This week's YouTube recommendation is a talk given by physical pen tester Jayson Street at the 2015 AIDE (Appalachian Institute of Digital Evidence) conference.
The first part focuses on what can happen when you don’t have effective procedures in place to handle security events, using real pen test examples at a bank in Beirut and a US State Treasury to show how even supposedly security-conscious organizations can fall prey to social engineering attacks in the physical world.
Bear in mind that it's not just high-profile, high-value organizations that are targets for thieves: pretty much every office holds very portable, attractive targets for bad actors who use just these types of approach to get in. Laptops, tablets, cellphones, wallets, credit cards, building keys, badges and access tokens, car keys, stock – anything that can be quickly and easily lifted and turned into cash is a target for the opportunist thief, quite apart from the value of any data taken or the cost of malware planted on your systems.
After the scary stories, Mr. Street goes on to explain the “Three Es” of effective security process implementation.
Educate
- Teach employees common dangers they face not only at work but at home as well! Make them security conscious by default, not by policy!
- Drive home the fact that “Stranger Danger” is a good policy no matter how old you are!
- Create teachable events year-round, not an annual exercise in futility!
Empower
- Users are not your problem, they are part of your solution!
- Give your employees a way to be effective then let them know about it!
- Give them opportunities to do the right thing, rewarding them when they succeed and teaching them when they fail.
Enforce
- Do employees see policy being enforced evenly throughout the enterprise?
- Show real world impact to online incidents!
- Visibility is sometimes all that is necessary!
The complete video is one hour and 18 minutes, and worth your time to pick up some examples for your own security initiatives and perhaps worth sharing as part of your security education program as well.
In July 2016, the Kensington IT Security & Laptop theft report (press release here) found that theft of laptop computers from offices accounted for 23% of incidents – almost as high as theft from cars or transportation (25%) – and more than theft in airports/hotels (15%) or restaurants (12%).
An office, especially one with some security measures in place (which is usually the case), can leave associates and visitors with a false sense of security – but a security-conscious culture doesn't have to be unwelcoming or oppressive. I'm an infrequent visitor to our own corporate headquarters, so I'm not known to everybody: it's quite reassuring that people will approach the "unescorted stranger in the office" and ask who I'm looking for. As a visitor, it makes for a welcoming environment and an opportunity to meet colleagues. For anyone who is not supposed to be there, it provides an opportunity to challenge and take further action.