
The Intern’s Security Practices Part 2: Links and Software

As Defence Intelligence’s intern, I decided to survey my class at Algonquin College to find out how they protect themselves from digital threats. Here is the next section of the survey results, on links and software.

To start, I asked if my classmates open links on various social media sites and in emails. Here is what they said:

Some of these results could be off because they may not have an account on LinkedIn or Twitter. Since all students have an e-mail address and the majority have a Facebook account as well, it’s not surprising that they have the highest percentage. I will open links on any of those platforms if I recognize the sender and it’s something they normally do. This is how I fall into the 67 per cent that open links from known sources.

With that said, I don’t open every link received from someone that I know. I read the text around the link and check Google for any warnings. This habit saved me from a virus spread through Twitter where you received a message from a friend saying they found a picture of you. When you clicked the link it gave you the virus. With 80 per cent of the students saying they don’t open messages that are just a link, it looks like when it comes to links they have an idea of how to act securely.

It surprised me to find that only 65 per cent of the students admitted to downloading music or movies through sharing and torrents. I’m definitely guilty of this from time to time, especially when it comes to movies.

Moving on to software, we wanted to know when students decide to update their software.

It’s interesting to note that one student wrote on the survey that they check to see how important the update is.

The most surprising result of the survey was that 82 per cent of students said that they don’t have antivirus software on their phones. I would be curious to see how many are iPhone or Android users. As an iPhone user I’m not sure I have any antivirus software.

“People fail to realize that their phone is a computer and should be treated as such,” said Keith Murphy, Defence Intelligence CEO.

Similarly, 35 per cent of students don’t have antivirus software on their computer or laptop, and 22 per cent don’t know if they have any. This was a shock to both Murphy and myself.

“If they don’t know whether they have AV, it’s safe to assume that they don’t,” said Murphy.

With this news, it’s no surprise that 22 per cent admit to discovering a virus on their computer. Of the 43 per cent of the students that have antivirus software on their computer or laptop, 17.5 per cent use McAfee, 12.5 per cent use Symantec/Norton, two per cent use Windows Essentials, seven per cent use Avast, and five per cent use a different type of software.

Stay tuned for our last post concerning the security attitudes of the students.

By Sarah Raphael

90 Minutes to Privacy

In light of this being National Data Privacy Day for the U.S. and Canada, here are eight tips to create safe online personal security habits. We previously covered best practices for passwords, keeping your software up to date, and running a decent anti-virus solution. Now get ready to start the timer and do what you’ve been meaning to do for years.
Reconnoiter – 15 Minutes

The first step in securing your privacy is to find out just what is out there for the world to see. If you’ve never Googled yourself, now is the time. Google search to check on:

1. your name
2. your name + your city
3. your name + your employer
4. your phone number
5. your address
6. your email addresses
7. screen names
8. gamer tags

Google search anything that you’ve ever used to identify yourself. Don’t forget to do an image search while you’re at it.
You might be surprised to find that your dating profile, gaming history, forum posts, site memberships, comments, pics from the office party, etc. are easily uncovered.

Now find out what Google knows about you here.

Turn off your Google search history here.

Get your credit report. You should know what’s on there, and it’s easy and free to request it. Look for anything suspicious or incorrect and contact the agency immediately if anything is amiss.

You don’t need to pay for the upgraded service; there is no charge to receive your credit report.

Canada – Equifax [PDF]
              – Transunion

USA – Equifax/Transunion/Experian

Call your doctor and get a copy of your medical history. Most people have details about every oil change they’ve ever paid for but have no clue about their own health records.

Depending on where you live, you’ve got the right to access different information that is on file about you. Insurance companies, payroll companies, social services, etc. should all supply you with what they know about you.
Shrink your footprint – 20 minutes

Haven’t used a Groupon in 6 months but still getting spammed daily? Signed up for 5 different streaming radio services but only use Songza? Found your true love but still have profiles on dating sites? Now is the time to delete any accounts that you no longer use. It’s a pain, but it only takes a minute. If your MySpace page is still sparkling and blaring music out there, just put it out of its misery. As an added bonus, your inbox will thank you.

Can’t remember all the crap you’ve signed up for?

- Look through your spam folder.
- Check your purse or wallet for points cards, rewards cards, coupons, etc.

Location services – Maybe you love Google’s location-aware search results, but there is no need for most apps to know where you are. Similarly, nobody needs the GPS coordinates of the party you were at last night. If the app doesn’t need to know where you are to work, then turn it off.
Delete – 10 minutes

Take ten minutes to go through the files and folders on your computer. Delete anything and everything you can. Be merciless.
Tighten your social media belt – 10 minutes

Adjust your privacy settings. Facebook is the big transgressor here, but be sure to check your LinkedIn, Twitter, Foursquare, Pinterest, etc. as well. Even if you don’t care, your contacts might.

