Security Advisor - Northfield Bank

Information Security Advisor
February 2016
[Graphic: The Three Domains of Security – Cyber, Physical, Human]
We all face threats in the Cyber, Physical and Human domains. Following compliance regulations and work policy will help us all stay more secure.
Good security comes from timely response. Report security incidents immediately!
THE RULE OF THREE
Humans are hardwired to think in triads. We best make sense of, collect and remember information using groups of three. The Rule of Three is an integral part of our jokes, speeches, music, and movies. Security experts created the following security triads to help organize the many facets of security we encounter every day.
The CIA Triad
The first information security triad is known as the CIA – Confidentiality, Integrity and Availability – the 3 pillars of information security. This triad is the foundation upon which all other security principles are built.
The Many Lives Triad
Today, most of us lead three distinct lives, and each has its own set of security concerns and challenges. In our Personal lives, we do all we can to protect our families from harm in the Physical domain. Teaching and protecting them in the Cyber domain is no different. At work, we are expected to follow certain rules, protocols and policies. But when we telecommute from home, how much of our Personal and Professional lives overlap? No matter where we are, we must stay aware of security as it affects our organization. To make matters even more complicated, any time we are not in the comfort of our home, or in the confines of an office, we are considered Mobile, meaning we can be anywhere in the world at all, connected to anyone, anywhere, touching both our Personal and Professional lives.
PERSONAL • PROFESSIONAL • MOBILE
THE DOMAINS TRIAD
Information security is about a lot more than just techno-babble, computers and mysterious networks. It’s about the three domains in which we live, work and play. The Domains Triad neatly enhances the C-I-A Triad, giving us a more complete view of security.
Cyber
The Cyber domain includes the internet, networks, the cloud, computers, phones, tablets, carriers and the software that drives it all. Just think about all of the CIA Triad connections within this domain.
Physical
The Physical domain is about protecting our physical perimeter and the physical access to our offices, network closets or data centers, and is equally as crucial to our security as the Cyber domain.
Human
In the Human domain we look for people who are out of place—anyone acting strangely, misbehaving, violating policy, or otherwise engaging in actions which may compromise security.
Advice and articles are for information purposes only and are intended as general safe practices. Please follow and adhere to applicable company policies.
THREE DOMAINS OF SOCIAL ENGINEERING
Social engineering has been and remains one of the most effective methods for attacking organizations because it doesn’t rely on technology to get past defenses. Instead, social engineering hacks the human. Even though social engineering relies on exploiting human emotions and characteristics, such as empathy, curiosity and greed, the specific techniques can fall into any of the three domains.
CYBER • PHYSICAL • HUMAN
PHISHING: By now, we are all too familiar with this common and highly effective social engineering technique. Phishing is said to be the first step in most of the APTs, or Advanced Persistent Threats, against organizations. Phishers send massive amounts of potentially harmful spam to anyone and everyone using email lists available on the underground internet. However, there are two kinds of phishing attacks which are much more prevalent: spear phishing targets specific people or job functions, and whale phishing targets management, high profile employees and senior executives.
PIGGYBACKING: You’ve heard the term “tailgating” before, which refers to when another person passes through a secure door or checkpoint without the knowledge of the person who had legitimate access. Piggybacking is very similar, except that it implies consent on the part of the person with legitimate access. For example, if you swipe your ID badge to get into a secure area, and hold the door open for that frazzled co-worker with their arms full, you’ve just allowed them to piggyback on your credentials. This can also occur in the cyber domain with user IDs and passwords. Never allow someone to piggyback on your credentials!
PRETEXTING: This common telephone technique involves a pretext, or scam scenario, in which the scammers lie about their identity and their motives in order to obtain information they want. The technique is often used by private investigators to obtain information and is commonly used by people pretending to be from your bank or credit card company. It can also be used to impersonate coworkers, admins, executives, or anyone in a place of authority. Pop culture shows us many examples of pretexting, such as in Star Wars, Ocean’s 11, Catch Me If You Can, and many others.
[Illustration caption: Not that kind of whale.]
SMISHING: SMS Phishing is exactly what it sounds like – phishing through text. If you’ve ever received a text from an unfamiliar number or person containing a URL or phone number, it could be a smishing attempt. The smishing message will use classic phishing techniques such as urgency, threats of account closure or the lure of a prize to get you to click. Do not respond to smishing messages. Delete them.
Check out this blog post about social engineering and pretexting in Star Wars: http://blog.thesecurityawarenesscompany.com/looking-for-security-in-alderaan-places/
USB STICKS: The Greeks duped their Trojan opponents by presenting an enormous “gift” only to have their soldiers jump out of the wooden horse once inside the city’s walls. The same concept is used today when an attacker leaves an infected USB stick for victims to find. Most people who find it may think, “Awesome, a free USB drive!” But when they plug it in, their computer becomes infected with a Trojan horse or other malicious software, allowing the bad guys access to all of their data. Many USB sticks (even new ones) have auto-run enabled, which can automatically infect a computer just by plugging it in. Make sure you are aware of company policies regarding bringing USB sticks and other data devices into our networks.
