Thursday, October 25, 2012


I don’t have an article to reference for this week’s blog post because I want to talk about something that happened at work this week. It turned out to be a non-event, but the level of awareness (or lack of it) has me concerned. Here’s what happened:

I start work later than most of my department, so by the time I come in everyone is usually busy and getting things done. When I got in the other day, everyone was milling about and talking, so I knew something was up. They told me the phones were down so we couldn’t do anything. Shortly after that the network went down as well. My first thought was, “could this be the result of some kind of an attack?” When I asked this question of my co-workers, I received a range of looks from confusion to disbelief. I don’t work in the technology department, so I understand that an attack might not be the first thought people have. But what I found surprising is the fact that they wouldn’t even consider it as a possibility. Some people thought no one would be interested in attacking us; others thought an attack wouldn’t affect our internal network. I pointed out that neither of those things was necessarily true, but no one was interested in discussing it.

Like I said earlier, this turned out to be a non-event, but I’m disturbed by the fact that no one even considered the idea that we could have been attacked. I think it comes down to a training issue. Even though we aren’t a tech department, I think we would benefit from a training program that would address threats and the fact that the company could be a target. I don’t mean to sound like I’m judging my coworkers – I’m not – but I think there needs to be a higher level of security awareness. It comes down to this: if employees think a company wouldn’t be a likely target of attack, how can you expect them to follow the security rules in place?

Friday, October 19, 2012

Access Control and Training

In the chapter we read this week, the book referred to access controls. There are two sides to this: the electronic and the physical. Naturally, the electronic access controls are going to address what systems and information can be accessed by which users. While that is a topic that would sustain its own lengthy conversation, I want to focus on the physical side of access control, specifically some of the dumb reasons why people I work with think it shouldn’t apply to them. I know that sounds like a negative statement, but seriously, it’s one of my pet peeves. Physical access control has been a factor in most of my adult working life: first in the military, then in my career within the financial industry. Maybe it’s due to my time in the service that it doesn’t bother me now, but it really seems to be a hassle for some people to grasp the importance of it.

I work in a building which requires that we have badge access not only for the building itself, but to get into my specific department. The entry points and key areas within my office are monitored with security cameras, and there are additional measures that I’m not going to discuss for security reasons. All of this security is because we work with a lot of high-value and very portable assets. If someone were to run off with one of them, it could literally cost the company millions of dollars. All of these controls make sense to me, and I understand the reasoning behind the need for them, but I’ve heard people complain about them daily. Here are some examples of the complaints from just this week: “Do I really need to wear my badge everywhere?” “I should be able to have people visit me in the office if I want to – other departments allow it.” “It’s a violation of my rights for them to record me coming in and out of the office.”

First, is it really that much of a hassle to put a badge on your belt loop, or to talk to a friend over chat instead of having them come to your desk? That one, I understand, can be a little bit frustrating when you can just walk into other departments, but the no-visitor policy does reduce the risk of lost assets. And lastly, a violation of your rights? Seriously? How do you survive going into a mall? Or a gas station?

Enough of the rant. I think a lot of the issues in access control compliance come down to training. A company can deploy risk management policies all day long, but only if employees are trained in how the procedures relate to their daily work are they going to understand why it’s so important. According to DiversifiedRiskManagement.com, “probably the simplest and most cost-effective precaution one can take is to see that every employee is involved in maintaining a safe and secure work force and work area, and through employee awareness training and empowerment of the workforce to get involved in daily security at work, even the most skilled intruder can be stopped in his tracks.” I think this statement nails the solution to the problem of getting employees to follow risk management procedures.



http://www.diversifiedriskmanagement.com/articles/access-control.html

Saturday, October 13, 2012

Career Thoughts


I had a weird week. I spent some time in the hospital, and whenever I was trying to do homework someone would come into the room and ask me what I was studying. This resulted in my having the same conversation several different times with different people. I would explain that I am enrolled in a cyber security degree program. This would invariably get the reaction, “I didn’t know that was a job.” I told them it is, explained what the program was about, and said that I hope to get a job as a civilian contractor once I graduate. If I’m lucky enough to do this, it means I can apply my active-duty time towards a government retirement. Even though this has been my plan all along, I got to thinking about other possibilities for a career in cyber security. Since there’s nothing else to do in the hospital other than watch daytime TV, I did some research on the web and came across an article in which the interviewees complained about the lack of inspiration in their government jobs.

The article interviewed a couple of different individuals who work in a cyber security capacity for the government, and both called it boring and unimaginative. They talked about how regulated the environment is, and the lack of access to the computers they are actually protecting. They went on to talk about the restrictions they face when it comes to the type of security programs that can be applied. The article said that individuals working in cyber security for the government were essentially acting as gatekeepers who spent their time explaining to people what they can or cannot do and ensuring that they either do or don’t do it. There was nothing in this article that dissuades me from my original goals.

After my years of working in Air Force Intel, I’m very well aware of government bureaucracy and what kinds of restrictions they place on various points of access. For example, I remember the IT guys coming into our secured work space, and every time they did, we had to secure the classified material and bring everything down to zero before they could be escorted in. It was an Airman’s duty to watch them like hawks in case they found any kind of loose paper, or anything that could potentially be classified. If they did come across something, we were actually instructed to grab it out of their hands before they could look at it. So yeah, I think I am prepared to face restrictions over what I can or cannot access.


Saturday, October 6, 2012

Poster Thoughts

Even though it’s off-topic from previous posts I’ve made to this blog, I decided to just do a Google search for information security posters to see what comes up. And there were a lot of examples. Some of them were quite clever, and got their point across using just visuals with very little commentary.

For example, the “Take it From Red” poster raises awareness about social engineering and the different forms the threat can take. It uses figures that are immediately familiar to us, and places them into a security-conscious context.


Another poster I thought was very effective raised awareness of emails and attachments. It’s simple, grabs your attention, and gets the point across through a combination of graphics and a few words. It is something that you can read on the go and immediately understand the message.


Then there were others, like the “only the strong survive” one, which initially grabs your attention. But then I was so busy trying to figure out what cheese has to do with the message that I really didn’t pay attention to anything else in the poster. Sometimes being too clever gets in the way of your message.


Generally speaking, I’m in favor of using animals to make a point, but I didn’t understand this one at all. It asks “is your identity in safe hands?” and then says “security is everyone’s responsibility.” Good question at the top, but the following statement is a non sequitur. And where does the dog in the pink wig come in? It makes no sense to me.


Of course this is all just my opinion, because different graphics are going to stand out in different ways to different people. These are some examples of what either did or didn’t appeal to me.