to Speak With Silicon Valley ISSA On Engaging Developers in the Process of Security</title>
		<link>http://safelightsecurity.com/news/2012/03/15/safelight-coo-to-speak-with-silicon-valley-issa-on-engaging-developers-in-the-process-of-security/</link>
		<comments>http://safelightsecurity.com/news/2012/03/15/safelight-coo-to-speak-with-silicon-valley-issa-on-engaging-developers-in-the-process-of-security/#comments</comments>
		<pubDate>Thu, 15 Mar 2012 20:58:56 +0000</pubDate>
		<dc:creator>Lisa Parcella</dc:creator>
				<category><![CDATA[Events]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1723</guid>
		<description><![CDATA[Software Security Assurance is gaining attention and momentum at some of the most security-conscious firms in the world. Development teams build the systems that hold the most sensitive corporate data, yet in many cases there is an alarming lack of security awareness. Testing and scanning have become increasingly popular methods for finding vulnerabilities, but more [...]]]></description>
			<content:encoded><![CDATA[<p>Software Security Assurance is gaining attention and momentum at some of the most security-conscious firms in the world.  Development teams build the systems that hold the most sensitive corporate data, yet in many cases there is an alarming lack of security awareness.  Testing and scanning have become increasingly popular methods for finding vulnerabilities, but more needs to be done to improve the quality of system design and code before it reaches production.  In an upcoming presentation for the Silicon Valley Chapter of Information Systems Security Association (ISSA), Safelight Security COO, Mike Maziarz, will discuss the role that development teams play in building secure systems and methods for engaging these teams in the process of security.</p>

<p>You can learn more about this event here: <a href="http://sv-issa.org/?option=com_content&#038;view=category&#038;layout=blog&#038;id=52&#038;Itemid=116" title="sv-issa.org" target="_blank">Silicon Valley ISSA</a></p>]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2012/03/15/safelight-coo-to-speak-with-silicon-valley-issa-on-engaging-developers-in-the-process-of-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safelight Challenges RSA Conference Participants to Cultivate a Security Culture Within their Organizations</title>
		<link>http://safelightsecurity.com/news/2012/02/22/safelight-challenges-rsa-conference-participants-to-cultivate-a-security-culture-within-their-organizations/</link>
		<comments>http://safelightsecurity.com/news/2012/02/22/safelight-challenges-rsa-conference-participants-to-cultivate-a-security-culture-within-their-organizations/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 19:48:50 +0000</pubDate>
		<dc:creator>Rob Cheyne, Safelight CEO</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1688</guid>
		<description><![CDATA[PROVIDENCE, R.I. (February 22, 2012) – Safelight, a leader in security education, will host a series of Security Mindset Challenges at the RSA Conference 2012, Booth # 1655, designed to highlight the people side of information risk and help organizations transform their security cultures from a singular focus on technology to one where people and [...]]]></description>
			<content:encoded><![CDATA[<p><strong>PROVIDENCE, R.I.</strong> (February 22, 2012) – <a href="http://www.safelightsecurity.com" title="Safelight" target="_blank">Safelight</a>, a leader in security education, will host a series of Security Mindset Challenges at the <a href="http://www.rsaconference.com/events/2012/usa/index.htm" title="RSA Conference 2012" target="_blank">RSA Conference 2012</a>, Booth # 1655, designed to highlight the people side of information risk and help organizations transform their security cultures from a singular focus on technology to one where people and processes are their strongest line of defense.</p> 

<p>“When people adopt a security mindset and are educated on how to protect valuable information on a daily basis, they can become your most valuable security asset,” said Safelight CEO Rob Cheyne.  “Security education programs need to address the people and process side of information risk so that organizations aren’t relying solely on technology.”</p>

<p>Safelight’s Security Mindset Challenges will focus on some of the most pressing people security issues that organizations face.  These include training the development team in secure coding practices and educating employees on how to avoid common techniques used by hackers to gain access to proprietary data and systems.</p>
<p>In the first Security Mindset Challenge – <strong>Breaking The Bank</strong> – attackers can leverage web vulnerabilities, including SQL injection and cross-site scripting, to log on as an administrator, compromising the bank’s security perimeter and gaining unfettered access to systems and applications.</p>

