Cyber security awareness month is almost over, but before it ends we’ve got some advice from infosec pros to pass on that hopefully will be useful in your work.
First, from Tim Helming, director of product management at DomainTools, a service for searching behind domain names and IP addresses, comes a suggestion on getting help for the security team: Use employees.
“My philosophy is security and secure practices need to be absolutely baked into the culture of an organization and everything they do,” he said in an interview. “There are two really big ways employees can be an incredible asset. One way is by them practicing good security so they don’t click on stuff they shouldn’t. The other big way is by being your sensors on the network to tell you about things that are going on.”
For example, not only spotting spear phishing but also bringing it to the attention of, or sending it to, the security team. “A phishing email can be a tremendously valuable forensic artifact,” says Helming, “because security might not have seen it, it might not have triggered an alert.”
So when an employee is onboarded it should be emphasized they are part of the security team. It doesn’t mean they have to be a security expert, but as part of the regular security training they should be told there are some things to pass on to staff and security when they discover suspicious messages, or if someone tries to give them a USB drive.
Helming is also a big supporter of gamification as part of awareness training – for example, as part of a phishing test giving coffee shop coupons for those who alert the security team. As the tests get harder, up the value of the coupon.
As for infosec pros, Helming urges them to build a library of online resources they can turn to in order to build their security knowledge or use in an emergency. Among those he likes:
Cisco Systems’ Talos threat research blog, which he says is usually free of vendor puffery and has information on new vulnerabilities and how to break them down;
The OWASP Top Ten Project, a regularly updated list of the top cyber threats and guidance on how to avoid them;
The SANS Institute resource page, a huge source of information on a wide number of topics on security, awareness training and leadership;
SANS has information on industrial controllers, but there’s also the American-based ICS-CERT, which issues alerts and has this recommended practices page;
For those who want to dig into the technical aspects of malware, he favours Malware Must Die and Kahu Security.
Finally, if you’re bored and want a dancing graphical representation of what malware is doing around the globe, see Kaspersky’s cybermap.