Think before you post. It's not just advice for bloggers like Whole Foods CEO John Mackey. New generations are growing up with an entirely different expectation of what needs to remain private.
While watching TV tonight, I saw a public service announcement (PSA) from cybertipline.com titled “Bulletin Board.” In this PSA, a girl puts her picture on a physical bulletin board but quickly finds that it's not so easy to take something back once it's been put out there.
Here’s the YouTube copy.
More information is available at their website.
The cynical person might make jokes about how hokey this is. “So you’ve had the birds and the bees talk with your kid, but did you make sure they are practicing safe surfing?” I actually thought the PSA was great and was happy to see it get run on TV.
Think Before you Post
More Bad PII practice at JMU
We’ve all heard about the chocolate-bar-for-your-password surveys; you’ve probably also heard about the fake credit card application and ID theft for a free t-shirt. What I saw this past weekend was only slightly better.
I was down at my alma mater’s homecoming football game. After the game, I decided to check out old haunts by wandering through the music building. I found a signup envelope for Pep Band. Pep Band pays (very poorly), so people signing up for Pep Band have to include a University employment application and a W-4. There was also a request for a copy of the applicant's driver's license and Social Security card.
So here in this unguarded, unlocked university building hallway, I found 20-30 Pep Band applications, all of which included Social Security Number, Student ID number and home address. Some applications also had the requested copy of the driver's license and Social Security card.
Do people have no concept of protecting personally identifiable information?
Authority asked them to do something dangerous with their Personally Identifiable Info, not for a chocolate bar, but as part of the job application process. The paperwork submission process should not leave this information exposed in a hallway.
InfosecMag User Education Point Counterpoint
In the April 2006 Information Security Mag (free subscription required), Marcus Ranum and Bruce Schneier have a Faceoff on User Education. Actually, they don't have much of a faceoff, since they both agree that security education has not helped.
Ranum, “Security practitioners have shouted themselves hoarse trying to educate users. But has it helped? Obviously, no: Phishing scams are still raking in money, viruses are still spreading, and countless users continue to use their cat’s name as a password for their online bank account. In fact, it looks like the situation is getting worse rather than better.”
Schneier, “I’ve met users, and they’re not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they’re not technologists, let alone security people. Of course, they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile.”
You’d think they’d have a counterpoint from one of the security awareness companies.
Computer Security Day – Nov 30
Computer Security Day was started in 1988 to help raise awareness of computer related security issues. Our goal is to remind people to protect their computers and information. This annual event is held around the world on November 30th although some organizations choose to have functions on the next business day if it falls on a weekend.
We had an event today; I think it came out fine. Posters in the elevator lobby. Security Awareness newsletter in everyone’s mailbox. And post-it notes with a security-related theme.
Computer Security Day
Did you know that November 30th is Computer Security Day? According to their website, Computer Security Day was started in 1988 to help raise awareness of computer related security issues. Their goal is to remind people to protect their computers and information.
I was wondering if any readers currently have a computer security awareness campaign on this date. I’m trying to put something together at my company for this year. As with most companies, it's always tough to get something done. It's never too soon to start planning. Computer Security Awareness is an important part of a corporate security program.
I’ve added a countdown in the left hand menu column.
Passwords and Careless Users
A story from Network Security: Private Communication in a Public World by Kaufman, Perlman and Speciner.
At a lecture on computer security, a professor asked, “Are there any advantages of passwords over biometric devices?” A helpful student replied “When you want to let someone use your account, with a password you just give it to them, while with a biometric device you have to go with them until they are logged in.” This is the sort of remark that sends chills down the back of security administrators and makes them think of their users as adversaries rather than the customers they are trying to protect.
Security people need to remember that most people regard security as a nuisance rather than as needed protection, and left to their own devices they often carelessly give up the security that someone worked so hard to provide. The solution is to educate users on the importance of security, helping them to understand the reasons for the procedures they are asked to follow and making those procedures sufficiently tolerable that they don’t develop contempt for the process.
OneMoreTalk
Ran across a cool article over at cybercrime.gov. It originally appeared in Newsweek last year. In it, the author comments about rites of passage in growing up. Huge effort in training is put into drivers ed. There are sex ed classes. But when it comes to computer security, many parents never have “the talk” with their kids.
It's the same at work. Many employees have never been given “the talk.” They think they are too old to be lectured about online safety. So instead they play fast and loose with their privacy, giving their email address to every Tom, Dick and Harry who has a bag of seed to trade. They download all sorts of unknown games, leaving the computer infested with God knows what.
Before you have to take their computer down to the clinic for a shot, give your kids, give your employees THAT talk about safe computing.
NCSA Survey says: Most have no clue how insecure they are
A survey by the National Cyber Security Alliance found that most people have no clue when they last patched or updated antivirus. 30% of people think they have a better chance at hitting the lottery than suffering a computer security problem.
According to the US National Weather Service, Americans have a 0.0000102% chance of being hit by lightning.
By contrast the chances of falling victim to a computer virus, phishing attack, malicious hack attempt or other cyber security dangers are currently running at 70%, according to statistics gathered for the E-Crime Watch Survey.
So what do we need to do? Public security announcements regarding computer security? Required autoupdates?