Your privacy settings on sites like Facebook and LinkedIn don’t only affect you. Take the time to make sure that you’re not sharing any data about your friends with people that you don’t know. Why let strangers creep all of your contacts on LinkedIn and share friends’ data with third-party developers on Facebook?
Go on a friend diet – 10 minutes

Prune your lists of friends: Facebook, LinkedIn, Google+, Skype, MSN, ICQ, AIM, IRC, etc. If you haven’t talked to them in the last year, you probably never will. If you need to look them up, you can always do so.
Go on an app diet – 10 minutes

Look through the apps on your phone. If you haven’t used it in a month, uninstall it. No matter how many times you tell yourself otherwise, you are never going to use Google Sky. Bored with Fruit Ninja? Downloaded Layar just to show off your phone? Get rid of them. You can always install them again later, even the ones you’ve paid for.

The same goes for any Facebook apps you may be annoying your friends with. Ditch them. Nobody cares about your farm or what you just played in Words With Friends.
Create an alias – 10 minutes

Not just a username, make a whole person. First name, last name, email address, birthday, pet. When you need to sign up for something non-critical, use your alias. If they don’t need your real name, don’t give it to them. With the birthday/email/pet, you should even be able to recover your password if you forget it. Now is your chance to have the supercool name that you always wanted. Hello, Mr. Mike McCool.
Lockdown – 5 minutes

Make sure you use lockscreens on your phone, tablet, computer, etc. Set them to lock after 2 minutes. No exceptions.

Install Prey or a similar tool on your devices just in case: preyproject.org

Sign out of everything you log into, whether it’s a site, a program or a computer.

Tell us how you did with the 90 Minutes to Privacy plan. Did it take more or less than 90 minutes?


The Intern’s Security Practices Part 1: Passwords

Being the newest addition to the Defence Intelligence team and having recently been introduced to the world of security, I’ve been learning some best practices and adjusting my Internet usage habits. Over the past few weeks I’ve learned that some of my habits, especially when it comes to passwords, could use some improvement.

We decided to survey a class of first year public relations students at Algonquin College, in Ottawa, to see how my practices compared to theirs. The majority of the class is female with an average age of 21.

We found that 90 per cent of the students use the same password for multiple accounts. Personally I use different types of passwords for different types of accounts. I use the same password for social media accounts, another password for my e-mail, and a separate one for my online banking. I find it difficult to use a different password for everything because I use a lot of social media sites.

“It’s interesting that this generation has been called digital natives yet their security practices are very poor. By using the same password on multiple accounts they are trading their personal information and security for convenience,” says Keith Murphy, the CEO of Defence Intelligence.

Fifteen per cent of the students said they change their passwords frequently. For the next survey we will need to define how often ‘frequently’ is. I only change my passwords if the site prompts me to or I need to reset my password because I forgot it. I was surprised that 77 per cent of the students use passwords that have more than eight characters. I tend to use the minimal allowable amount of characters when I create passwords. I think that the school’s password standard is seven characters, which could be why some students are using longer passwords.

With only 45 per cent recording their passwords in a safe place, I’m not surprised that their passwords are changed often. I have trouble finding a place to store passwords. When I discussed this with Murphy, he said that the best practices were to use encrypted storage or to write them down. He also recommended avoiding saving passwords in the browser and on your computer. The following article from Lifehacker is very helpful in outlining some common mistakes and best practices. You can also see our tips here.

The following chart shows the type of characters the students are using to create their passwords:

I’m not surprised that the majority of the students use upper and lower case letters; those are fairly common. What surprises me is that there is a significant drop when it comes to the use of numbers, special characters, and punctuation. I didn’t start using special characters and numbers until Google, Apple, and other sites started showing you the strength of your password.

In the next blog post we will discuss the survey results concerning the use of links and security software.

By Sarah Raphael


Start Your 2013 Learning and Connecting

Photo image thanks to Keerati at FreeDigitalPhotos.net
Is one of your resolutions for 2013 to remain current with security information and connected with security professionals? Then one event you’ll want to include in your schedule is the Canadian Security Partners’ Forum’s second annual Women in Security Lecture Series. The event will be hosted in Ottawa, ON at the Hampton Inn and Conference Centre on Thurs Feb 7 at 5:30PM.

