Security and threat intelligence reports
Vendor-released security intelligence reports are a double-edged sword: on one hand they are (usually) provided at no cost; on the other hand they have a reputation for carrying a bias towards the business focus of the vendor releasing the report. Personally I think many of the reports are of considerable quality, and as long as the reader applies some common sense, the information in those reports is of great value to anyone who tries to be proactive about his job/passion. With Verizon’s DBIR and Microsoft’s SIR released, the two big hitters are now available and, at least in the case of the DBIR, are heavily discussed in the media and among security professionals. Both of these reports should definitely find their way onto your reading list, but there are also several other very read-worthy releases from other vendors. Besides providing additional data that helps to cross-reference findings between reports, reading more than one report can help to crystallize or dismiss trends and lead to a better picture of your (potential) exposure. Below is a short list of noteworthy reports released in the last few weeks:
2011 Verizon Data Breach Investigations Report
Microsoft Security Intelligence Report 2011
2011 Blue Coat Web Security Report
Symantec Internet Security Threat Report (ISTR), Volume 16
Sophos Security Threat Report: 2011
Trustwave’s 2011 Global Security Report
HP/Tippingpoint Cyber Security Risks Report
Arbor Networks Network Infrastructure Security Report
Cisco 2010 Annual Security Report
The list is obviously not an exhaustive compendium but it should give a few starting points.
Security Awareness training vs. Media hype
Security awareness training is an interesting topic; the importance of educating your security-challenged employees or family members is generally undisputed, yet there are intense debates about whether security awareness training makes any difference and/or is worth the effort put behind it. And it is somewhat discouraging if even industry bigwigs like Schneier and Ranum (Face-Off: Schneier, Ranum debate security awareness training) can’t come to a conclusion about whether we are doing the right thing.
The effectiveness of security awareness programs is quite hard to measure and I won’t get into that discussion here (though I think we are making a mistake if we are not trying to benefit from the experience of our marketing colleagues on this), but I believe there are many factors to consider – positive and negative. And recently I seem to come across one of those negative factors a lot: security professionals who seem to belittle the sparking curiosity of users in information security. It seems that as soon as an IT/information security hot topic hits the mainstream media, security professionals start to sigh and feel someone stepped on their turf. They are quick to comment “Just another over-hyped story”, “The sky isn’t falling, just the usual media hype” etc., and unfortunately I have to admit I did that myself as well (Conficker, April 2009, anyone?). Granted, most stories are hyped in mainstream media and there is no problem with discussing and ranting about it with your fellow security professionals, but why oh why would we try to play down relevant security events in front of users? Sure, it makes you look competent to claim “No worries, we got it. It’s not that bad.”, but in truth I believe we are carelessly undermining our attempts to raise awareness.
Let’s face it – mass media is doing an incredible job relaying information to the wider population in a way that catches their attention; sure, they might exaggerate and miss some technical facts, but the important part is that they get the attention and spark interest. I believe we, as security professionals, should grab any chance we get to leverage the exposure of security topics to the usually uninterested or otherwise occupied population. Don’t get me wrong, I’m not saying to encourage the hype, but don’t suffocate sparking inquisitiveness by stating ‘don’t worry, we got it, that’s our job’. Take the time to speak to your users, answer their questions, use ‘hyped’ security stories as an opportunity to engage with them, and make mass media hype a tool in your educational portfolio – it works for celebrities, why not for us? Ask yourself: did my corporate security awareness program do a better job of educating users about encryption of data in transit, or did Ashton Kutcher’s faux pas (Ashton Kutcher’s Twitter account gets hacked, Punk’d, at TED Conference) relay that information more efficiently? As mentioned before, it’s hard to measure what of your security awareness program ‘sticks’ with the users, but realistically I’m a firm believer that mass media, as annoying and inaccurate as it might be at times, does a far better job of raising awareness than all corporate programs put together.