Once again it is October, Cybersecurity Awareness Month (CSAM) 2015. Remember the halcyon days of 2014 when the big worry was which credit card we had used to shop at Target? In 2015 things have only gotten worse. Massive security flaws were found in several of the underlying software components built into widely deployed systems. According to The White House, the Chinese hacked OPM, stealing sensitive personal information on virtually everyone with security clearances (after also being blamed for the health care hack on Anthem and others). No doubt they are cross-referencing it to the Ashley Madison lists, where at least we can take comfort that most of the female profiles were bots.
The Russians apparently were behind the IRS hack, gaining access to approximately 300,000 tax returns and exposing those people to potential tax fraud in 2016 and beyond. Somebody seems to be test-driving a massive nation-state cyberattack against the U.S.; in spite of benign-sounding assurances it is hard to believe that the simultaneous failures of the United Airlines reservation system, the New York Stock Exchange and the Wall Street Journal were mere coincidence, especially against a background of continuous attacks against Universities, the power grid, the transportation infrastructure, businesses and their intellectual property and so forth. The one silver lining is that we are apparently mostly past the denial and lack of awareness that was widespread only two years ago, but now what?
These daily Cybersecurity Awareness postings are targeted to a broad, technically astute audience of users, but not necessarily information security specialists. As such, they cover a very broad range of topics, and tend to look at the larger picture rather than details of specific technical issues. Feedback, corrections, and suggestions for additional topics are always welcome. The plan for this month’s postings are as follows:
Tuesdays and Fridays – Back to Basics…how did we get here and what are the issues. Specific topics include computers, software, networks, cloud, encryption, mobile, and the Internet of Things.
Thursdays – Industry verticals…increasingly cybersecurity approaches are targeted to specific industry verticals, since they face different types of threats and issues. These posts will cover Financial, Advanced Manufacturing, Critical Infrastructure, and Government.
Mondays and Wednesdays – general interest topics. Why is Cybersecurity so Hard? What are the threats? Why is identity so important? What does the market look like? How about the emerging technology trends?
One thing has remained constant: people are the weakest link. The vast majority of cyber attack campaigns begin with or include significant components targeted at users, including open source surveillance, phishing, and social engineering, all designed to find out the best ways into an information system and shortcuts to help an attacker get there faster. For example, want to know a user’s password? Try asking them. In one study, 90% of office workers gave away their password in exchange for a cheap pen. Hopefully this blog can play a small part in increasing awareness and understanding of the complex technological world where we all live and work, and help improve our chances of maintaining information technology as a source of knowledge, productivity and freedom rather than a vehicle for theft, deceit and destruction.