Scared straight is not a good model for Cyber Security awareness…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

I read technology blogs frequently (most of them I try to read at least once a week – there are a number I read so it ends up being about one a day). I find it interesting to see where people believe the technology market is going. Not that I expect to find the words of Nostradamus carved into a blog  I am simply watching interesting trends to see if there is one I am intrigued by.

Yesterday I talked about organizations using Cyber Scare to make sure you used security and secured things in your home. For the most part it is common sense, don’t expose yourself. But I was thinking about the concept yesterday of security while doing some research for a whitepaper.

There are two kinds of security proactive (what is done before there is a problem) and reactive (what is done after the problem exists).  The first part is comprised of systems and processes including training. The reality of training is you are trying to keep honest people honest as my father used to always say. Don’t make it easy. Train people on what to look for. Years ago there was a wonderful virus with the subject line “I love you” sent of course from someone at work where the virus hit. It launched a world wide effort to remove such risks. Following the “Melissa” or “I love you virus” was the virus that purported to contain pictures of the Russian Tennis star Anna Kournikova”. Needless to say corporate email systems were flooded with spam email and worse based on these two attacks.

In the end that is what a spam message of the nature of sharing a virus is really about. It is an attack. A probing process to find the weakness in the organizations security. Blackhats being hackers who probe for organizational weakness for later use in exploitation. Whitehats are hackers who seek the same bugs but turn them in to the company so they can be patched. Software companies talk about time to patch – as if it were a strength. The reality is time to patch is really days of complete vulnerability to that hack.

The process though can’t be about scaring people. It has to be about considering the what and how of the people involved and how they use the computer today. Security Analysts always say hackers are ahead. But we also for the most part know what the hacker is looking for. When we are talking about an individual for the most part it is identity theft that is the primary goal. Or to steal a piece of your on-line compute power to use for other things. That is as much modern vigilance as anything. Once upon a time when human beings lived in small villages and you grew your own food, you spent your time making sure wild animals and other human beings couldn’t steal your crops, you were vigilant. We don’t have to worry about that as much now, people steal from grocery stores now but we do have to protect our identity. Not by the way by using reputation services – that is still in the end wrong. If someone posts something negative about you, its part of the freedom of speech on the Internet. If it isn’t true, then let the preponderance of evidence support your case, don’t remove the negative comments.

Rather this is about being careful. Your personal information is the key to your identity. Don’t use the same password everywhere. Change your passwords and use pass phrases rather than passwords.

Be vigilant but don’t be scared.

.doc

Scott Andersen

IASA Fellow.