Creating a Culture of Cybersecurity at Work

With it being National Cyber Security Awareness Month, one of the most important things to think about is whether or not you are practicing good cybersecurity habits at work. Here’s a top ten list of ideas that can help foster a culture of cybersecurity in the workplace:

  1. Institute quality cybersecurity training. Teach employees cybersecurity policies, procedures and best practices such as managing passwords, how to recognize a breach or attack and respond accordingly, and proper web browsing procedures. If there is a breach, they should know what actions to be taken such as who to contact. Training should be provided for new employees and refresher training should be conducted at least annually for regular employees. Include self-assessment security quizzes to test their knowledge of cybersecurity threats, vulnerabilities and countermeasures.
  2. Create a dynamic cybersecurity awareness program. These could include cybersecurity posters, newsletters, email reminders, token gifts with security reminders and computer log-on displays. Messages should change at least monthly to keep the information fresh. Include fun and informative events such as cybersecurity fairs, guest speakers and brown bag lunches.
  3. Gain managerial support. The CEO, other executives and managers need to announce their support and full commitment toward cybersecurity. They should also participate in cybersecurity activities. Employees will recognize that they mean business when it comes to cybersecurity.
  4. Establish sound cybersecurity policies, procedures, controls and practices. This is a basic requirement for any organization that wants to establish a culture of cybersecurity. If these policies, procedures and controls are weak, outdated and/or impractical, employees will not see the importance of cybersecurity.
  5. Ensure cybersecurity employee performance. Due to its criticality, the need for cybersecurity should be considered for inclusion in the employee’s performance appraisal to ensure that it will be addressed.
  6. Certify employee accountability. Require employees sign “acceptable use policy” statements that address requirements for cybersecurity and outline penalties for not complying with these requirements.
  7. Relate to the employee. Employees often think that they will never be victims of a breach. Share recent cybersecurity breaches that occurred in similar environments so employees can relate to possible attacks. This information can be conveyed through email or newsletters.
  8. Tie cybersecurity to every business process. Every new and existing standard operating procedure for each business process should be reviewed for possible security breaches and appropriate adjustments be made in a timely manner.
  9. Establish a cybersecurity community of interest. Have a team of employees who are well versed and/or interested in cybersecurity share information and experiences with each other and the rest of the organization. This can be accomplished through social media if there are adequate security measures.
  10. Conduct informal security checks on employees. For example, have an outside third party perform social engineering attacks to see how many employees give up their passwords.   These will certainly grab the attention of your employees. Of course, employees should not be disciplined for these actions since the security check is meant as an educational experience.

Have anything to add? Post it in the comments and keep the conversation going!

 

pangDr. Les Pang, CISSP, is a Program Chair and Associate Vice Dean in the UMUC Graduate School.  Besides several technical classes, he teaches Cyberspace and Cybersecurity (CSEC 610), the first course in the Master of Science in Cybersecurity Degree Program.  He is a former professor at the National Defense University where he taught both information security and technology courses. He was the 2004 recipient of the Drazek Teaching Excellence Award, the 2011 United States Distance Learning (USDLA) Faculty Teaching Excellence Award – Platinum, and the 2012 University System of Maryland (USM) Board of Regents Teaching Award.

Cyber Catch Up 10/5/15

Here’s what you missed last week…

It’s bad enough to have to worry about your data getting stolen. Now officials are concerned about the next front in malicious cyber activity: efforts to deliberately manipulate data. As data theft continues, banks are now looking to retailers to bear the losses. News of the VW scandal continues, and one story indicates that “the faster we upgrade our roads and autos with better capabilities to detect and analyze what’s going on in the transportation system, the better we’ll be able to find hackers, cheaters and others looking to create havoc on the highways.”

Microsoft reported that the highly suspicious Windows update that was “delivered to customers around the world was the result of a test that wasn’t correctly implemented”– but this isn’t the first time a Windows update has been compromised. As cybercriminals move from online banking to the industrial supply chain, they find the Dyreza computer trojan a useful tool. On Thursday, T-Mobile announced that about 15 million of its U.S. customers may have been exposed in a data breach at one of its vendors. Also on Thursday, it was reported that newly discovered vulnerabilities in Android’s media file processing may lead attackers to compromise devices by tricking users into visiting maliciously crafted Web pages.

