A piece in the Redmond Magazine "Protecting Office 365 from Attack" caught my eye today - specifically this chunk on "User-Awareness Training" [sic]:
"One of the most effective but underutilized strategies for defending your network against malware such as Osiris/Locky is user-awareness training. Because it's impossible to catch all malware, your users are the last line of defense for your network, and they should be trained as such. Accordingly, you should implement the following user-awareness training strategies:
Skimming deftly past the fact that "User-Awareness" literally means being aware of users (as in IT users, presumably, but drug users is the usual implication), the author's conflation of training (as in dog-training) with awareness makes this rather lame advice. It's superficial at best, admittedly just a small part of an article about securing Office 365 - Microsoft's answer to Google's online creative/collaborative tools.
Aside from the naive but typical myopic focus on phishing, there are so many other angles to security awareness, even in relation to Office 365 specifically, that it's hard to know where to start. FWIW here's a quick brain dump:
- Security awareness for the managers responsible for enabling and authorizing use of online tools (e.g. helping them understand the risks and opportunities associated with various approaches and tools, the governance implications of using third party information services for business purposes, and how to measure this stuff through appropriate security metrics ...)
- Security awareness for the technologists responsible for the associated technologies, filling-in some of the stuff they probably weren't taught at college (e.g. network security and crypto key management, logging and alerting, cloud insecurity, click-to-run automatic patching and security awareness ...)
- Security awareness for customers, partners and other interested parties (e.g. how to spot and deal with phishing attacks using the organization's own brands, domains, people's names, project names etc. as lures ...)
- Confidentiality, integrity and availability aspects, including incidents other than "attacks" (e.g. taking care to avoid inadvertent or inappropriate disclosure, privacy aspects such as trans-border processing, typos and outages, spotting and dealing with fraud ...)
- Identification, authentication and access controls (e.g. online passwords, sharing files ...)
- Business continuity (e.g. the pros and cons of online and offline toolsets, identifying critical aspects, ensuring resilience and recovery plus true contingency preparation ...)
- Roles and responsibilities, plus accountabilities, plus compliance ...
- Intellectual property rights, piracy And All That ...
- Collaborative working and social engineering in general ...
- Bugs! plus design flaws, secure development, testing, change-, version- and configuration-management ...
- The rest of malware (just imagine the implications, for instance, if say Office 365, Google Docs and/or other online office services were hijacked by doomsday ransomware that affected all their clients simultaneously - not just individual clients infected with ransomware such as Cerber ...)