Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Nov 5, 2008

PwC 2008 infosec survey

A key finding from the 2008 information security survey by PwC is that organizations are spending more on security technologies but need to achieve a better balance:
"One of the best ways of improving enterprise-wide visibility into the crucial details of actual security incidents is to match technology investments with an equally robust commitment to the other principal drivers of security’s value: the critical business and security processes that support technology, and the people that administer them."
Technology is a bottomless pit for security investment: one can always spend more on security hardware and software but after the basics (such as antivirus and firewalls) are covered, the returns diminish. Organizations should be complementing their technological investments with security awareness and training.
"What matters, of course, is improving an organization’s ability to defend and prevent attacks on an ongoing basis—without distracting people from the every-day operational needs of the business or incurring the exorbitantly high price tags associated with a reactive response to an unexpected (but foreseeable) crisis. And that requires getting key information about the risks to an organization’s data and systems very quickly from the front row to everyone else in the house. Expanding security awareness at every level of the enterprise is essential."

Nov 4, 2008

Social engineering - exploiting the weakest links

Surveys and news items suggest that social engineering attacks are on the rise in terms of scale and sophistication, as well as number. A new 40-page white paper from ENISA:
  • outlines social engineering methods such as pretexting, phishing, spear phishing and vishing;
  • presents an interview with acknowledged social engineer Kevin Mitnick;
  • discusses three studies portraying how easily naive/untrained users are manipulated;
  • identifies five defence measures; and
  • offers a checklist to fight social engineering based on the mnemonic LIST (Legitimacy, Importance, Source, Timing).
While technical controls can help to some extent for example by identifying emails that might be phishers, research on undergraduates (described in the paper) demonstrates the effectiveness of repeated security awareness/training.