Apple’s new privacy policy was announced and has been given kudos in its design and simplicity, promising personalization without sacrificing privacy. In the meantime, privacy advocates increase efforts to beat back cybersecurity information-sharing legislation. Recently, Edward Snowden and a number of his supporters put forward a proposal to curb mass state surveillance. Could this be doomed?

With National Cyber Security Awareness Month in full swing, it’s time for millennials to step up their slacking security habits— according to a recent survey, they are least likely to protect their data, despite being the most concerned with cybersecurity. According to another survey, even though IT professionals often warn their superiors about pending IT security disasters, almost half of respondents report that executive management fails to take action.

Researchers have created an AI system to detect malware in shortened Twitter links, exposing a security flaw in Twitter’s site. Speaking of malware, are you searching for celebs in your spare time? Be careful who you search for– a study shows that celebrity searches are loaded with malware. Steer clear of getting the scoop on Kelly Brook, Nick Grimshaw, Kate Middleton, Idris Elba, Frank Lampard, Jeremy Clarkson and Tom Hardy, among others.

Screen Shot 2015-09-30 at 12.36.23 PMRebecca Foss is the Director of Social Media at the University of Maryland University College (UMUC). In her current role, she is working with stakeholders across the university to develop the overall strategic approach in using social media platforms and tools globally for UMUC. She has over 15 years of marketing and communications experience and has been involved with championing social media initiatives since the early stages of the medium’s existence in 2007. Rebecca specializes in content management, creation, and curation and serves as co-editor of the Cyber Connections blog. 

October is National Cyber Security Awareness Month

We live in a digital era and are more connected than ever before. The increased reliance on the use of Internet in our daily lives comes with increased cybersecurity risks. Today, no one is immune to the cyber risks. As a nation, we face rapidly evolving cyber threats against our cyberspace, a critical domain of our national security. As individuals, our finances, identity, and privacy can be threatened by online theft, fraud and abuse.

Recognizing the importance of cybersecurity to our nation, President Obama designated October as National Cyber Security Awareness Month. The purpose of National Cyber Security Awareness Month is to enhance cybsercurity awareness among organizations and individuals of all ages and segments of the community.

UMUC has joined with the Department of Homeland Security in the promotion of Stop.Think.Connect, a national public awareness effort aimed at enhancing cybersecurtiy awareness and empowering Americans to be safer and more secure online. As part of the Stop.Think.Connect Campaign, UMUC offers a variety of cybersecurity awareness and educational activities during the month of October to its community – students, alumni, faculty, staff and beyond. We encourage you to actively participate in these activities as cybersecurity is a shared responsibility and we each have a role to play in promoting and protecting the cyberspace.

Thank you for all your efforts in promoting cybersecurity awareness during October and beyond. Together we can meet the cybersecurity challenges of today and tomorrow.

Dr. Amjad Ali serves as associate vice president and cybersecurity advisor to the president of University of Maryland University College (UMUC). In addition, he is professor of cybersecurity at the Graduate School. He made significant contributions to the development and launch of UMUC’s cybersecurity programs and initiatives, and has served as director of the UMUC’s Center for Security Studies of the Cybersecurity. Before joining UMUC, Amjad worked as manager of Continuing Education at the American Council of Engineering Companies in Washington, DC.  He has also served as the Dean of Keller Graduate School of Management-New York Region. Amjad has presented at major conferences and seminars on cutting-edge topics in cybersecurity, and he has a strong portfolio of scholarly publications. He holds a doctorate in Engineering Management from the George Washington University. He is UMUC’s staff to the Maryland Cybersecurity Council and serves on the advisory board of the Center for Strategic Cyberspace & Security Science and AFCEA International Cyber Committee.

 

Cyber Catch Up

Here’s a recap of what you missed last week in cyber.

The charge that Beijing was behind the theft of the personal data of more than 20 million federal workers could become a primary topic for an important visit from China’s President Xi with hacking to shadow the China summit. At the start of President Xi’s visit, he sought to reassure American companies that his government was committed to protecting the interests of foreign companies and fighting cybercrime. But was it all double talk? Speaking of stolen personal data, it is reported that OPM underestimated the number of fingerprints stolen by approximately 4 million. The government now estimates this number to be 5.6 million.