<p>During <strong>The Break-In</strong>, people can choose from various social engineering techniques, such as piggybacking off an employee badge to walk through a door or pretending to be an electrician who is working in the building, to gain unauthorized access to a facility or restricted areas.</p>

<p>To play the <strong>Email Defender</strong> challenge, participants will decide among “good” and “bad” emails in their Inbox and receive points for actions they take including opening good ones versus bad ones, and not clicking on links or attachments.</p>

<p>RSA Conference 2012 attendees are invited to participate in all of the challenges at Safelight’s booth, February 27-March 2, 2012, in San Francisco, Calif.  Complete any of the challenges and be entered into a drawing for a MacBook Air or Pwnie Express PwnPhone. After completing any challenge, participants will also receive tokens they can give out to other attendees.  For each of their chips that is returned to the Safelight booth, they receive an additional chance to win one of the prizes.</p>

<p>To learn specific strategies that can be used to effectively integrate security across the organization, attend Rob Cheyne’s talk at the RSA Conference 2012 on “Cultivating a Culture of Security,” Wednesday, February 29 at 12:30 p.m. in the Briefing Center.  To learn how to instill a security mindset in every employee, download Safelight’s “Security Mindset” white paper at <a href="http://www.safelightsecurity.com/rsa2012/" title="Safelight Security: RSA 2012" target="_blank">www.safelightsecurity.com/rsa2012/</a>.</p>
  
<p>Cheyne will also be presenting <em>“Cube Talk: Learn to Learn by Speed-Solving the Rubik’s Cube,”</em> at the Safelight booth, where he will demonstrate how people learn and how these lessons can be applied to teaching people security.</p>

<p>To learn more about Safelight’s on-demand and instructor-led courses for general staff, development teams and IT staff, visit the company’s Education Programs page.  Organizations can receive their custom blueprint for building an education program that matches the organization’s risk profile by accessing Safelight’s interactive Security Education Blueprint tool.</p>

<p><strong>About Safelight</strong><br />
Safelight is a leader in security education—our integration of deep security expertise and innovative approaches to interactive learning sets us apart. We help organizations build comprehensive education programs that go beyond training to measurably shift the way employees think about the value of information and their role in protecting it. We offer a full range of instructor-led and on-demand courses for development, IT and general staff; each role-specific course is part of a larger program designed to cultivate a culture of security across the organization. Learn more at www.safelightsecurity.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2012/02/22/safelight-challenges-rsa-conference-participants-to-cultivate-a-security-culture-within-their-organizations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Proactively address the insider threat</title>
		<link>http://safelightsecurity.com/news/2012/02/07/proactively-address-the-insider-threat/</link>
		<comments>http://safelightsecurity.com/news/2012/02/07/proactively-address-the-insider-threat/#comments</comments>
		<pubDate>Tue, 07 Feb 2012 20:34:12 +0000</pubDate>
		<dc:creator>Rob Cheyne, Safelight CEO</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1656</guid>
		<description><![CDATA[Last week, I wrote about insider threat and some of the risks it can pose to your organization. Today I’d like to follow up and provide some tips to help address it. There are many strategies for dealing with the insider threat, so I’ve chosen to highlight the things that organizations most often miss. Some [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, I wrote about insider threat and some of the risks it can pose to your organization.  Today I’d like to follow up and provide some tips to help address it.</p>  

<p>There are many strategies for dealing with the insider threat, so I’ve chosen to highlight the things that organizations most often miss.</p> 

<p>Some of these things may seem obvious, but I would ask you to honestly assess whether or not you are living the principles mentioned below.  As Morpheus famously said, “there is a difference between knowing the path and walking the path.”</p>

<p>So here goes.</p>

<p><strong>1) Think about insider attacks before they occur.</strong><br />
As I mentioned yesterday, many organizations have absolutely no plan in place for dealing with insider threats. Let’s be clear – if you have an incident, you will almost certainly incur a loss.  But if you plan appropriately, you can significantly mitigate that risk.</p>  