VISHING: Phone phishing (or “vishing”) is an automated pretexting attack using an interactive voice response (IVR) system. The victim is prompted to call a toll-free number in order to “verify” information. The rogue IVR will reject the log-ins continually, ensuring the victim enters PINs or passwords multiple times.
Protecting PII in all Three Domains
Protecting Personally Identifiable Information, or PII, is everyone’s responsibility. It involves a combination of encryption, threat detection, data-loss prevention and policy compliance – tools and actions that lie in all three domains.
RESPECT IT, PROTECT IT: Try thinking about PII like money, and respecting and protecting it as such. Consumer and client PII is not only valuable to the organization but also to the consumers themselves.
Did You Know...? PII is sometimes called SPI (Sensitive Personal Information) or NPI (Non Public Information).
DATA PRIVACY AROUND THE WORLD: Personal information is legally protected differently in different countries. For example, a key difference in how PII is defined in Australia (versus in the United States) is that a piece of information can be considered PII even if it indirectly identifies the person. The Australian Privacy Act of 1988 says, “...’personal information’ means information or an opinion…whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” To learn more about how personal data is protected around the world, take a look at the 2015 International Compendium of Data Privacy Laws PDF. To learn about the Safe Harbor agreement and what that means for US companies and EU citizens, read this explanation.
PHYSICAL LOCATIONS: Think about all the places PII might be stored. File cabinets. In your desk. On your desk. On a memory stick. On a mobile device. On hard copies in the trash. Always follow proper procedures for shredding physical documents containing PII – we wouldn’t want the wrong person getting any documents containing customer or client PII! Also, adopt the habit of maintaining a clean desk; never leave documents with PII out in plain view when away from your workstation.
Learn More: Interactive Map of Global Data Protection Laws; Global Privacy Blog by Latham & Watkins, LLP; 2015 ID Theft Report by ITRC.
SHARE WITH CARE: Much of data privacy comes down to the Human domain and the decisions we make every day as we interact with technology. Remember that what you post online can last a lifetime. Before posting anything, always think about how it might be perceived and who might see it. Take control of your digital presence by checking your privacy settings on all social networks and limiting what data your Friends can see. Also, stay aware of what is being shared, not only by you, but about you by others.
UNDERSTANDING COMPLIANCE REGULATIONS: Compliance might seem like something you don’t want to hear about, annoying and tedious and just another roadblock to getting your job done. But we need to remember that compliance standards exist to help us protect data and actually do our jobs better. Every organization, and the people who work there, needs to understand which compliance regulations they are expected to follow. If you don’t know, ask immediately!
RECOGNIZE PHISHING ATTACKS: The phishing emails themselves, carefully crafted and often highly targeted, rest in the Cyber domain, laced with malware and just waiting for an unwitting victim to click without thinking. But the awareness that keeps you from being one of those victims is squarely in the Human domain. Stay aware of current phishing trends.
WHAT IS PII? The US Department of Homeland Security defines PII as, “any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.” Click here to learn more.
5 Traits of a Security Aware Employee
Organizations rely on their trusted employees to protect and defend their networks.
Are YOU a truly security aware employee? A security aware employee…
1. Knows, understands and follows policy to the letter… in all three domains.
Policy exists for a reason: to protect company networks and data. Think about policy like the brakes on a car. The brakes are there not to make you stop but to allow you to go fast! Policies (laid out in the human domain but affecting all three) are designed to let you do your job as best you can while keeping the data and networks secure. We cannot pick and choose which policies to follow – “Oh this one about the corporate VPN sounds good… but the badge policy is so annoying…” – since they all exist to protect us, our customers and data.
2. Reports all (potential) security incidents immediately... in all three domains.
Security aware employees are sentinels (not tattletales) for any potential situation that could cause problems for the organization. This includes everything from an unknown person (Human) on the premises (Physical) without identification, to a usually locked door that is sitting wide open (Physical). A potential security incident doesn’t have to be dire – like if you actually clicked on a phishing link and now your computer is infected with ransomware (Cyber). In fact, that’s why we call them “potential” security incidents; they are not yet incidents but could be. If you think you may have seen, done or overheard something that could potentially become a problem somewhere down the line, tell someone.
3. Stays alert and aware at work, at home and on mobile devices... in all three domains.
4. Keeps up-to-date with security news and improves security posture regularly... in all three domains.
The only way to avoid security risks is to know what to look for, and the only way to know what threats we must be on the lookout for is to read the news and know what’s going on in the security world. What tactics are criminal hackers using now? What caused the most recent data breach? What kinds of malware should my software be detecting? Following infosecurity news outlets and Twitter feeds will keep you in the know and make you a more informed digital citizen.