Big news this week was Apple’s confirmation of the the discovery of malicious code in some App Store products. The Washington Post reported that the Obama administration has been exploring ways to bypass smartphone encryption to allow access to law enforcement. Also this week, a campaign was launched by a group of privacy advocates including former NSA whistleblower Edward Snowden for a new global treaty against government mass surveillance. Business advisory firm Grant Thornton International, released a report that indicates that global cybercrime has cost $315 billion over the past 12 months.

In policy news, cyber crime laws are showing their age and some are badly outdated, including the Computer Fraud and Abuse Act (CFAA) of 1986. Senator Ron Wyden of Oregon announced this week that the Section 603 provision on terrorist activity was removed from the 2016 Intelligence Authorization Act. Finally, a federal judge ruled this week that forcing suspects to give up their cell phone passwords is a violation of the constitutional right against self-incrimination.

Screen Shot 2015-09-30 at 12.36.23 PMRebecca Foss is the Director of Social Media at the University of Maryland University College (UMUC). In her current role, she is working with stakeholders across the university to develop the overall strategic approach in using social media platforms and tools globally for UMUC. She has over 15 years of marketing and communications experience and has been involved with championing social media initiatives since the early stages of the medium’s existence in 2007. Rebecca specializes in content management, creation, and curation and serves as co-editor of the Cyber Connections blog. 

Student View: The App store has been attacked. Should you worry ?

Palo Alto Networks, a security firm based in Santa Clara, California, announced on Sunday September 21, 2015 that Apple’s App Store has been compromised and more than 80 malicious apps have been inserted to the store by hackers. This is a big deal since according to multiple sources, only 5 malicious apps have been found in the store since its first launch in July of 2008.  As of today, this major security breach affects the Chinese version of the App Store. Cybersecurity experts agree that this is a game changer for the trusted App Store.

What is the App Store ?

The App Store is the one-stop-shop for applications (apps) use on iPhone, iPad and iPod Touch. The store allows users to buy or download apps. It is in the same place where iOS devices receive updates. It is worth noting that the users may chose to apply these updates or ignore them.

How do apps get into App Store ?

iOS, the operating system that runs iPhone, iPad and iPod Touch does have some native applications (apps) such as Maps, Calendar, iBook and the App Store itself. Additional apps enhance the usability of the these devices for users. This is where app developers come into play. According to Palo Alto and Apple, some developers in China downloaded a fake version of Xcode, called XcodeGhost. Xcode is the apps development platform distributed by Apple.

Xcode helps developers in the process of building new apps and allows the developers to submit their app to Apple for the review process. If the app is approved, it is published in the App Store and available to iOS device owners. For the record, there is nothing worse for an application than the code being compromised. XcodeGhost injects malicious code in Apps developed from the rogue platform.

How developers downloaded XcodeGhost instead of Xcode is unclear, but there are several scenarios that may have happened:

  1. Search engine poisoning: This attack takes advantage of the fact that a group of people may be searching for the same thing, in this case developers. The attackers may setup a rogue website that indicates that clicking on the link will allow the developer to download Xcode, but the link actually takes the developer to the Xcode Ghost download.
  2. Rogue ftp website: In the developers community, downloading Xcode takes a great deal of time. The developers may chose to go with an easy to download alternative site and get tricked into downloading XcodeGhost.
  3. Spear Phishing Attack: The attackers may target a specific list of known developers and provide information about Apple products and regularly update these developers through email until they receive the fake link.

What now?

The affected apps are able to collect a great deal of information including phone location, device name, network type, and more. Apple has managed to remove the known apps from the App Store. You should always keep all your apps updated to avoid attackers exploiting known vulnerabilities. If you worry about this particular attack, you can always check out the list of the affected apps.

FullSizeRender (1)Tapoko Honore is a world class IT Support Analyst for UMUC where he started as student worker. Tapoko studied computer science for 3 years in Cameroon before arriving in the United States in 2008.  He is currently ITIL  V3, Security +, SSCP and HDI certified. He received B.S. in Computer Information Technology at UMUC in 2014 and is a current UMUC student studying to complete his M.S. in Cybersecurity. He decided to continue his education because it was a logical evolution in his career and he also aspires to teach Information Systems and Cybersecurity.