<p>Most people never even get to the planning phase.</p>


<p><strong>2) Cultivate a culture of security.</strong><br />
The medicine that I am prescribing here must be adopted at every level of the organization to be effective. If only the security staff and technologists in the company understand the things I’m mentioning here, the security problems you currently have will persist, despite your best intentions.</p>

<p>I have seen many examples where a world-class security team is stymied by a business side of the house that doesn’t fully grasp the security implications of their business decisions.</p>

<p>The worst part is, the risks are often simply overlooked or marginalized without being properly analyzed.  In many of these cases, if the true risks were known, completely different decisions would be made.</p>  

<p>To be successful here, organizations should train and equip every employee to protect information. A successful program sustainably shifts the way employees think about the value of information and their role in protecting it, and is built with a clear understanding of how employees interact with information in their everyday work.</p>


<p><strong>3) Assume nothing is 100% secure.</strong><br />
Any other assumption comes with huge risks.  Most companies have a really hard time with this because they have been led to believe that they can somehow address every problem that comes up.  It&#8217;s uncomfortable to assume things will fail, but every security expert will tell you that there is no such thing as 100% security.</p>  

<p>Embrace this one idea, and you will fundamentally make better security decisions.</p>


<p><strong>4) Build defense in depth, and assume that everything will fail.</strong><br />
This has been said a thousand times, but it bears repeating until organizations actually do it.  Every security mechanism will eventually fail, so it is key to put as many security layers in place as possible so that when one fails, there is something there to back it up.  And it’s not all about technology – sometimes the best layers are human-based processes!</p>

<p>Which leads me to my next point …</p>


<p><strong>5) Trusting in technology alone is absolutely the wrong approach.</strong><br />
Security technologies are a part of the picture, but people and process are just as important, if not more so.  It’s extremely important to know that every security technology can be bypassed in some way, no matter how good it is.</p>

<p>Many of the technologies we deploy to resolve insider threats are flawed in some way.  Data loss prevention (DLP) software is a great example of this.  DLP software helps keep honest people honest, but no matter what the vendors tell you, it will never stop the skilled, dedicated attacker.</p>

<p>Unfortunately, many organizations are deploying DLP as if it were the holy grail of security. Every technology comes with trade-offs, and the overhead of something like DLP is not worth the trade-offs for every organization.</p>


<p><strong>6) Make the assumption that your employees are also potential attackers when building all your internal systems and processes.</strong><br />
Even if you could be positive that every employee has your organization’s best interests at heart, the assumption that internal is safe leads to major architectural weaknesses.</p>

<p>The assumption that “internal is OK” leads to organizations having a hard outer shell and a soft gooey inside.  And from experience, I can tell you that there is no such thing as an impenetrable outer shell.</p>

<p>A healthy dose of paranoia is required here. If you build your systems as if your employees will attack everything, you will make better architectural decisions and you are much more likely to frustrate an attacker who does get part way in.</p>


<p>If you can honestly say that you are doing all of these things, then you are probably better off than 95% of organizations out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2012/02/07/proactively-address-the-insider-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insider threat is always worse than you think</title>
		<link>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/</link>
		<comments>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 15:44:35 +0000</pubDate>
		<dc:creator>Rob Cheyne, Safelight CEO</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1647</guid>
		<description><![CDATA[Insider attacks have recently been in the news yet again. As reported in Forbes, Gucci suffered an estimated loss of $200,000 from an insider incident in New York last year. The security threat from insiders is extremely challenging, so many organizations address it half-heartedly and focus instead on preventing external attacks. In my experience, this [...]]]></description>
			<content:encoded><![CDATA[<p>Insider attacks have recently been in the news yet again. As reported in <a href="http://www.forbes.com/sites/ciocentral/2011/11/18/the-evil-twin-learning-from-insider-security-threats/" title="Forbes" target="_blank">Forbes</a>, Gucci suffered an estimated loss of $200,000 from an insider incident in New York last year.</p>

<p>The security threat from insiders is extremely challenging, so many organizations address it half-heartedly and focus instead on preventing external attacks.  In my experience, this is usually because it is far easier to understand and deal with an external attacker than having to come to terms with the reality that every person in your organization is a potential threat.</p>

