Podcastblaster Podcast Directory
Podcast title The Streetwise Security Zone Podcast
Website URL http://www.streetwise-security...
Description A series of audio sessions to help you get the most out of the Streetwise Security Zone
Updated Thu, 15 Apr 2010 12:03:57 GMT
Category: Business, Technology, Education

Episodes

1. http://feedproxy.google.com/~r... download (audio/mpeg, 12.32Mb)

Description:

The Streetwise Security Zone Podcast Episode 11 – April 5, 2010


This Episode's Topics:

1 – Recent developments in the Streetwise Security Zone Podcast and Townhall
2 – Article in CSO Online Magazine by Joan Goodchild on “10 reasons to quit Facebook”
3 – Case study of a financial institution breach that started with a compromised Facebook account
4 – A business strategy for using social media more securely (my views)
5 – PDF reader vulnerabilities are a big risk
6 – The arguments for and against reliance on standards compliance
7 – Social engineering threats from stolen accounts in Email and Facebook



1 ) Recent developments in the Streetwise Security Zone Podcast and Townhall

Due to technical difficulties, my plan to do a separate weekly live Townhall session that has recorded video for future viewing is not working out as well as I’d planned. So, for now, I’m going to combine the audio podcast recording with the live Townhall sessions that I try to do on Monday afternoons at 4pm Eastern. So, the video will not be recorded, but the audio will. This way, I can incorporate any comments or questions from the chat room as they come up, and it will all be available in audio form eventually in the podcasts. I don’t always get to publish the audio podcast right away and I have a number of episodes nearly completed that will be put up in the next few days. As always, comments are appreciated.

2) "10 Security Reasons to Quit Facebook" - The article by Joan Goodchild of CSO Online Magazine that included comments from Tom Eston and myself on the security reasons why baby-boomers are starting to quit Facebook, and one reason they may be staying. Here’s a link to the article:

http://www.csoonline.com/article/584813/10_Security_Reasons_to_Quit_Facebook_And_One_Reason_to_Stay_On_

3) Case study of a financial institution breach that started with a compromised Facebook account

It’s a very interesting story with some challenging implications for corporate security managers. Here’s a link to my post in the Social Media Security blog:

http://socialmediasecurity.com/2010/03/23/we-use-layered-safeguards-but-so-do-attacker/


4) A business strategy for using social media more securely

This is a little rant I did on how we need to use the concept of Zoning for corporate IT security a little more explicitly for social media usage by employees. It has a lot to do with recognizing that it may not be wise to allow everyone in the organization carte blanche and free rein in using the public social media tools like Facebook and Twitter in ways that can impact the organization – whether it’s posting or reading of articles or content. People in different roles should have different policy constraints and, depending on what computers they are using, might have different technical constraints on being able to reach these sites. But there is also an opportunity to use other types of Web 2.0 solutions to achieve the business’s goals and allow younger employees to have the experience of using social media, but in more focused and controlled environments.

I encourage business managers to contact me about how I might be able to help with safely developing this type of progressive strategy in their organization.

5) PDF reader vulnerabilities are a big risk

PDF files have been a security problem for quite a while now. Adobe Reader (and other PDF readers such as Foxit) are very powerful, but were not really built with safeguards to protect the user’s computing environment. As a result, attackers can often craft “malformed” or “malicious” PDFs that make the reader do things that put the user’s system at risk. Most recently, it has been demonstrated that a PDF can use the format’s launch-action feature to make Adobe Reader start an external program, which an attacker can use to load malware onto a user’s machine. The reader does show a warning dialog first, but a crafted file can make part of that warning say whatever the attacker wants, so users can be talked into clicking through it.

Here is a link to Steve Gibson’s Security Now Episode 243, which covers these risks in more detail:

http://www.grc.com/sn/sn-243.htm

And there are a couple of quick tips for Adobe Reader users that will probably reduce your risks when using this software:

1)    In the Adobe Reader preferences (Edit / Preferences on Windows versions; or Adobe Reader / Preferences on Apple Macs), click on the “JavaScript” sidebar link, and uncheck the “Enable Acrobat JavaScript” checkbox. JavaScript has very few legitimate uses in Adobe Reader, but many security risks are related to this option.
2)    Also in the preferences window, click on the “Trust Manager” link in the sidebar, and uncheck “Allow opening of non-PDF file attachments with external applications.” This is the launch-action risk described in the Security Now episode linked above.

Also allow automatic updates for Adobe products. They often contain critical security fixes that should be applied as quickly as possible.
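A file-level check for the same two risks, as an added example that is not from the podcast or from Adobe: the script below scans a PDF for the names that carry script (/JavaScript, /JS), the launch action that the Trust Manager setting disables (/Launch), and the hooks that fire actions without a click (/OpenAction, /AA). It decodes the #xx hex escapes that are used to hide those names and inflates FlateDecode streams so that names tucked inside object streams are seen as well. The sample PDF is constructed inline for the demonstration and is not a real malicious file.

```python
import re
import zlib

# Names whose presence in a PDF merits a second look. /JavaScript and /JS carry
# script, /Launch asks the reader to run an external program (the Trust Manager
# setting above), /OpenAction and /AA fire actions without a click, and the last
# two ship payloads inside the file.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
                    b"/EmbeddedFile", b"/RichMedia")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """PDF allows #xx escapes inside names, so /Laun#63h is /Launch. Decode them
    before matching or a trivially obfuscated file scans clean."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the plaintext of every stream that inflates as zlib. Object streams
    (/ObjStm) hide whole dictionaries this way; other streams are skipped."""
    out = []
    for m in _STREAM.finditer(data):
        d = zlib.decompressobj()
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:  # not FlateDecode (image data, plain text, etc.)
            continue
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and inside inflated streams."""
    visible = unescape_names(data)
    hidden = unescape_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Letter boundary so /JS does not also count longer names starting /JS.
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z])")
        n = len(pat.findall(visible)) + len(pat.findall(hidden))
        if n:
            counts[name.decode()] = n
    return counts


def verdict(counts: dict) -> str:
    if any(k in counts for k in ("/JavaScript", "/JS", "/Launch")):
        return "suspicious: active content (script or launch action)"
    if counts:
        return "review: automatic actions or embedded files present"
    return "no active content found"


def build_sample() -> bytes:
    """Constructed for this demonstration, not a real-world file: a minimal PDF
    whose catalog opens a launch action (name hex-obfuscated) and which carries
    JavaScript inside a Flate-compressed object stream."""
    objstm = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /Action /S /Laun#63h /F (cmd.exe) >> endobj\n",
        b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\n" % len(objstm),
        b"stream\n", objstm, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    found = scan_pdf(build_sample())
    print(found)           # {'/JavaScript': 1, '/JS': 1, '/Launch': 1, '/OpenAction': 1}
    print(verdict(found))  # suspicious: active content (script or launch action)
```

Run it over a real file with scan_pdf(open(path, "rb").read()). A hit is a reason to open the file in a sandbox or not at all, not proof of malice; forms and some legitimate documents do use JavaScript, which is exactly why the preference above is safer off by default.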


6) Arguments for and against reliance on standards compliance

The bottom line is that standards compliance is usually a good place to start if you expect that security is weak. It can strengthen a lot of areas without having to do much analysis. The downside of relying on compliance only (as opposed to doing full risk assessments for networks and systems) is that it is possible to be fully compliant with any standard and still have serious security vulnerabilities. So I recommend a mix of both standards and risk-based approaches.

This is inspired by the Threatpost.com article by Dennis Fisher listed here:

http://threatpost.com/en_us/blogs/security-programs-focusing-too-much-compliance-study-finds-040510

7) Social engineering threats from stolen accounts in Email and Facebook

It’s becoming more common now that a compromised Email or Facebook account will result in an attempt at scamming friends or contacts. Attackers will scan contacts to see who might be susceptible to an urgent request for assistance in the form of wired money (e.g. “Help, I’ve been robbed in Europe and need money for a hotel and airfare.”) It’s very easy to scan emails and contact lists to put together a credible scenario that can pay off very well before anyone notices.

So, don’t ever take significant action based on information from one Internet source like an email or Facebook message. Always try to verify through some other means before sending money.

Have you thought lately about how you or your team will get the job done securely? Do you really need to expose your sensitive assets to 400 million strangers on a public social media site? Contact me if you'd like to discuss how you can use modern information sharing technologies without exposing ALL your data and systems to unnecessary risks.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

2. http://feedproxy.google.com/~r... download (, 0.00Mb)

Description:

You may have noticed that the Streetwise Security Zone Podcast has been dormant for a few months. While I'd love to do one every week, there are only so many things I can get done at a time without the help of others.

At the beginning of January, 2010, I launched the weekly Streetwise Security Edge Townhall sessions (click HERE), which are a weekly live video news program that has a live text chat room. In these events, I cover security news items from the previous week, and am working on trying to implement a co-hosted program that others can watch and/or listen to live, and provide text chat questions or comments. I'm also recording these video sessions, and will try to post links to them in this website.

It's been a bit of a struggle to get this program set up the way I envisioned it. So I haven't been doing the normal Streetwise Security Zone podcasts. When I get more members in this community who are regular contributors, I plan to start offering free Business memberships to them in return for taking responsibility for some of these collaborative features.

So, for now, the Streetwise Security Edge Townhall sessions are taking the place of the Streetwise Security Zone podcast. If you prefer one format over the other, please let me know.

Thanks

Scott


3. http://feedproxy.google.com/~r... download (audio/mpeg, 9.65Mb)

Description:

The Streetwise Security Zone Podcast Episode 10 - December 1, 2009


This Episode's Topics:

1 - iPhone risks

2 - Christmas online shopping scams

3 - A Case Study on the liability risk of running an open Wi-Fi hotspot

4 - Social media security risks from Google and Foursquare

5 - Conducting security reviews and internal audits sooner, rather than later

6 - A new downloadable instructor pack for teaching security awareness to your staff or clients

Introduction

It’s time for another episode of the Streetwise Security Zone Podcast. I’m your host, Scott Wright. I’m a professional information security consultant in Ottawa, Canada, and this podcast is part of the Streetwise Security Zone experience, intended for Small Business and IT Managers who don’t have a lot of security resources at their disposal. The Streetwise Security Zone is a place where you can come and browse articles and participate in discussion forums. Now, I’m just one guy with a consulting business, and don’t have as much time as I’d like to spend on creating content and discussion threads. But, I’d love for you to join and make the community part of your daily routine. The more people contribute, the more value everybody gets out of it.

I know that sometimes people don’t like to talk about security because it exposes a bit too much about themselves and their vulnerabilities. That’s always been a problem in this industry. But when you join the Streetwise Security Zone, you can make up an anonymous nickname, and select an option to hide your real name and email address. So, you can discuss sensitive topics anonymously.

We currently have, as of December 1, 2009, 135 members in The Streetwise Security Zone. There’s lots of free content that I’ve created already, like the Non-Trivial Streetwise Security Edutainment Quiz, which is a Powerpoint presentation you can download and it runs like a pre-movie quiz. So, you can use it before presentations to get the audience engaged. You don’t have to sign up for anything to download the quiz, but I’d like you to consider joining, or just signing up for the weekly security tips newsletter.

News

In news, we’re starting to see a few new security problems with iPhones. Most of them involve what are called jailbroken phones, where people essentially hack their own iPhone to make it work on networks other than the ones it’s supposed to, or to enable features the iPhone wasn’t configured for. Jailbreaking opens a communication channel into the phone’s internals by installing a small server (typically an SSH server) inside the phone that accepts commands to change its internal configuration. The problem is that this server is often left running with a well-known default root password that the owner never changed, which lets anyone on the same network log in and do things like steal the address book or even hijack the entire phone.

So, if you have an iPhone, and you decide to jailbreak it, or hire somebody to do it, you should realize that you are bypassing the phone’s supported security features.

Seeing as we are getting close to Christmas, it’s a good time to remind people that they should be extra cautious about emails they receive that look like they are from online merchants or shipping companies they may have used for Christmas shopping. These can be very convincing phishing scams. Because so many people use major merchants and shipping companies, when scammers send out a message from BestBuy Customer Service or UPS, it catches a lot of people. The result is stolen credit card numbers or passwords, or even an infected PC. Don’t forget that you can’t rely on antivirus programs to protect you 100% from many of today’s new threats. So, if you can, verify information in these messages before you act on them.

Case Study - Open Wi-Fi Hotspot Liabilities

http://community.zdnet.co.uk/blog/0,1000000567,10014530o-2000331761b,00.htm?s_cid=260

People are starting to get fined for having an Open Wi-Fi hotspot. Many businesses find it helpful in attracting patrons by operating an open Wi-Fi or wireless networking hotspot, which means that anyone with a laptop computer can come in and use the establishment’s Internet connection. In the UK, a pub was fined 8,000 pounds for allowing patrons to download illegal copies of content like movies and songs from file-sharing networks.

It’s not clear that this will be a problem for businesses in other countries, but it is something to think about. When you give others access to the Internet – even by having an open wireless router running at home – you could be enabling a number of risks, including one of liability for the actions of others taken using your connection. If they do something illegal, the authorities may come looking for the internet account used to commit the crime. When they isolate it to your connection, they may not know or believe that it was actually a neighbor or visitor who was the culprit. So, you do have to be cautious about operating a Wi-Fi hotspot.

What you should do, if you can, is set up encryption on the device that prevents people from being able to use it without getting permission – and the key or passcode needed to access it. Of course, if the key never changes, then customers can start to realize that, and may start to take advantage of it.

Some businesses, like hotels, change their Wi-Fi key every day, so they know people have to come to them for a new key. They may even hire a third party service to manage the connection and deal with these types of risks. While this doesn’t always prevent patrons from abusing the service, it can discourage them, and it shows some due diligence if the law does come to you during an investigation. Keep in mind that a shared key, even one that changes daily, still does not tell you which patron did what; if you need that, keep the router’s DHCP and connection logs alongside the key schedule, so that a date and time can be tied to a device rather than just to your account.

Social Media Security Podcast Notes

In the November 21st Social Media Security Podcast with myself and Tom Eston, minus the regular Kevin Johnson, we discussed a lot of Google-related risks. Because Google really is one of the biggest social media services, they get a lot of coverage. In fact, there is now a podcast called This Week in Google on the TWIT podcast network at TWIT.tv. They talk about a lot more than just Google, though, for the same reason we do. Social media and Google are really part of a bigger topic called Cloud computing – which, in my view, really refers to a loose collection of services that offer to store information, or perform helpful services online. Of course, there are many privacy and security issues when you start to put your information into these systems and trust their owners to take care of it.

Google Reader - Koobface Risks

So, in the Social Media Security podcast, we talked about a new variant of the Koobface worm that is being used to infect people through Google Reader. Google Reader is a news reader that you can use to organize and view feeds from many websites at one time. So, if you get an invitation to view a news feed that somebody else has shared through Google Reader, you might be seeing a phishing attack that tries to get you to accept a Flash video driver upgrade, or it might tell you that you are infected with a virus. As with any phishing or drive-by download attack, you have to be careful not to act on things that pop up without thinking about the risks. Is it YOUR antivirus program that’s giving you the message, or a fictitious one? Is it really Flash that is telling you you need a Flash video driver upgrade, or is it a fake? So, be careful with popups.

Google Dashboard Risks

We also talked about Google Dashboard. This is actually a cool facility you can find at www.google.com/dashboard. It shows you all the Google services that you use within your Google account – if you have one. Most people do at this point. The scary thing to realize is that, if your Google password is stolen, the attacker will use Google Dashboard to see what services it gives them access to. It can be dozens of places you may not have thought of.

It’s a good reason to use a strong password so it can’t be guessed. But it’s also a good reason to change your Google password often. If you notice strange changes in your Google account, it could be that your password has been stolen and the thief has made some changes to monitor your activity in the account – maybe to collect passwords for other accounts on the Web, or just sensitive information you may keep in your Google account. Isn’t the Cloud wonderful?

FourSquare.com Risks

There is a new game/service online called Foursquare.com. To me, it looks like an elaborate loyalty program. People compete to be the most frequent patron of real businesses in your community, and every time they go there, they “check in”, which gives them more points. At the same time, it allows their friends to see where they are, where they shop and how close by they are, in case they want to meet up.

Like many new web-based business models, it’s a bit hard to understand the attraction, but it is becoming really popular. But keep this in mind. While not everyone can see you, normally, if you choose to connect your Foursquare.com account to something like Twitter, your whereabouts can become pretty widely known. This can be a problem if thieves are targeting your house, or if you have a stalker who wants to find you in a physical location outside your home. I refer to things that happen in the real world as being in “meatspace” as opposed to “Cyberspace”. So, cyber-stalkers can become meatspace stalkers.

Featured "Security Views" Blog Post

I recently posted a blog article about doing security reviews and audits sooner, rather than later. Here’s the text of the article…

Putting off a security review or internal audit because you might find a problem? 

New Downloadable Streetwise Security Awareness Training - Instructor Pack

I just wanted to let people know that I have put a new item into the Streetwise Security Marketplace – my online store. It’s a full-size Powerpoint slide deck for delivering a general security awareness course. It comes in a compressed archive that contains a set of handout workbook questions you can have students fill in as they go along, or during work breaks. The course usually takes about 2 or 3 hours to deliver, and incorporates some of the concepts of the Streetwise Security Awareness Program, including the Basic Information Security Awareness Guidelines that I use, and a short description of the 5 step Workflow-based Risk Awareness Process, which can be run as an extended workshop.

This training package is what I call an Instructor Pack, and is intended for IT Managers who want to get their staff educated. If you can do the presentation, the slide content is all there. Or, you can hire or designate a trainer or presenter who is comfortable with the content. The benefit is that you don’t have to spend the 40 hours that I put into creating a professional set of slides that cover all the latest types of risks people need to be aware of, and how to get them thinking more carefully about what they do on line.

If you are a professional trainer or consultant, you will find the slide deck useful as another tool in your bag of tricks. I’m allowing this slide deck and associated workbooks to be used by consultants for up to 5 training sessions per year. If you have more than that, please contact me to arrange for a more fair compensation.

The whole package costs only $99 US, and you can pay via PayPal or credit card, and download it right away. As with all the information products in The Streetwise Security Marketplace, you get a 30 day money-back guarantee. You can also earn affiliate commissions by referring others to buy the product online. So, go to http://www.streetwise-security-zone.com/marketplace.html and you will find it there, along with other information products related to security awareness.

Conclusion

So, that’s it for this episode of the Streetwise Security Zone Podcast.

If you are interested in getting into podcasting in general, I want to let you know about a new community, created by Bo Bennett, founder of the iGroops hosting service that hosts The Streetwise Security Zone community. Bo’s new community is called www.SoYouThinkYouCanPodcast.com and it looks great. I just joined and am starting to contribute what I know and think about podcasting. So, check it out.

How You Can Help

If you enjoyed this podcast, please subscribe via iTunes, and I’d appreciate it if you could go there right now and enter a review comment and rating. The ratings on iTunes really do help people to find us.

In addition, if I could ask for one last favor in return for providing all the content on my blogs and in this podcast – please use the DONATE button on the bottom left of the Streetwise Security Zone homepage. Once the community is supporting itself from membership fees and sales of downloads and programs, I plan to remove the DONATE button. But for now, every donation is greatly appreciated and allows me to continue to maintain and upgrade the content on the site and in this podcast.

If you have comments or questions about this podcast, or would like to send me your favorite security tip that I can put into future podcasts, please contact me at:

scott@streetwise-security-zone.com or call me at 1-613-693-0997 and leave a message.

I’m Scott Wright, and until next time, stay streetwise!




4. http://feedproxy.google.com/~r... download (audio/mpeg, 24.23Mb)

Description:

The Streetwise Security Zone Episode 9 - November 12, 2009

This Episode's Topics -

1 - Moving from isolated software products to offering them as a service (Software as a Service - or SaaS)
2 - Basic considerations for securing services, assurance for customers
3 - Separating data between clients who could be competing with each other
4 - User login security considerations
5 - Who administers users, and who administers the system?
6 - The big picture - communicating new kinds of risks to senior management

SHOW NOTES

This special episode is dedicated to the single topic of securing Software as a Service, from a Product Manager's point of view. If you are responsible for developing and marketing software products for business use; OR if you are using or looking for an outsourced solution of any kind for your business, this podcast episode is for you.

Peter Hanschke is an experienced Product Manager who has been responsible for transitioning what was considered On-Site Enterprise software solutions into the modern realm of outsourcing. It often makes sense to do this - in fact Gartner is telling us it's inevitable for almost every kind of Enterprise software solution. You have to have a SaaS play.

But, as Peter points out, this is much easier said than done - especially when it comes to all the security considerations for launching a web-based product offering. It's a whole new world.

Product managers will get a new perspective, and hopefully some ideas for strategies, while customers can learn about what questions to ask if you are looking to procure a SaaS solution for your business.

In this episode of the podcast, Peter tells us what the challenges are that Product Managers face, and I offer advice on how to deal with them from a security professional's viewpoint.

Please listen in as Peter and I spend close to an hour discussing the following issues in more detail...

1 - Moving from isolated software products to offering them as a service (Software as a Service - or SaaS)

There is a whole new set of problems for Product Managers once you decide to run the software as an operational system and offer it as an outsourced solution to your customers.


2 - Basic considerations for securing services, assurance for customers

Securing an operational service requires a great deal of planning for what we call "hardening the environment" - to make sure the bad guys can't break in. They will try, eventually. Customers have to be confident that you can keep their data secure.


3 - Separating data between clients who could be competing with each other

How much you have to spend on maintaining logical and physical separation of clients' data depends on its sensitivity and on the cost-benefit trade-offs. Customers should be asking things like, "How do I know my data won't be visible to my competitors?"


4 - User login security considerations

Again, the sensitivity of data and cost-benefits can be used to determine how strong the user login - or authentication - methods must be for a service.


5 - Who administers users, and who administers the system?

User provisioning is often best delegated to the customers, so they can manage the people, and their accounts directly. But system administration must be separated so you can maintain Service Level Agreement (SLA) terms.


6 - The big picture - communicating new kinds of risks to senior management

In the end, your service is supposed to be profitable - that's what senior management expects. So, you have to set their expectations on the risks, and the costs to address them - preferably before you commit to service launch dates and budgets. It may help to treat security the same way you treat quality. Obviously, management wants to be proud of the quality solution they are offering. Security flaws are really quality flaws, and they will become very visible, very quickly,  if they are significant.
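Points 3 and 5 above are where multi-tenant SaaS products most often fail in practice, so here is an added example (not from the podcast, Peter, or any product discussed) of what logical separation and separated administration look like in code. Two competing customers, "acme" and "globex", share one database; the weak lookup reads any record by id, the corrected one binds every query to the caller's tenant, and user provisioning is restricted to the customer's own admin while the platform operator has no such right. The data, the role names and the Session type are all constructed for the demonstration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional


class TenantError(PermissionError):
    """A request tried to cross a tenant boundary or exceed its role."""


@dataclass(frozen=True)
class Session:
    """The authenticated caller. tenant_id comes from login, never from the
    request body; a platform operator belongs to no tenant at all."""
    tenant_id: Optional[str]
    role: str  # "tenant_admin", "user" or "platform_operator"


def setup_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration: two competing customers
    sharing one database (logical, not physical, separation)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                            email TEXT NOT NULL UNIQUE, role TEXT NOT NULL);
        CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                                title TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users (tenant_id, email, role) VALUES (?, ?, ?)", [
        ("acme", "alice@acme.example", "tenant_admin"),
        ("acme", "bob@acme.example", "user"),
        ("globex", "carol@globex.example", "tenant_admin"),
    ])
    db.executemany("INSERT INTO documents (tenant_id, title) VALUES (?, ?)", [
        ("acme", "Acme Q4 price list"),
        ("globex", "Globex bid for the same contract"),
    ])
    return db


def get_document_unscoped(db, doc_id: int) -> dict:
    """The weak pattern: look a record up by id alone. Any logged-in user of
    any tenant who guesses an id reads a competitor's record."""
    row = db.execute("SELECT * FROM documents WHERE id = ?", (doc_id,)).fetchone()
    if row is None:
        raise KeyError(doc_id)
    return dict(row)


def get_document(db, session: Session, doc_id: int) -> dict:
    """The corrected pattern: every query is bound to the caller's tenant.
    A foreign id and a missing id look the same to the caller, so ids cannot
    be enumerated across tenants."""
    row = db.execute(
        "SELECT * FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, session.tenant_id),
    ).fetchone()
    if row is None:
        raise TenantError(f"document {doc_id} not found in tenant {session.tenant_id}")
    return dict(row)


def list_users(db, session: Session) -> list:
    rows = db.execute(
        "SELECT email, role FROM users WHERE tenant_id = ? ORDER BY id",
        (session.tenant_id,),
    ).fetchall()
    return [dict(r) for r in rows]


def create_user(db, session: Session, email: str, role: str) -> dict:
    """User provisioning belongs to the customer's own admin. The platform
    operator runs the system but administers no customer's users, so the
    two duties never sit with one account."""
    if session.role != "tenant_admin" or session.tenant_id is None:
        raise TenantError("only a tenant admin may provision users")
    if role not in ("tenant_admin", "user"):
        raise ValueError(f"unknown role {role!r}")
    cur = db.execute(
        "INSERT INTO users (tenant_id, email, role) VALUES (?, ?, ?)",
        (session.tenant_id, email, role),  # tenant taken from the session
    )
    return {"id": cur.lastrowid, "tenant_id": session.tenant_id,
            "email": email, "role": role}


def is_denied(fn, *args) -> bool:
    """True if the call is refused on tenant or role grounds."""
    try:
        fn(*args)
    except TenantError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    acme_admin = Session("acme", "tenant_admin")
    print(get_document_unscoped(db, 2)["title"])      # leaks Globex's record
    print(is_denied(get_document, db, acme_admin, 2))  # True
    create_user(db, acme_admin, "dave@acme.example", "user")
    print([u["email"] for u in list_users(db, acme_admin)])
```

The design choice worth copying is that tenant_id never arrives in a request parameter: it is taken from the authenticated session and appended to every query by the data layer, so a developer cannot forget it on one endpoint. That is the question a customer should ask a SaaS vendor under point 3, and a test like the cross-tenant read above is the cheapest way for the vendor to prove the answer.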

You can find Peter's website and contact information at the Ateala Management website:

http://www.ateala.com

If you found this episode to be useful, please let us know by entering a comment after these show notes on The Streetwise Security Zone website; or you can rate the episode or subscribe to The Streetwise Security Zone Podcast from the website as well. This episode and its show notes have been posted at:

http://www.streetwise-security-zone.com/podcasts.html

Until next time, stay streetwise...

- Scott



5. http://feedproxy.google.com/~r... download (audio/mpeg, 11.43Mb)

Description:

The Streetwise Security Zone Podcast Episode 8 – November 9, 2009

This Episode's Topics:
1 - News with timeless observations and guidance
2 - Social Media Security Podcast security brief (Death by Twitter Phishing, Internet Posting Policies, Google Wave's insecurity)
3 - Surviving in the Wild West of the Internet

 

SHOW NOTES

I produce this podcast as part of the Streetwise Security Zone. For those of you who don’t know, the SWSZ is a collaborative website that uses social media in many forms to educate people about working securely and efficiently, in the office and at home.

In each episode, I usually cover some security news, but not in a way that becomes dated. I try to take at least one recent, real-life news event and give some insight into how the situation can affect you in a business environment – and how to make sure your own workflow can deal with such situations.


Because I’ve started doing the Social Media Security Podcast, which is occasionally technical, I try to interpret our most recent episode and turn it into a non-technical security brief that contains information and guidelines that everyone can understand and act on.

I also like to cover any industry events I’ve taken part in, and tie them into my mission of helping organizations to get their jobs done more securely and efficiently.

News:

Worm infects “jailbroken” iPhones, and Twitter spreads the news fast

Graham Cluley points out in a Twitter update that if news from security companies travelled that fast, we’d be in a lot less trouble. That’s my vision, actually, that we in the Streetwise Security Zone find and vet news that affects security of businesses and the majority of individuals.

The Facebook phishing continues

Fake email messages are asking users to follow links, login to Facebook and reset passwords. Unfortunately, the link doesn’t go to Facebook. Instead, it captures your login credentials when you try to log in.
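The check that defeats this lure is to look at where a link actually goes, not at what it says. As an added example (not from the podcast), the script below pulls every link out of an HTML message and compares the real host name against the site the message claims to be from, on a label boundary, so that facebook.com.something.example, a faceb00k.com lookalike, and the user@host trick all fail while the genuine site passes. The naive "does it mention facebook.com" test beside it passes every one of those lures. The sample message is constructed for the demonstration and is not a captured phish.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The hosts a password-reset message from this service may legitimately link to.
# Matching is on the registrable name with a dot boundary, so
# "facebook.com.evil.example" and "notfacebook.com" both fail.
LEGIT_HOSTS = ("facebook.com",)


def naive_looks_legit(url: str) -> bool:
    """The weak check people do by eye: does the link mention facebook.com?
    Every lure in the sample message passes it."""
    return "facebook.com" in url.lower()


def host_is_legit(url: str) -> bool:
    """The corrected check: parse the URL, take the real host and compare it
    against the allow-list on a label boundary."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Return (href, verdict) for each link in the message, in document order."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    out = []
    for href, _text in p.links:
        if not host_is_legit(href):
            out.append((href, "do not click: host is not facebook.com"))
        elif urlsplit(href).scheme != "https":
            out.append((href, "caution: login link is not https"))
        else:
            out.append((href, "ok"))
    return out


# Constructed sample message for the demonstration (not a captured phish).
# Link 1: the displayed text is the real site, the href is not.
# Link 2: "www.facebook.com@" is a user name; the host is evil.example.
# Link 3: a lookalike domain with zeros for the letter o.
# Link 4: the genuine site.
SAMPLE_EMAIL = """
<p>We reset your Facebook password. Sign in to confirm:
<a href="http://facebook.com.account-verify.example/login">https://www.facebook.com/login</a></p>
<p>Or use <a href="https://www.facebook.com@evil.example/login">this secure link</a>.</p>
<p>Help: <a href="https://faceb00k.com/reset">faceb00k.com</a></p>
<p>Real site: <a href="https://www.facebook.com/">Facebook</a></p>
"""

if __name__ == "__main__":
    for href, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:40} {href}")
```

Typing the site's address into the browser yourself, instead of following any link in the message, does the same job without the code; the parser only matters when you have to triage messages at volume.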

A dangerous Firefox bug with general security guidance on security updates and patches

A Firefox browser bug was discovered that allows content from one page (loaded in an iframe) to manipulate content from a different site’s page. By the time you hear this, the specific bug will probably be fixed in an update. But it acts as a reminder that we need to keep software up to date (turn on automatic updates and allow them to install when prompted).

Case Study: A University Accidentally Leaks Social Security Numbers to the Web

A Hawaii university suffered a breach of its web infrastructure exposing 4,500 students’ Social Security Numbers. The breach occurred because someone put a sensitive internal report on a publicly accessible web page. If the people involved had been trained in handling sensitive information as part of their jobs, this would have been much less likely to happen. Training is the first line of defence, but a routine check of public web directories for patterns like SSNs before anything goes live is a cheap second one.
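The check a web team could have run before that report went live, as an added example (mine, not from the podcast or from the university involved): scan the files headed for a public directory for Social Security Number patterns. Values the Social Security Administration never issues (area 000, 666 or 900 and up, group 00, serial 0000) are discarded, which removes most other nine-digit numbers. The file names and contents below are constructed for the example.

```python
import re

# AAA-GG-SSSS with the same separator (dash, space or none) between both groups.
# The backreference rejects mixed separators such as "219-09 9999".
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in text, normalised to AAA-GG-SSSS."""
    found = []
    for m in _SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def scan_files(files: dict[str, str]) -> dict[str, int]:
    """Map file name -> number of plausible SSNs, listing only files with hits."""
    hits = {}
    for name, content in files.items():
        n = len(find_ssns(content))
        if n:
            hits[name] = n
    return hits


# Constructed sample of a public web root: one file carries a leaked internal report.
SAMPLE_FILES = {
    "public/index.html": "<p>Call us at 613-693-0997 for help.</p>",
    "public/report.html": "<tr><td>219-09-9999</td><td>457 55 5462</td><td>123456789</td></tr>",
    "public/notes.txt": "Test IDs: 000-12-3456 666-12-3456 987-65-4320 123-00-4567 123-45-0000",
}

if __name__ == "__main__":
    for name, count in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {count} possible SSN(s); do not publish")
```

The scan is a tripwire, not a classifier: a ten-digit phone number written without separators does not match, but a nine-digit order number in a valid range will, so a hit means "a person looks at this file before it goes live", not "this file contains SSNs".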

Social Media Security Podcast Security Brief:

Social Media Security Podcast #4 is available at http://www.socialmediasecurity.com/category/podcasts

Death by Twitter, and other phishing attacks like the IQ test DM, were really a problem in the last week or so. Sensationalized headlines can lead people – even seasoned security professionals – to start spreading the news to others (retweeting in Twitter is too easy to do). The IQ test phishing attack showed up this week as a Direct Message in Twitter, asking you to click a link to take the IQ test. Following the link takes you to a page that asks you to log into Twitter. However, once your credentials are entered, they are used to start attacking your followers via Direct Messaging… and on it goes. It’s not infecting your computer, but once your userid and password are stolen, a lot of bad things can happen without your knowledge.
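Both the Facebook password-reset email in the news section above and the Twitter “IQ test” DM work the same way: the visible text names one site, the link goes to another. The following added example (mine, not from the podcast or from either site) checks where a link really points before anyone types a password into it, covering the usual tricks: a look-alike host such as www.facebook.com.account-reset.net, a raw IP address, and the userinfo trick where the browser ignores everything before an @. The sample links are constructed; the two-label “registered domain” rule is a simplification that a real deployment would replace with the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels. Adequate for the .com sites in
    this example; a real deployment would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href: str, claimed_site: str) -> str:
    """Return 'ok' if href really leads to claimed_site over HTTPS, else why it does not."""
    parts = urlsplit(href.strip())
    if parts.scheme not in ("http", "https"):
        return "non-web scheme"
    host = parts.hostname          # userinfo and port already stripped; None if absent
    if not host:
        return "no host"
    if parts.username is not None:  # https://www.facebook.com@evil.net/ goes to evil.net
        return "userinfo trick: the text before @ is not the host"
    try:
        ipaddress.ip_address(host)
        return "raw IP address instead of a hostname"
    except ValueError:
        pass
    if registered_domain(host) != claimed_site:
        return f"host {host} is not {claimed_site}"
    if parts.scheme != "https":
        return "login link is not https"
    return "ok"


def audit_message(links: list[tuple[str, str]], claimed_site: str) -> dict[str, str]:
    """links: (display text, href) pairs pulled from a message. Returns href -> verdict."""
    return {href: classify_link(href, claimed_site) for _text, href in links}


# Constructed sample: the visible link text says Facebook, most hrefs say otherwise.
SAMPLE_LINKS = [
    ("Reset your password", "https://www.facebook.com.account-reset.net/login"),
    ("www.facebook.com/login", "https://www.facebook.com@203.0.113.5/login"),
    ("Take the IQ test", "http://twitter.com.iq-test-results.info/login"),
    ("Facebook", "https://www.facebook.com/login.php"),
]

if __name__ == "__main__":
    for href, verdict in audit_message(SAMPLE_LINKS, "facebook.com").items():
        print(f"{verdict:55s} {href}")
```

classify_link only answers “does this go to the claimed site”; a link that passes can still be an open redirect on the genuine site, so the safest habit remains the one given above: reach the login page by typing the address, not by following the link.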

Open Source Intelligence (OSINT) means gathering information from publicly available sources; in this context it refers to monitoring, defensively (or sometimes offensively), what brand and personal data about you is exposed on social networking sites. Tom Eston explains how to use methods like Google Dorks, which are just specially crafted search queries designed to root out posted information about you or your organization.

Posting Policies – Cisco’s policy. Having a security policy for posting on the Internet can be really useful for marketing or PR departments, giving employees guidance on what is considered acceptable content to post about the organization. HR also needs to be involved.

Google Wave – What the heck is it? I still don’t know. It’s been called a very cool way of integrating “updates” (like tweets or Facebook status updates), personal messages (like email), and multi-media objects (like video), in a Web 2.0 style. Tom and Kevin describe it as a combination of Twitter, Facebook, email and instant messaging.

So what’s the problem? It turns out that making all these things work together with “User Generated Content” in such an unstructured way is inherently insecure. Everything that makes it easy to collaborate this way also makes it easier for the bad guys to post dangerous content that harvests input from users or launches malware attacks on their computers or devices. It’s also another way for data to leak uncontrollably from your domain. While you may not be able to stop data from leaking, or bad software from creeping in, with any technology, education is once again the only way to keep people on track and working within your policies.

Google Wave also demonstrates Google’s propensity to design functionality and features first and security later. This approach always causes an endless loop of patches and updates, usually after damage has been done.

Recent Events: Small Business Survival in the Wild West of the Internet

I recently gave a talk at the Small Business Association of Ottawa on “Small Business Survival in the Wild West of the Internet.” The talk presented an analogy and comparison between today’s business environment and the Wild West.

If you’d like a transcript and/or slides of this presentation, please email me at scott@streetwise-security-zone.com. The talk was supposed to be 20 minutes, but it lasted almost an hour due to questions. Sorry about that. This demonstrates how thirsty people are for information on how to protect themselves in the Internet-based business environment.

Wrap-up:

Feedback is welcome and encouraged. Please rate this podcast on the site, or in iTunes. I’d appreciate it. And please spread the word to others.

The only way we can really gain a handle on securing our work environments is to collaborate – discussing what works, what to watch out for, and where to get trusted information.

In fact, if you like what you’ve heard on this podcast or seen on my website, I’d love to be able to provide your team with even more personalized service – whether it’s risk assessments, security audits, security training or virtual Chief Security Officer services – please have somebody from your organization contact me.

As a bit of a stimulus for comments, I’d like to ask you to let me know what kind of a security-related book or training tool you think your place of work would be most interested in having as a resource – Would you rather see a hardcopy book, an e-book, an audio book, a set of videos on DVD, or maybe a “play at your own speed” web-based tutorial with audio and slides? All of these things are possible, but I’d like to focus on what you think would be most valuable.

As always, you can email me at scott@streetwise-security-zone.com or call me at 1-613-693-0997. You can even follow me on Twitter at “streetsec”.

If you’re not already a member, please join The Streetwise Security Zone at:

http://www.streetwise-security-zone.com/members/streetwise/info/ScottWright-join.html

You can subscribe to this podcast on iTunes at:

http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=298647305


Thanks for listening!

Until next time, Stay Streetwise.

- Scott

Have you thought lately about how you or your team will get the job done securely? Do you really need to expose your sensitive assets to 400 million strangers on a public social media site? Contact me if you'd like to discuss how you can use modern information sharing technologies without exposing ALL your data and systems to unnecessary risks.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by signing up on the site with your name and email address.


6.
http://feedproxy.google.com/~r... download (audio/mpeg, 12.66Mb)

Description:

The Streetwise Security Zone Podcast – Episode #7 for November 1, 2009

This Episode's Topics:
1 - Turning Swiss Cheese Into Hard Candy
2 - Remote Code Execution Threats and Associated Vulnerabilities
3 - Microsoft Security Essentials
4 - Case study of keylogging gone wrong
5 - Feedback 


Turning Swiss Cheese Into Hard Candy

This past week I delivered a keynote presentation to the Ottawa Chapter of the Information Systems Security Association. The analogy I use harkens back to the days – not too long ago – when security professionals would grudgingly endorse a security strategy that used the very technical term – “Hard crunchy outside, soft gooey inside.”

This referred to using firewalls at the perimeter to keep the bad stuff out and the good stuff in. However, because of mobile devices, wireless, and the UFBP (the “Universal Firewall Bypass Protocol”, i.e. HTTP over port 80, which every firewall lets through), we can’t really say that a hard perimeter alone does an adequate job of security any more.

So, I refer to our situation now as being like Swiss Cheese. But what we really need is Hard Candy – a crystalline structure that is hard to break through. I use this in the context of security awareness, and how it can be used to harden workflows in an organization, to look like a crystal.

In addition to the direct security benefits of educating people on a process – not just the gauntlet of risks and tips – I point out the other “quality-related” benefits of an aware workforce. The process I’m referring to is what I now call the “Streetwise Workflow-based Risk Awareness Process”, or WRAP. This is a process I’m now offering in my training courses, which can be delivered in various formats and durations. I can do intensive 3-hour sessions to start the process off, or a series of shorter sessions followed by a workshop to dig into the various steps in the process, which can lead to some very magical and productive exchanges between management and staff that really do start to change the organization’s culture.

The basic WRAP process follows these steps:

1 – Know the security awareness fundamentals; things everyone should know

2 – Identify your trusted sources of guidance, whether it’s security policies, IT Helpdesks or managers

3 – Identify your information context; what information, where it comes from, where it goes, who it gets delivered to, etc.

4 – Control your information within your context, and keep it separate from unrelated processes (like web surfing)

5 – Collaborate for security and efficiency

Through the learning and repetition of these 5 steps as part of a job performance process, you can change the culture of your organization from that of Swiss Cheese to one of Hard Candy.

If you’d like more information on this process, please contact me at scott@streetwise-security-zone.com or call me at 1-613-693-0997.

Remote Code Execution Threats and Associated Vulnerabilities

If you were to look closely at the ongoing stream of updates from companies like Microsoft, Apple, Adobe, Mozilla and other software suppliers, you’d notice this very technical term being thrown around very matter-of-factly, as though they were doctors talking about ear infections.

It always bothers me when we start to take serious problems for granted as being “just the way it is” – this is what we have to live with. For IT Security staff, terms like this are very disturbing, but they are heard so often, the people who are supposed to be dealing with them become desensitized to the risks.

You should think of Remote Code Execution as potentially the most serious type of vulnerability you could imagine. Essentially, what it means is that, under the right conditions, an attacker can take over control of your computer from the safety and comfort of their basement.

What these vendors are saying when they announce that a Remote Code Execution vulnerability has been found or fixed, is that the conditions exist in the current version of their product that could allow somebody to take over your computer while you are using their software.

For example, if an Adobe Acrobat RCE bug exists, then an attacker could send you a PDF file that causes your system to hand control over to them when you open it and Acrobat (or Reader) parses the file. Consequently, any time a piece of software has an RCE vulnerability, the vendor tends to call the update that fixes it a “Critical Security Patch.”
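An added example of the kind of first-pass triage a mail gateway or helpdesk can apply to an incoming PDF before it reaches a reader with a known RCE bug (this is my example, not code from the podcast or from Adobe): count the name tokens that let a document run code or launch programs when it is opened, decoding the #xx escapes that are sometimes used to hide them. The watch-list and the verdicts are my choices; the two sample files are constructed minimal skeletons rather than complete PDFs.

```python
import re

# Name tokens that let a PDF run code or launch things when opened. Assumed watch-list
# for this example; presence is a signal for review, not proof of malice.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/RichMedia")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript is counted as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict[str, int]:
    """Occurrences of each watched name. A name ends at a non-alphanumeric, so /JS does
    not match /JSX and /AA does not match /AAA."""
    text = normalise_names(data)
    counts = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name.encode()) + rb"(?![0-9A-Za-z])", text))
        if n:
            counts[name] = n
    return counts


def triage_pdf(data: bytes) -> str:
    """Coarse verdict: code that runs automatically on open is the worst combination."""
    if not data.startswith(b"%PDF-"):
        return "not a PDF"
    counts = count_risky_names(data)
    if not counts:
        return "no active content found in the clear"
    on_open = counts.get("/OpenAction", 0) + counts.get("/AA", 0)
    code = counts.get("/JavaScript", 0) + counts.get("/JS", 0) + counts.get("/Launch", 0)
    if on_open and code:
        return "HIGH: runs code or launches a program on open"
    return "REVIEW: active content present"


# Constructed, minimal skeletons (no xref table): enough for the scanner, not real documents.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(f"{label}: {triage_pdf(pdf)} {count_risky_names(pdf)}")
```

Treat “no active content found in the clear” literally: names inside compressed object streams, or added in an incremental update, are invisible to a plain byte scan, and a malformed file can trigger a parser bug in the reader without carrying any of these names. The scan buys triage time; it does not replace the critical patch.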

A patch is simply a quick fix provided by the software vendor; one that wasn’t planned before the vulnerability was found. It’s important for IT operational staff to review and understand the implications of these critical patches. Usually, they will want to deploy them throughout the organization quickly. But there are often other considerations such as whether a patch might have other changes that could affect proper functioning of other software required for the business’s operations.

So, you should make sure your IT staff has a “vulnerability management” process for reviewing all the critical patches from vendors, and planning their deployment in a way that does not disrupt operations but provides the quickest possible closure of Remote Code Execution vulnerabilities. A common compromise is to push a patch to a small pilot group first and to everyone else within a fixed number of days, with the shortest deadline for software that opens untrusted content (browsers, PDF readers, mail clients).

Microsoft Security Essentials

Just a quick note about a new free antivirus product offered by Microsoft called Microsoft Security Essentials. It was really only a matter of time after Microsoft bought an antivirus company a few years ago. People have always said that the operating system vendors need to do a better job of protecting their own software from viruses.

There are a lot of benefits to having the operating system vendor supply antivirus software, not the least of which is its ability to reduce “false positives” and mistaken system file removals. This is not to say that the Microsoft AV offering will be perfect, but it is getting good reviews.

I haven’t tried it yet, but I intend to. Obviously, being a free product (for PCs, but not for servers), this will tend to put pressure on the big anti-virus makers like McAfee and Norton who make a lot of money from the sale of their AV products.

Case Study: Regretful Boyfriend Wishes He Hadn’t Tried to Spy on His Ex-Girlfriend

http://pcworld.about.com/od/securit1/Misdirected-Spyware-Infects-Oh.htm

In this case study, a 38-year-old man in Ohio sent a “keylogging” program to his ex-girlfriend’s email account, so he could secretly find out what she was doing when she was at her computer. He probably told her that the attachment was something that would interest her, so that she would open it.

Although he expected her to open it on her home computer, she ended up running it on her computer at work – at an Akron children’s hospital. As a result, several other employees’ actions and personal records were captured, as well as medical records of 62 patients.

Needless to say, this is not what he intended to have happen, but the damage was done, and he is facing a penalty of $33,000 for damages.

This is also a good story to use as a case study for hospitals and other organizations that allow computers to be shared among employees. While any organization should be concerned about this kind of malware getting on their computers, it’s especially dangerous in hospitals, for obvious reasons. While no anti-malware solutions are 100% effective at catching keyloggers, it is important to have some good defenses in this area.

As a layered security strategy, which any good Threat and Risk Assessment would try to recommend, it’s also important for systems with patient records to be separate from systems that can access email. This can be achieved through separate computers, separate non-privileged accounts or separate virtual machines (separate simulated operating systems).

Staff should also be educated not to use personal email, or at least not to click on any attachments or links that are not related to business operations while logged into operational systems.

Feedback

I just wanted to thank one of the Streetwise Security Zone Members – Rob Bell - for commenting on my blog post regarding banking fraud protection mantra – IGNORE, SEPARATE and WATCH.

I was referring to a threatpost.com story which quoted the FBI as stating that $46 Million has been lost by SMBs due to online banking fraud. Because the most common fraud method is to get keyloggers onto your computer, and capture your banking credentials, I recommend the following process:

1) IGNORE SPAM

2) SEPARATE Banking from other activities

3) WATCH your bank account balances, preferably using telephone banking (a channel separate from the computer that might be compromised)

Rob’s comment was that the second step of separating activities was interesting and helpful.

Thanks for that comment, Rob.

Wrap Up

If you’ve found this podcast to be valuable, please consider joining The Streetwise Security Zone and trying some of my resources. I’m also interested in hearing from you if you have a need for security awareness training, live on-site or via webcast, or if you are looking for a speaker for your next event or company meeting. You can contact me via the quote form available on my website home page.

It's helpful for me to hear how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.


7.
http://feedproxy.google.com/~r... download (audio/mpeg, 17.17Mb)

Description:

After a bit of a hiatus, I'm back with another episode of The Streetwise Security Zone Podcast. In this episode, I review some of the risks and tips covered in more technical detail in the new Social Media Security Podcast that I launched with Tom Eston and Kevin Johnson. I also review a case study from the Security Views blog, and do a quick tour through the Streetwise Security Zone website's home page.


Introduction

My News - My recent activities (Europe for Privacy Study of Research Facility, Training and Workshop, Risk assessment for live data in development and testing, Honey Stick presentation for a Government Security Awareness Working Group)

Tour of the Streetwise Security Zone website

Review of the recent changes in the homepage features, menus and blogs.

Case Study

A look at how ISPs can spy on you through your Blackberry and iPhone. It sounds a little over-hyped, but it has happened to subscribers of an ISP in the Middle East. A text version of this case study is posted on the Streetwise Security Zone blog.

Social Media Security Podcast - Episode 3 Summary

Covers Social Networking phishing invitations (fake invitations), Koobface worm phishing attacks, Protected Twitter updates and Cross-Site Request Forgery attacks that can piggyback on banking and other web sessions that you might stay logged in to. You can find the podcast at:

http://socialmediasecurity.com/category/podcasts/


Wrap-Up

I invite you to send me an email at scott@streetwise-security-zone.com or call and leave a voicemail message at 613-693-0997 with your comments or questions about security awareness, or any topic you care to discuss.

I’m also interested in hearing from you to find out how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.

Thanks for listening!

(If you'd rather see written transcripts of my audio podcasts, please let me know.)


8.
http://feedproxy.google.com/~r... download (audio/mpeg, 77.37Mb)

Description:

Get a glimpse into the real-world problems of privacy and security awareness training from this episode’s featured guest, Rebecca Herold, (AKA PrivacyProf on Twitter). The following notes correspond to the content in this episode of The Streetwise Security Zone Podcast.

Note that the times identified below represent absolute times on the timeline, not durations.

Editor's note - I apologize in advance for the ambient noise during parts of my interview with Rebecca. This is not the usual sound quality of my podcasts, but I didn't realize it until after we had finished our call. I tried to clean it up, and replaced some of my interview questions with better recordings in some places near the end.

Introduction - 0:00

The introduction gives a brief run through the topics covered in this podcast.

Today’s show features a discussion with Rebecca Herold, the Privacy Professor. Rebecca does a lot of teaching and consulting on the topics of privacy and security awareness. She’s written a number of books, and has a blog that she posts to on pretty much a daily basis. You can see her latest headlines right from the front page of The Streetwise Security Zone at http://www.streetwise-security-zone.com

Security News - 1:20

Heartland

The Heartland credit card breach involved almost 100 million credit cards. That’s more than twice the number involved in the TJX breach of two years ago.

Ponemon’s 2008 Annual Report on Costs of Data Breaches

The Ponemon Institute recently issued their 2008 report on the Cost of Data Breaches, in which they studied over 40 companies that had data breaches and did some interesting analysis to determine causes and costs.

Whether you think their average cost of just over "$200 per affected data record" is relevant to your business, there are some other bits of information in this report that most certainly are of interest to all of us.

Their statistical analysis appears to support my assertion that security awareness is the low-hanging fruit with the best ROI for a security budget.

The Ponemon report is worth the read and is free. Here’s a link where you can download the report:

    http://www.encryptionreports.com/2008cdb.html


Streetwise Security Zone site news - 4:15

The Honey Stick Project - We just passed 60% of devices being used.

Safe Web Surfing - Audio book available, with deep discount for SWSZ members.

Facebook Privacy and Security Guidelines - NEW audio book now available, also discounted for SWSZ members.

Risks in the News - 8:20

With tough economic times usually comes a wave of scams that target people who are most in need of hope. Unfortunately, we are seeing a rise in telemarketing scams that try to convince people that they have been approved for a government grant related to the “stimulus package”. Of course they charge a “processing fee”, or ask for personal or private information that could be used for identity theft, which is how they make their money. The hoax-debunking site www.snopes.com has a good summary of the things to watch out for.

http://www.streetwise-security-zone.com/members/streetwise/comm/READ/00000098/Offers-of-Almost-Free-money-during-a-recession-are-usually-too-good-to-be-true.html

Product Review - The Sandisk Cruzer Enterprise secure USB Flash Memory Stick Solution - 9:20

I recently posted a review of the Sandisk Cruzer Enterprise USB Flash Memory at:

http://www.streetwise-security-zone.com/members/streetwise/comm/READ/00000088/Secure-USB-Drive---SanDisk-Cruzer-Enterprise.html

I found this to be a very strong solution for not only protecting against "data leakage" through the use of hardware-based encryption, but also for managing the lifecycle of mobile data and USB Flash Drives that travel outside the protection of the organization.

Q&A Feedback - 11:20

I invite you to send me an email at scott@streetwise-security-zone.com or call and leave a voicemail message at 613-693-0997 with your comments or questions about security awareness, or any topic you care to discuss.

I’m also interested in hearing from you to find out how you heard about The Streetwise Security Zone Podcast, what you like about it and how it is helping you; or if it’s not helping you. It doesn’t have to be a positive comment, either. I want to make this podcast useful to as many people as possible, and I value your input.

Conversation with Rebecca Herold - 12:30

- Introduction to Rebecca Herold, The Privacy Professor.

- The disturbing trend of cutbacks leading to greater risks.

- The need to do initial organizational assessments before applying security controls

- Security inadequacies stemming from a “compliance” mentality

- How technology-oriented business drivers are leaving security and privacy considerations behind

- Why off the shelf products require increased focus on security awareness

- Economic influences on employee likelihood of becoming insider threats

- What types of cutbacks are organizations  making that are potentially dangerous?

- Rationalizing security as a “foundation” investment instead of an unnecessary expense

- Compliance with regulations is not sufficient for most businesses

- How are the most regulated industries doing with security and privacy?

- How awareness affects quality and mistakes

- How management's skepticism about training becomes a self-fulfilling prophecy if they skimp on quality

- How training quality can be improved

- How much can you expect people to remember from a single class?

- How to make training content stick over time

- Why measurement of student retention is important in getting good results

- How the Honey Stick Project relates to measuring security awareness

- Rebecca’s “Protecting Information” newsletter’s metrics tips

- The impact of being able to show metrics

- What about the new US government’s position on information security and privacy going forward?

- Should Obama be able to keep his Blackberry?

- Electronic Health Records (EHR) and Medical identity theft

- Rebecca’s eye-opening experience, and the importance of “knowing your audience’s motivations and objectives” when talking about security

- Why executives aren’t hearing IT people’s messages about security

- Innovative approaches to security training that have provided good results for Rebecca

- When is effective training not considered training?

- Contacting Rebecca

www.theprivacyprofessor.com
www.privacyguidance.com
www.realtime-itcompliance.com 
www.twitter.com/privacyprof  - on Twitter

Conclusion 64:00

Thanks to Rebecca for joining us and giving us some insights into what she's seeing in the world of privacy and security awareness training. I'm hoping we can work together in future to create some great content for members of our community.



9.
http://feedproxy.google.com/~r... download (audio/mpeg, 68.37Mb)

Description:

Episode 4 of SWSZP has a great, business-oriented, educational discussion of information security in Small Businesses, that is also very relevant for larger enterprises. I conduct an interview (about 50 minutes) with David Kelleher, a security expert with GFI, a leading security software provider for Small and Medium-sized Businesses (SMB), based in Europe. David and I discuss a wide range of security topics, to help convey the important issues that can and must be addressed, initially, through education and communication within the organization.


GFI (at http://www.gfi.com) has a range of security software offerings for SMBs, which gives David a good perspective on these issues. Our discussion in this audio podcast can be used as a way of initially presenting security education, policy and resource requirements to management.

Streetwise Security Zone Podcast - Episode 4, January 28, 2009 (Show Notes)

Small and Medium-sized Business (SMB) Security

To listen directly on the website, just click on the Play button above. The numbers you see beside the headings below mark the approximate times in the audio program timeline. To download this audio as an MP3 file, click on the “down arrow” on the left side of the player bar at the top of this page. You can also subscribe via iTunes or stay up to date on this series using the options and links on the left side of the page.

Introduction 0:00

Just a quick introduction to this episode.

Risks in the News

A particularly bad piece of malware (technically a worm, because it spreads on its own), called “Downadup” or “Conficker”, is estimated to have infected almost 1 out of every 9 computers in the world to date. This is an extremely virulent and widespread bug. An infected computer downloads a bunch of other dangerous software, likely steals your information, and becomes part of a “botnet” that a remote master can direct to do various illicit things for the attacker. The bottom line is that your computers could be used to commit computer crimes without your knowledge. It spreads by three possible means:

Attacking Windows computers that have not been updated since before October 2008;Attacking administrative accounts for computers nearby on the same network as the infected computerSpreading through the use of USB Flash Drives and other removable media

The best way to prevent it, if you aren’t already infected, is to turn on Microsoft automatic updates, and make sure your version of Windows is up to date. Also, make sure that ALL of your computers’ accounts, especially any with administrative privileges, have complex passwords that are not easy to guess; and if possible, turn off any “auto-run” or “auto-play” options on removable media or CD drives.

If you think your system is already infected, you will have to download Microsoft’s "Malicious Software Removal Tool" (MSRT). It is not an anti-virus product, but it is able to clean up some known infections. If you are having trouble reaching Microsoft’s website, or your anti-virus program is behaving strangely, that could be a sign that you are already infected, and you may need professional help in restoring the system to its normal state.

More information on this malware threat is available by clicking HERE for a detailed Computerworld article.
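The second of those three spreading methods leaves a trail on the target: a burst of failed logons against an administrative account from one nearby machine, followed (if the password was weak) by a success. As an added example, not code from the podcast or from GFI, the Python script below runs that check over a constructed, simplified logon log. The record format, the host names, the "5 failures in 60 seconds" threshold and every sample entry are assumptions made for the demo; a real deployment would feed it the logon-failure events from your Windows security logs instead.

```python
"""Flag hosts that are brute-forcing administrative accounts over the LAN.

Added example, not code from the podcast or from GFI. It scans a constructed,
simplified logon log (one record per line: ISO timestamp, source host, target
host, account, result) and reports any source that fails against one target
at least THRESHOLD times inside a sliding window of WINDOW_SECONDS. If the same
source then logs on successfully, the alert is marked: the guessing worked.
The log format, host names and thresholds are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5        # failed logons against one target from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds

# Constructed sample records: "<ISO time> <src host> <dst host> <account> <result>"
# WS-12 hammers FILESRV1 in a few seconds (worm-like); WS-07 is a user typo;
# WS-03 tries one password every ten minutes (slow, stays under the window).
SAMPLE_LOG = """\
2009-01-20T09:00:01 WS-12 FILESRV1 Administrator FAILURE
2009-01-20T09:00:02 WS-12 FILESRV1 Administrator FAILURE
2009-01-20T09:00:02 WS-12 FILESRV1 admin FAILURE
2009-01-20T09:00:03 WS-12 FILESRV1 Administrator FAILURE
2009-01-20T09:00:04 WS-12 FILESRV1 Administrator FAILURE
2009-01-20T09:00:04 WS-12 FILESRV1 Administrator FAILURE
2009-01-20T09:00:05 WS-12 FILESRV1 Administrator SUCCESS
2009-01-20T09:05:00 WS-07 FILESRV1 jsmith FAILURE
2009-01-20T09:30:00 WS-07 FILESRV1 jsmith SUCCESS
2009-01-20T10:00:00 WS-03 FILESRV2 Administrator FAILURE
2009-01-20T10:10:00 WS-03 FILESRV2 Administrator FAILURE
2009-01-20T10:20:00 WS-03 FILESRV2 Administrator FAILURE
2009-01-20T10:30:00 WS-03 FILESRV2 Administrator FAILURE
2009-01-20T10:40:00 WS-03 FILESRV2 Administrator FAILURE
2009-01-20T10:50:00 WS-03 FILESRV2 Administrator FAILURE
"""


def parse_line(line):
    """Return (time, src, dst, account, result), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return (when,) + tuple(parts[1:])


def find_bruteforce(log_text, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return one alert dict per (source, target) pair that crossed the threshold.

    For each pair a deque holds the timestamps of recent failures; entries
    older than the window are evicted on every new failure, so the deque
    length is the count inside the window. An alert fires once per pair.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # (src, dst) -> failure timestamps in window
    accounts = defaultdict(set)      # (src, dst) -> account names tried
    alerts = {}                      # (src, dst) -> alert, insertion ordered
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, src, dst, account, result = rec
        key = (src, dst)
        if result == "FAILURE":
            q = recent[key]
            q.append(when)
            accounts[key].add(account)
            while q and when - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "dst": dst, "failures": len(q),
                               "accounts": sorted(accounts[key]),
                               "first": q[0], "last": when,
                               "success_after": False}
        elif result == "SUCCESS" and key in alerts:
            # The password was guessed: escalate this alert.
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG):
        print("%s -> %s: %d failures (%s) between %s and %s%s" % (
            a["src"], a["dst"], a["failures"], ", ".join(a["accounts"]),
            a["first"].time(), a["last"].time(),
            "; LOGON SUCCEEDED AFTERWARDS" if a["success_after"] else ""))
```

Note that the third source in the sample, which tries one password every ten minutes, never trips the 60-second window. A slow guesser needs a longer window or a per-account counter, and that tuning trade-off is the caveat with any threshold-based alert: the worm is noisy, a patient human attacker is not.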

Oh, by the way, there’s another virus threat that’s been growing, and it takes the form of a Valentine’s Day or other greeting. Sadly, online greeting card messages are one of the biggest virus threats. So, be careful: turn off HTML rendering and the preview pane in your email program, and don't click on links or attachments in emails. It's best to type out the URLs directly, and only go to reputable sites. I also like to use McAfee SiteAdvisor to screen dangerous sites.
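Much of the danger in a greeting-card lure is that the link text you see is not where the link goes, and the "card" is really a program. The following Python script, added here as an illustration and not code from the podcast, shows the checks an email gateway or a cautious reader can make with only the standard library: it parses a constructed sample message, flags links whose visible text names a different host than the real destination or whose destination is a bare IP address, and lists attachments with executable extensions. The sender, domains, IP address and attachment in the sample are made up for the demo.

```python
"""Triage an e-mail before anyone clicks: which links lie, and what is attached?

Added example, not the podcast's code. Parses a constructed greeting-card
style message with the standard library and reports:
  1. links whose visible text names a different host than the real href,
  2. links whose real host is a bare IP address,
  3. attachments with executable file extensions.
Every address in SAMPLE_EMAIL is made up (RFC 2606 / 5737 reserved names).
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a typical "you have received a card" lure with one
# spoofed link, one look-alike domain, one honest link and a disguised .exe.
SAMPLE_EMAIL = b"""\
From: "Greeting Cards" <cards@example-cards.test>
To: you@example.test
Subject: You have received a Valentine's Day card!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Someone sent you a card! View it at
<a href="http://192.0.2.44/card.php?id=77">http://www.example-cards.test/view</a></p>
<p>Or visit <a href="http://www.example-cards.test.evil.test/">www.example-cards.test</a></p>
<p>Help: <a href="http://www.example-cards.test/help">www.example-cards.test</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="card.jpg.exe"
Content-Disposition: attachment; filename="card.jpg.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Host named by an href, or by link text written like 'www.x.test/page'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def triage(raw_bytes):
    """Return {'suspicious_links': [...], 'dangerous_attachments': [...]}."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    suspicious, attachments = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in EXECUTABLE_EXTS:
                attachments.append(filename)
            continue
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                real = _host_of(href)
                shown = _host_of(text) if text else ""
                reasons = []
                if _is_ip(real):
                    reasons.append("link points at a raw IP address")
                # Only compare when the visible text itself looks like an address.
                if shown and "." in shown and shown != real:
                    reasons.append("visible text names %s but link goes to %s" % (shown, real))
                if reasons:
                    suspicious.append({"href": href, "text": text, "reasons": reasons})
    return {"suspicious_links": suspicious, "dangerous_attachments": attachments}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    for link in report["suspicious_links"]:
        print("SUSPICIOUS LINK %r shown as %r: %s" % (link["href"], link["text"], "; ".join(link["reasons"])))
    for name in report["dangerous_attachments"]:
        print("DANGEROUS ATTACHMENT", name)
```

A link whose visible text is an ordinary phrase ("View your card") is not flagged by the host comparison, since there is nothing to compare it against; that is exactly the case where typing the site's address yourself, as suggested above, is the only safe option. The look-alike domain in the sample (the real site's name used as a subdomain of another domain) is caught because hostnames are compared whole, not by prefix.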

Yay! - The Streetwise Security Zone reaches 60 members. Thanks again to all who joined! Current SWSZ member benefits include the ability to download a free audio training program on a new security topic, as well as other benefits like access to our monthly Live Netcasts where you can ask questions or give comments on security topics. I’ll be adding new value on an ongoing basis, but free memberships will be ending after we reach 100 members. So, please join now and get one year of free membership.

Free Features now available in The Streetwise Security Zone- 6:00

The Streetwise Security Awareness Non-Trivia Quiz- 6:25

This is a little PowerPoint presentation I created that emulates the movie theatre trivia quizzes you see before the movie trailers start. It’s a great way to educate people and keep them engaged at the same time. Use it any time you have a meeting where you have a computer and/or a projector. This version, with 6 trivia questions, runs for about 5 minutes on its own, and repeats in a loop. The file is available for direct download (no email or registration is required), and a Creative Commons license is included which grants you the right to use, modify and distribute it. I plan to produce larger versions with current security awareness news. So, contact me if you are interested in obtaining one to your specifications. The free download, and more information, is available at: http://www.streetwise-security-zone.com/freequiz.html

Free Honey Stick Testing Trial for Security Awareness Measurement - 7:50

I am offering a limited version of my Honey Stick Testing service for free to anyone who joins The Streetwise Security Zone. If you aren’t familiar with Honey Stick Testing, check out my Honey Stick Project blog at http://www.streetwise-security-zone.com/honeystickblog.html . It’s a way of measuring real human risk decisions in a simulated threat environment that uses specially configured, but safe, USB Flash Drives. This type of metric can tell you if your organization is ONE CLICK AWAY from having your employees bring down your operational information systems. You can learn more about the free limited testing service by following the link on the home page of The Streetwise Security Zone after you join.

Small and Medium-sized Business Security - Interview with David Kelleher of GFI

Introducing David Kelleher - 10:00

Introducing GFI - 12:00

Content security - Server security, Email security, Web monitoring

Messaging - Fax server, Email archiving

Network security - Vulnerability management, Event log management for larger SMB companies.

Endpoint security - Data leakage prevention

Network server monitoring - Server availability monitoring

Taking the time for employee security awareness in the office - 16:00

When “dumbing down” security guidance isn’t really a dumb thing to do - 19:30

Why IT security people need to be able to speak to different audiences - 23:30

Have you communicated the simplest of policies, like password complexity? - 24:00

How a lack of simple security fundamentals has caused high profile problems in major corporations around the world - 27:00

What are the trade-offs between denying all employee access to the Internet and accepting risks of Internet sites? - 29:00

What are the benefits of separating operational information systems from employees’ Internet accessible computers (Least Privilege)? - 32:00

A little bit of employee knowledge and a little bit of IT staff security knowledge is a dangerous combination (Vicarious Liability) - 36:00

What can be monitored by administrators to detect violations and risks? - 38:00

What should you do when monitoring tools identify violations? - 40:30

What can the volumes of data traveling on the network tell you? - 43:00

What other organizations may have access to your data, and are they taking care of it properly? - 45:30

Mandating your USB sticks for business use only (Endpoint security) - 47:00

Watching out for “Drive-By Downloads” triggered by email, portable devices, web forums, etc. (Not just floppy disks any more) - 48:30

Putting your team’s heads together to discuss key areas where layers of security should be focused - 50:00

How can you approach budgeting for security? - 51:30

What is the first thing you can spend money on that can make the way ahead more easy to justify and navigate? - 55:00

The fallacy of “Security by Historical Good Fortune” (It hasn’t happened to us in the past, so it’s unlikely to happen in the future...) - 56:00

Why SMBs can be as much of a target as any other organization... nobody is immune - 57:30

Wrapping up - 58:30

Conclusion

If you enjoyed this podcast, don’t forget to submit a rating in iTunes. You can get there by clicking on the subscribe via iTunes link above.

You can also rate this podcast by clicking on the Star rating system below this text.

Thanks for listening!

(If you'd rather see written transcripts of my audio podcasts, please let me know.)

Have you thought lately about how you or your team will get the job done securely? Do you really need to expose your sensitive assets to 400 million strangers on a public social media site? Contact me if you'd like to discuss how you can use modern information sharing technologies without exposing ALL your data and systems to unnecessary risks.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.




10. Array
http://feedproxy.google.com/~r... download (audio/mpeg, 65.57Mb)

Description:

In the audio podcast (about 57 minutes) that goes with this post, I have an interview with Tom Eston, a well-known security professional, blogger and podcaster. Tom is an expert on Facebook security and privacy, and shares his views on the risks of using social media sites like Facebook, MySpace and Twitter. Tom has some great stories and advice. I'm very glad we were able to do this interview!

To download this audio as an MP3 file, click on the "down arrow" on the left side of the player bar at the top of this page.

Introduction 0:00

Just a quick introduction to this episode.

News

SSL Vulnerability isn’t the end of the world. - 1:25

The Streetwise Security Zone reaches 50 members. Thanks! - 4:10

Book Review: "The Groundswell" by Charlene Li and Josh Bernoff (of Forrester Research) - 5:30

This is a great book for learning about how businesses should view the explosion in social media tools such as Facebook, Wiki’s, MySpace, Twitter, etc. I got some great ideas for how we can make use of the tools available in The Streetwise Security Zone. Of course, I wish it mentioned more about the operational risks of these tools. But that’s what we’re here for.

Interview: Avoiding the Landmines in Social Media Sites Like Facebook and Twitter - 7:30

Tom Eston and I discuss some of the key points that Tom likes to make people aware of when using Internet sites like Facebook. We discuss some really good examples and ideas in this interview.

Tom’s Introduction - 8:00

Tom’s blog:  http://www.spylogic.net (social media, penetration testing, etc.)

Tom’s podcast: Security Justice (http://securityjustice.com - live discussion of hot security topics, recorded in an Irish pub in Cleveland)

Scott’s Background - 11:00

The Honey Stick Project - 12:30

Tom’s Experience With Measuring Security Awareness - 17:00

Security Awareness Strategies - 21:00

Social Media and Business - 25:00

Social Media Risks and Stories 26:00

Why You Might Be Trusting Sites Too Much - 29:00

Building Security Into Products and Service Technology - 31:00

Facebook Experiences - 33:00

Tom’s Guidelines at a 50,000 Foot View - 34:00

Why Selecting "Private" Doesn’t Mean Information Won’t Be Divulged - 38:30

Read Privacy Policies - 30:00

Why Sites Don’t Promote Privacy - 39:30

The MySpace Suicide Story - 40:00

Sites Want to be Common Carriers With No Liability - 42:00

Link-Whoring (Accepting Friend Requests From Strangers) - 42:30

Facebook Application Risks - 44:00

Why You Should Choose Passwords Different From Other Application Accounts - 48:30

How Easy It Is To Find Identity Information From Facebook - 51:00

Sarah Palin’s Yahoo ID Theft Enabled by Wikipedia - 53:00

Based on this discussion, we know there is a lot more guidance that would be valuable to people. So, Tom and I plan to do another session focusing strictly on how to set Facebook privacy settings, and why. Stay tuned for more!



11. Array
http://feedproxy.google.com/~r... download (audio/mpeg, 16.26Mb)

Description:

In the audio podcast that goes with this post, I cover a lot of content that illustrates the interesting and important security issues that you should be staying in tune with.  I hope you'll find good value in it.  So, I'd appreciate any feedback you have on the audio content, structure or length. (To download the entire audio file now to your computer, instead of listening from this page, click the "down-arrow" in the audio control bar above.)

The following notes correspond to the content in this episode of The Streetwise Security Zone Podcast.

Note that the times identified below represent absolute times on the timeline, not durations.

Introduction - 0:00

The introduction gives a brief run through the topics covered in this podcast. The podcast is primarily oriented toward security training and education to empower employees to protect their information from social engineering, hackers, phishing attacks and other risks on the Internet.

Live Netcasts Announcement for Tuesday December 23rd, 2008 - 1:45

The first Live Netcast in The Streetwise Security Zone is set for December 23rd, 2008 at noon eastern time. You will have the chance to participate via live Text Chat to ask me questions and direct the focus of the session. You’ll need to join The Streetwise Security Zone as a Full Member (currently free, as of December 2008, but will eventually require a paid membership). Click HERE to get to the Netcast page.

Overview of "Governance by Graffiti" model - 4:40

Although Governance by Graffiti was a vague notion in my mind for the past year, it's only been recently that I've been able to articulate it in terms of a simple model. The general idea is that we need a way to empower people to exercise good information security and risk management at the personal level, in their jobs and at home. Policies will never be able to address what people should do in every situation they will encounter. At some point, we have to trust them to make good risk decisions. But they need tools to stay current with threats in a way that keeps them engaged and in a way that builds momentum among co-workers and business partners.

The concepts include Contingency, Trusted Connections, Personal Context, Input and Output Controls and Collaboration. Structured in this way, the model can be easily taught and used, and provides a "self-perpetuating" aspect that allows for empowerment from the ground up.

Security News - 9:15

1) Google Browser Security Handbook for Web application developers.

Click HERE for more information.

2) Phishing Emails and Spam (observations from Scott) - 10:10

3) Ponemon Survey of Risky Internet Application Use in the Enterprise - 12:20

The report is available for download by clicking HERE. But you will have to register at the site to download the report.

However, I recommend first reading the post in The Streetwise Security Zone forums under "Risks in the News"
available by clicking HERE.

4) The Honey Stick Project - 14:05.

Is your organization one click away from having its information systems grinding to a halt due to risky decisions by your staff?

Check out the latest notes and results at http://www.honeystickproject.com

Risks in the News - 16:15

1) I'd like to thank Natasha Woods for posting an article by GFI's David Kelleher about the risks of using social networking in the enterprise. I hope to get Dave into a podcast discussion, but didn't have sufficient time in this episode to put it into the audio this week. But please check out the article by clicking HERE. Stay tuned for more in a future episode.

2) Microsoft recently announced a large surge in attacks on the Internet Explorer browser and has published a set of guidelines for protecting yourself. Click HERE for an overview article.

The critical patch is still worth downloading, even if you have Microsoft Update turned on. You'll need to find your version at the Microsoft link below:

http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

I also recommend switching to the Firefox browser at http://www.firefox.com and using the NoScript add-on, also available from the Firefox site. Let me know if you have trouble finding them.

Product Research - 21:30

Just a mention here that I plan to cover some of the interesting security solutions available for mobile data security, specifically USB Flash Drive security solutions. So, stay tuned for more focus on these topics in future podcasts.

Q&A Feedback - 22:15

"Are you a parcel mule?", contributed by Andrew Codrington. Don't be duped into helping criminals just because you could use a few bucks. You can view his post in the forum by clicking HERE.

The Lighter Side of Security - 24:35

This isn't really that funny, but it does seem a bit comical. McCain and Palin's campaign staff auctioned off Blackberry phones with all the data still on them. This, and other tidbits I found entertaining, are available by clicking HERE.

Also, the famed "Stop Shooting, I'm Just the Security Guy" coffee mug is now available. Learn more by clicking HERE.

Reading Recommendations - 26:45

Tribes: We Need You to Lead Us, by Seth Godin, is a great read for anyone who is not happy with the Status Quo for anything important to you. With the tools available now, it is very easy. But it does require some thought and planning.

Into the Breach, by Michael Santarcangelo, is a must read for executives and security professionals. Michael's work is the inspiration for much of my thinking. This book complements the Governance by Graffiti model very well.

Empowerment Tips - 31:30

Start taking note of the kinds of information assets you work with on a daily basis, and try to understand their importance to you and your organization.

Consider Joining Toastmasters  - 33:00

If you really want to make a difference, and become the go-to person for security awareness or any subject that you are passionate about, it's important to be able to communicate verbally. Toastmasters is not just the "after-dinner speech" club. There are a lot of good things about this organization that can help you to not just overcome a fear of speaking, but to become a professional communicator and leader.

Conclusion 34:20

If you’re not already a member, please join The Streetwise Security Zone by clicking HERE. You'll find discussion forums, articles and tools to provide personal and job-level security training ranging from social engineering to contingency planning, to help protect your information assets against today's threats.

You can subscribe to this podcast on iTunes by clicking HERE.

Thanks for listening!
(If you'd rather see written transcripts of my audio podcasts, please let me know.)

If you enjoyed this audio program, please consider clicking HERE to subscribe via iTunes, and click on the "Write a Review" link at the bottom of the cover page.




12. Array
http://feedproxy.google.com/~r... download (audio/mpeg, 11.16Mb)

Description:

Hi, I'm Scott Wright, The Streetwise Security Coach, author of Scott Wright's Security Views website and creator of the Honey Stick Project for security awareness measurement research.

This is the inaugural episode of The Streetwise Security Zone Podcast. The SWSZ Podcast provides guidance for making serious improvements in how you secure your sensitive information with people and technology.

In this podcast I explain my vision for The Streetwise Security Zone, and how you can make use of it, no matter what your situation. It's the ideal platform for empowering yourself and your team with "Governance by Graffiti" - using your knowledge, combined with best practices and advice from others in the community, to find ways of improving security and productivity in your job.

As inspiration for future SWSZ podcast content, here's a question for you:

What's your favorite story about "passwords"? It can be anything - rules that are too strict, passwords getting stolen or good strategies for remembering 20 different passwords. I'd like to hear from you.

If you have comments on any of the site or podcast's contents, I encourage you to enter them below. Or, if you have an opinion you'd like me to comment on, please contact me by email at scott@streetwise-security-zone.com or you can call and leave a voicemail message at 1-613-693-0997. I will be airing selected email and voicemail messages with your comments or questions in future episodes.

If you would like to subscribe to the Streetwise Security Zone Podcast, click HERE to go straight to the iTunes feed. Once iTunes opens, simply click on the Subscribe button under the podcast name. Finally, if you like this podcast, please take a moment while you're in the iTunes store to enter a review for it.
