Tuesday, March 28, 2017

Big Problems, Small Packages (part 1)

    We're constantly hearing about data breaches in the news.  Many are due to external attacks as happened to Yahoo! or OPM.  Many others are caused by well-meaning staff or contractors who carry with them on laptops that then get lost or stolen.

   USB flash drives, often called thumb drives because they're about the size of your thumb, first hit the market in around 2000.  They had relatively little storage space and weren't cheap, but quickly became a security issue both for the potential to carry and load malware as well as taking data out of the office.  I remember discussions about this issue back in the early 2000s and some organizations were even thinking about using hot glue guns to fill in and block the USB ports on computers!  That would have been a mess!

   Before long the prices came down, the storage space went up and the problems multiplied.  Many organizations were not ready for how quickly these drives got integrated into every day work.

   Today we're going to focus on data that is copied on to USB flash drives and taken out of the office.

   The highest capacity USB flash drives we can find today are around 1 TB, though there are plans for 2 TB drives coming on the market before long.  Drives over 512 GB or larger are still pretty expensive.  But we know that prices of the high capacity drives will drop as new larger drives come out.

   To give you an idea of that size... 1 TB is about the size of 1500 CD-ROMs or 143,000,000 Word documents!  That's a lot of data potentially leaving your organization.

   So how do you combat this at your organization?  You don't!  We're not dealing with an adversary who's efforts need to be defeated.  These are well-meaning staff trying to get work done.  Always assume positive intent.

Tuesday, March 14, 2017

A Culture of Security - The Best Infection! (repost)

   This week we're relaunching our Security Awareness campaign at work.  In honor of that, I thought we should re-sample a past post on this subject.  Enjoy!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:
Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.
   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention, nor even provide a reliable probability of, an incident or breach.