<p>Don’t get me wrong – it is important to address the external attacks.  But for most organizations, this is where it stops, <em>even if they know they have a problem.</em></p>

<p>The truth is that insiders have more access than anyone else, and any company or organization that has been around for any length of time most likely has a potential problem on their hands.  And this isn’t just theory – more than half of attacks are known to come from inside the organization.</p>

<p>Insiders know how internal systems work, how to get into them, and probably already have at least some level of access.  According to a new Ponemon Institute study <a href="http://www.darkreading.com/insider-threat/167801100/security/news/231902993/it-reports-growing-insecurity-as-endpoint-complexity-explodes.html" title="State of IT Endpoint Risk" target="_blank">State of IT Endpoint Risk</a>, concern over negligent insider risk has been consistent over the past three years with 43 percent of organizations polled seeing this as the greatest risk moving into 2012. Insiders know exactly what to do to get in and avoid detection.  Therefore, they are harder to catch and often cause far more damage than an outsider.</p>

<p>While many insider threat cases are the result of human error or inadvertent data leakage, all insider threats, whether accidental or intentional, have the potential to significantly disrupt your business operations and lead to losses.</p>

<p>Insider attacks may also lead to expensive litigation to recover missing information or require you to defend your organization against civil lawsuits for violation of privacy and loss of sensitive data. Potential insider attacks are a persistent threat and companies need to be constantly vigilant to defend against them.</p>

<p><em>Next week, I will post a list of tips for properly addressing insider threats that many organizations overlook.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sitting on a Gold Mine: The Most Underutilized Resource in Information Security</title>
		<link>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/</link>
		<comments>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 22:31:49 +0000</pubDate>
		<dc:creator>John Carmichael, Safelight Director of Product Management</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1596</guid>
		<description><![CDATA[There has been much discussion lately about technological and legislative drivers forcing companies to rethink their data protection policies.  Amid the slew of vendors attempting to solve a people problem with more software there is some voice of sanity reminding companies that these policy documents they create need to be more than an exercise in [...]]]></description>
			<content:encoded><![CDATA[<p>There has been much discussion lately about technological and legislative drivers forcing companies to rethink their data protection policies.  Amid the slew of vendors attempting to solve a people problem with more software there is some voice of sanity reminding companies that these policy documents they create need to be more than an exercise in business writing.</p>

<p>In a recent <a href="http://searchsecurity.techtarget.co.uk/news/2240039467/Gartner-Corporate-privacy-policy-requirements-demand-urgent-review" target="_blank">Gartner report on organizations revising their privacy policies</a>, analyst Carsten Casper says, &#8220;The policy needs to be more than just a piece of paper.&#8221; As a security educator, I could not agree more.  One of the biggest assets that companies often overlook in their struggle to secure their information is their staff.  Not just the security staff who toil away keeping threats at bay, but each and every member of your organization.  Consider for a moment all of the employees that make up your organization: Is there a single one who is not, on a daily basis, in a position to behave in a way which either protects or exposes sensitive information?  Each person you pass in the hallway is an all-powerful weapon in the battle to secure the sensitive and proprietary data upon which your organization is built and they so often remain untapped in this effort.</p>

<p>What sort of response would you get if you polled your employees asking who had read the organizational privacy policy?  How many of them understand what is being asked of them?  How many of them truly appreciate the gravity of the threats and their duty to guard against those threats?  Sadly we all too often see unsatisfactory answers to this line of questioning.  Each and every employee in your organization is part of your information security team. You must equip them to do their part to protect the organization.</p>

<p>Educating all users has been an ideal I have held up for a long time.  How many recent high profile breaches would have been avoided if employees understood the dangers of phishing emails or social engineering phone calls?</p>

<p>I am reminded of a security awareness course I taught at a large organization some time back.  This was a course for general staff and we covered all sorts of threats to organizations, such as social engineering.  The class was not any different than the many other times I had delivered a similar course but some months later I was back at that organization and happened upon one of the people who had taken the class.  She stopped me in the hallway to tell me about a phone call she received from a man claiming to be “Joe from Help Desk.”  It seems Joe was troubleshooting an issue and wanted the IP address of the printer in her area.  She confessed that before having taken my class she wouldn’t have thought twice about helping Joe but the discussion about social engineering gave her pause.  She immediately checked the phone display to find that the call was from an external number.  It was then that she remembered he said “Help Desk” while they referred to their support staff internally as “Support Services.”  Instead of handing over the information she began to question Joe, who suddenly no longer needed the information and hung up.  She then reported the incident to information security.</p>