5. Asks questions when they aren't sure about something... in all three domains.
There’s no such thing as a dumb question! Your managers and bosses won’t mind if you need to ask who you should report security incidents to or clarify policy. They would rather you ask when you don’t know than for you to stay quiet and passive. So whether it’s about badge policy, your email passwords, or if that delivery guy is really supposed to be in the server room, ask away! Asking questions shows that you are engaged and care about the security of the organization.
Have you taken the Human Firewall Pledge? http://bit.ly/1S8t4lw
We must be alert for potential security incidents in all three domains, and in all three of our lives – Personal, Professional, and Mobile. Remember that security awareness is not any one thing but a balance of many triads, working together. Read about it here: http://blog.thesecurityawarenesscompany.com/the-many-lives-triad/.
So how do you stack up?
Do you think you are truly a security aware employee?
What can you do to improve your security posture and
be more security aware in all three domains?
DOMAIN GAMES
Can you correctly classify each of these potential threats into the correct domain/domains? Careful! Some might fall into more than one. Print this out & challenge your co-workers to a face off! Fold on the dotted line to hide the answers. No peeking!
KEY: C - Cyber, P - Physical, H - Human
Threats to classify (mark C, P and/or H for each): dumpster diving, shoulder surfing, free wifi, natural disasters, cloud computing, ignoring policy, hard copies, tailgating / piggybacking, badges, id theft, messy desks, social networks, usb sticks, downloading software, phishing, talking too loud, social engineers, not following compliance, mobile apps, email, internet of things, passwords, lost devices, accidents.
ANSWERS: DUMPSTER DIVING: physical // CLOUD COMPUTING: cyber // IGNORING POLICIES: cyber, physical, human // MESSY DESKS: physical // EMAIL: cyber, human // TALKING TOO LOUD: physical, human // SHOULDER SURFING: physical, human // HARD COPIES: physical // BADGES: physical // SOCIAL NETWORKING: cyber, human // SOCIAL ENGINEERS: cyber, physical, human // INTERNET OF THINGS: cyber // FREE WIFI: cyber // TAILGATING / PIGGYBACKING: physical, human // USB STICKS: cyber, human // PHISHING: cyber, // NOT FOLLOWING COMPLIANCE: cyber, physical, human // PASSWORDS: cyber // DISASTERS: physical // DOWNLOADING SOFTWARE: cyber // ID THEFT: cyber, physical, human // MOBILE APPS: cyber // LOST DEVICES: physical // ACCIDENTS: physical, cyber, human
HEADLINE NEWS
EU General Data Protection Regulation Finalized & Expecting Approval
The text of the European Union’s new privacy legislation, the General Data Protection Regulation (GDPR), has been finalized and is awaiting approval from the European Parliament this month. It is expected to pass, and if so will become law across all 28 EU Member States in 2018.
The GDPR is a direct replacement of the EU Data Protection Directive, which was put into place in 1995 and since then hasn’t grown with the exponential advancement of technology. The GDPR will change how data is collected, stored, and transmitted into and out of the EU. It will also consider jurisdiction as something not physical or geographical, but rather digital. To learn more, click here: bit.ly/1S8CmxS
New Trojan “SlemBunk” Targets Mobile Banking Apps Across the Globe
Just as mobile banking apps were ranked among the top ten malware threats by Kaspersky Lab (http://bit.ly/1lRIvBE), a new Android banking trojan called SlemBunk was found targeting 33 financial institutions around the world.
Researchers at Fortinet and FireEye have discovered that SlemBunk is downloaded via adult websites, where users are tricked into installing a fake Flash Player app to view videos. SlemBunk immediately starts invading their device and taking over permissions, secretly collecting login credentials for banks and payment systems (though it steals other types of logins, too). This trojan is still active and has grown in its scope and sophistication. To learn more about this mobile banking malware, click here: http://bit.ly/1ZSj2q8
#infosec
CNET @CNET • Jan 12: Support for IE versions 8, 9 and 10 ends on Jan 12th. http://cnet.co/1IRi21b
Infosecurity @InfosecurityMag • Jan 7: WhatsApp Malware Attack Unleashed via Phishing. http://bit.ly/1OR82rg
SAC @SecAwareCo • Jan 7: EZCast TV streaming service allows hackers easy access to home network. http://bit.ly/1RdcSPR
TechCrunch @TechCrunch • Dec 22: Google confirmed beginning of password-free login testing. http://tcrn.ch/1PO0pyM
Infosecurity @InfosecurityMag • Dec 21: US Congress passes highly controversial Info-Sharing Act. http://bit.ly/1PTicGH
Heimdal Security @HeimdalSecurity • Dec 21: New IRS spam campaign already hitting inboxes; Trojan attachment delivers ransomware. http://bit.ly/1RdQ2HD
Symantec @Symantec • Dec 17: Adult-themed Dropbox notification spam lures users to click. http://symc.ly/1kSOLaW
BBC @BBC • Dec 16: Tech companies could face hefty fines under EU privacy laws. bbc.in/1T1wSSU
Infosecurity @InfosecurityMag • Dec 16: 80% of companies had a security incident in 2015. http://bit.ly/1QtFdRD