The CSPF is committed to creating a meeting place for all disciplines and domains within security, including national security, defence, law enforcement, public sector, private sector and public safety. Last year more than 300 in the security profession came out, with almost an even split of women (55%) and men (45%).
The confirmed speakers list includes:

Dr. Alison Wakefield
  • Senior Professor in Security and Risk Management at the Institute of Criminal Justice Studies, University of Portsmouth
  • Director of the Academic Board at the Security Institute
  • Serves on the editorial boards of Security Journal and Police Practice and Research
  • Her influential publications on criminology and law enforcement include: Selling Security: The Private Policing of Public Space; The Sage Dictionary of Policing; and Ethical and Social Perspectives on Situational Crime Prevention

Natalie Runyon, MBA, CPP
  • Director, Global Security, Thomson Reuters
  • Owner of CSO Leadership Training
  • Member of the ASIS CSO Roundtable and its Leadership Development Committee
  • Former Illicit Transactions Analyst for the Office of Global Security, Goldman Sachs with the Central Intelligence Agency

Christina Duffey, CPP
  • Vice President, Operations, Paragon Security
  • Former President, ASIS Professional Certification Board (PCB)
  • Recognized expert in the security field with extensive security operations knowledge and expertise in asset protection, physical security, and risk management

Sylvia Fraser, CPP, PMP, CRM, CSPM (Moderator)
  • Corporate Security Supervisor, City of Toronto – which requires Sylvia to oversee the Business Strategies and Risk Management Office
  • 14 years of experience in the security industry providing security management, security system designs and project management across both government and private security endeavours
  • Specializes in security risk management programs, portfolio management, and critical infrastructure

Providing closing comments to this exemplary list of presenters is Colleen D’Iorio, Executive Director, Security and Identity Management (Treasury Board of Canada Secretariat). Previously she held the distinguished roles of Director General Access and Director General Cyber Protection at the Communications Security Establishment of Canada (CSEC).

Defence Intelligence is proud to be a Diamond Level Sponsor for CSPF’s Women in Security Lecture Series. We hope to see you there.

Tickets, which include a full meal, are only $70.
Register today; this event is sure to sell out.
For more details and to register visit: http://cspfwomeninsecurity2013.eventbrite.ca/


The evolution of the CIO and CISO


The role of the Chief Information Officer was first created in the 1980s; before that the responsibility for information security belonged to the Chief Financial Officer. As technology and society changed over the years, so has the role of the CIO in organizations.

The traditional role of the CIO and CISO is described by Bill Brenner, the senior editor at CIO magazine, as “over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off of infected laptops.”

Since then the CIO has taken on a more prominent role and become a central position in business operation. Expected to be knowledgeable about business and up to date with technology, the modern-day CIO is a kind of Superman. This explains CIOinsight writer Allan Alter’s discovery that the majority of CIOs have a mixed background in technology and business.
Paul McDougall, a writer for Information Week, discusses how the rise of the Internet economy has created a need for CIOs to play a central role in organizations. The Internet economy has made IT departments more central, with the added pressure to deliver more results with fewer resources. In a blog entry on Information Week, Cisco chief technology officer Padmasree Warrior explains the new expectations for the IT department: “CEOs now expect IT to provide profitable growth and business agility. The role of the CIO is changing.”

This significant shift in thinking comes alongside the emerging challenges of mobile integration and cloud computing, which place pressure on CIOs to integrate more mobility into the daily operations of the business environment.

With all of these new challenges and demands it is necessary for the CISO’s role to change from reactively responding to security threats towards a more intelligent and holistic risk management style.
A study conducted by the IBM Center for Applied Insights called Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment found that security professionals are under intense pressure to protect the firm’s most valuable assets: money, customer data, and intellectual property. IBM created a list of mature security practices of influencers in a variety of organizations:

  1. Security is seen as a business (versus technology) imperative.
  2. The use of data-driven decision making and measurement.
  3. Sharing budgetary responsibilities with the C-Suite.

“This data painted a profile of a new class of CISO leaders who are developing a strategic voice, and paving the way to a more proactive and integrated stance on information security,” said David Jarvis, author of the report and senior consultant at the IBM Center for Applied Insights. “The path of the CISO is now maturing in a similar pattern to the CFO from the 1970s, the CIO from the 1980s – from a technical one to a strategic business enabler. This demonstrates how integral IT security has become to organizations.” [v]
The role of the CISO in organizations will continue to change over the next few years. It’s apparent that the CIO and CISO have a crucial role that needs to be recognized and given proper authority to put their in-depth security plans into place. This will help avoid incidents such as the recent breach at the South Carolina Department of Revenue. We’ll follow this discussion up in our subsequent blog. Do you agree that, while this is a good start, there is room for improvement?
By Sarah Raphael 