<p>What has always struck me most about this conversation is not that she managed to avoid a social engineering attack and may have prevented a system breach, but the look of pride on her face as she told the story.  Though she didn’t formally work in the information security department, she knew she had done her job as a member of the information security team that day and her organization was better for it.  Your employees want to be helpful, and if properly educated they can put that energy toward helping <em>you </em>instead of “Joe from Help Desk.”</p>

<p>As your organization begins to dust off the old privacy policy for a frantic update, spend some time considering how you will socialize this policy within your organization.  What sort of communication vehicles can you use to effectively enlist the support of your employees in safeguarding your information?  In many ways these are far more important questions than determining which Data Loss Prevention (DLP) vendor to go with.</p>

<p>What successes or hurdles have you encountered when attempting to socialize security best practices within your organization?  Please join the discussion in the comments area below.</p>]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dr. Dobb&#8217;s: Safelight Sends C/C++ Coders Back to Security School</title>
		<link>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/</link>
		<comments>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 14:12:38 +0000</pubDate>
		<dc:creator>Lisa Parcella</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1581</guid>
		<description><![CDATA[Coverage of Safelight&#8217;s newest on-demand course for developers, Secure C/C++ Coding, released on June 20. Full Story]]></description>
			<content:encoded><![CDATA[<p>Coverage of Safelight&#8217;s newest on-demand course for developers, Secure C/C++ Coding, released on June 20.</p>

<p><a href="http://drdobbs.com/security/231000201" target="blank">Full Story</a></p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safelight Introduces Secure C/C++ Coding On-Demand Education for Application Developers with Free Summer Test-Drive Event</title>
		<link>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/</link>
		<comments>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 15:41:37 +0000</pubDate>
		<dc:creator>Lisa Parcella</dc:creator>
				<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1540</guid>
		<description><![CDATA[Organizations will save 25 percent when purchasing the featured on-demand courses for application development teams through August 15 PROVIDENCE, R.I. (June 20, 2011) – To bolster the security of applications coded in the C family of languages, Safelight, a leader in security education, today announced the newest addition to its on-demand courses for developers: Secure [...]]]></description>
			<content:encoded><![CDATA[<p><em>Organizations will save 25 percent when purchasing the featured on-demand courses for application development teams through August 15</em></p>

<p>PROVIDENCE, R.I. (June 20, 2011) – To bolster the security of applications coded in the C family of languages, Safelight, a leader in security education, today announced the newest addition to its on-demand courses for developers: <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a>. The highly-interactive, scenario-based course equips development teams with a deeper knowledge of application security so they can find and fix common software bugs, understand how these flaws are exploited and use coding best practices to proactively reduce software vulnerabilities.</p> 

<p>Safelight is offering organizations an opportunity to take a unit of the new course, as well as units of two of its other popular on-demand developer courses: <a href="http://safelightsecurity.com/courses_products/appsec/fundamentals/">Application Security Fundamentals</a> and <a href="http://safelightsecurity.com/courses_products/appsec/java/">Secure Java Coding</a>, for free during its <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a>beginning June 20.</p>

<p>“There’s a lot of C and C++ code out there in legacy systems and embedded applications and many C and C++ developers may not be trained in today’s secure coding practices because they learned to code at a time when application security wasn’t a focus and systems weren’t connected via the Internet,” said Safelight Chief Executive Officer Rob Cheyne.  C and C++ languages pose tough challenges when it comes to security because applications have direct access to memory and system resources.  If developers code insecurely, they can create memory or resource corruption or open an opportunity for an attacker to run system commands on a local machine.  “Learning C/C++ is a lot like learning English in that you have to be aware of all the exceptions to the rules,” continued Cheyne.  “A mistake in C/C++ typically has many more repercussions than other programming languages and there are potentially many more mistakes that can be made.” </p>

<p>Presented in five units, Safelight’s <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a> course delivers deep content and opportunities to interact with multiple code examples in ways that engage students and reinforce learning.  Developers will follow pieces of code through a secure software development process learning to uncover vulnerabilities, understand their security implications and discover secure coding best practices. Lesson units include: Introduction to Secure C/C++ Coding, Memory Corruption Bugs, Design Bugs, Privacy &#038; Secrets and Securing Code. View the <a href="http://safelightsecurity.com/wp/wp-content/uploads/2011/05/Safelight_C_OD_MAY11.pdf">Secure C/C++ Coding Course Overview </a> for more details.</p>

<p>Companies can sign up to try out Safelight’s <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a>, <a href="http://safelightsecurity.com/courses_products/appsec/fundamentals/">Application Security Fundamentals</a> and <a href="http://safelightsecurity.com/courses_products/appsec/java/">Secure Java Coding</a> courses on the company’s <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a>page.</p>  

<p>Safelight is also offering special product pricing through August 15. Organizations can save 25 percent when they purchase up to 1,000 licenses for Safelight’s Secure C/C++ Coding, Application Security Fundamentals or Secure Java Coding on-demand courses.  Organizations that register for the Test Drive by July 8 will be entered to win a paid registration to the Black Hat Briefings, August 3-4 in Las Vegas, Nevada. Register at Safelight’s <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a> education page to qualify for the offer and for more details.</p> 

<p>About Safelight 
Safelight is a leader in security education—our integration of deep security expertise and innovative approaches to interactive learning sets us apart. We help organizations build comprehensive education programs that go beyond training to measurably shift the way employees think about the value of information and their role in protecting it. We offer a full range of instructor-led and on-demand courses for development, IT and general staff; each role-specific course is part of a larger program designed to cultivate a culture of security across the organization. Learn more at www.safelightsecurity.com. 
</p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Wire Weekly: Security Awareness Training Begins with Risk Assessment</title>
		<link>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/</link>
		<comments>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 17:21:40 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1404</guid>
		<description><![CDATA[Security expert Rob Cheyne, CEO of Safelight Security Advisors, explains how organizations can get started with security training programs. Cheyne said a good first step is a risk assessment. Full Story]]></description>
			<content:encoded><![CDATA[<p>Security expert Rob Cheyne, CEO of Safelight Security Advisors, explains how organizations can get started with security training programs. Cheyne said a good first step is a risk assessment.</p>

<p><a href="http://itknowledgeexchange.techtarget.com/security-wire-weekly/security-awareness-training-begins-with-risk-assessment/" target="blank">Full Story</a></p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SearchSecurity.com: Industry groups, businesses attempt security awareness training plan</title>
		<link>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/</link>
		<comments>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 17:21:12 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1391</guid>
		<description><![CDATA[Security awareness training is a growing movement, according to experts and analysts. Failed audits, data breaches and other factors that put intellectual property and other sensitive data at risk have forced companies to try to instill security into their employees, said Rob Cheyne, founder and CEO of Providence, R.I.-based Safelight Security Advisors. Full Story]]></description>
			<content:encoded><![CDATA[<p>Security awareness training is a growing movement, according to experts and analysts. Failed audits, data breaches and other factors that put intellectual property and other sensitive data at risk have forced companies to try to instill security into their employees, said Rob Cheyne, founder and CEO of Providence, R.I.-based Safelight Security Advisors.</p>


<p><a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528613,00.html" target="_blank">Full Story</a></p>]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eSecurity Planet: Safelight Intros Security Education Blueprint</title>
		<link>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/</link>
		<comments>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 16:25:40 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1377</guid>
		<description><![CDATA[Safelight has announced the availability of its Security Education Blueprint, a tool designed to help companies develop a security education program that matches their employees’ needs. Full Story]]></description>
			<content:encoded><![CDATA[<p>Safelight has announced the availability of its Security Education Blueprint, a tool designed to help companies develop a security education program that matches their employees’ needs. </p>

<p><a href="//www.esecurityplanet.com/headlines/article.php/3924611/article.htm" target="blank">Full Story</a></p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

