Secure Your People, Secure the Future

Posted on Wed, Dec 30, 2015 @ 09:30 AM

Author: June Middleton


Retailers, hospitals, government agencies, and the details of their data breach woes continue to appear in news and social media headlines, and the pace of data breach announcements appears to be speeding up rather than slowing down. Organizations continue to spend thousands (if not tens of thousands) of dollars on technical security controls (firewalls, intrusion detection/prevention systems, anti-virus/anti-malware programs, encryption, access management, virtual private networks, etc.) to build strong security controls using a defense-in-depth strategy. In Computerworld’s annual Forecast survey of 194 Information Technology (IT) executives, 43% of them expected their IT budgets to increase in 2015.[1] Because of the recent high-profile security breaches at a myriad of companies, security spending moved to the top of their IT priority list for 2015. If organizations have continued to increase IT security spending, then why are the bad guys still getting in? If only I had a dollar for every time I have heard or read ‘the human is the weakest link in IT security’ over the past 12 months.

Human weaknesses are exposed by social engineering, which Wikipedia defines as the psychological manipulation of people into performing actions or divulging confidential information.[2] Social engineers (aka con men or human hackers) have been around since the beginning of mankind (e.g., the Serpent convincing Eve to eat the fruit from the tree in the middle of the Garden of Eden in Biblical times). Today’s malicious social engineers primarily fall into three categories:

  1. Opportunists with little preparation and little to no budget (a scammer who sends out a customized blanket phishing email);
  2. Well-funded attackers with lots of preparation (corporate espionage, organized crime, politically motivated attacks); and
  3. Trusted Insiders (former NSA employee Edward Snowden).[3]


Chris Hadnagy, CEO of Social-Engineer, Inc., in his 2015 book titled Phishing in Dark Waters, mentions that “Analysis of almost all major hacking attacks from the past 12 months reveals that a large majority involved social engineering – a phishing email, a spear phish, or a malicious phone call (vishing).”[4] These are just a few of the many attack vectors social engineers use against an organization’s employees, and against the other individuals or companies those employees know, to gain a foothold into the organization and steal sensitive or confidential information. If the human truly is the weakest link in IT today, then why are organizations not spending more of their IT budgets, both time and money, on mitigating the human weakness? While common sense tells us that no organization is 100% protected from the persistent malicious social engineer, it seems reasonable that organizations must add an additional layer of defense that mitigates the human risk to their IT system security. A one-size social engineering defense strategy does not fit all, and strengthening this human layer of defense should be three-fold:

  1. Performing periodic social engineering assessments (SEAS) by external professional social engineering penetration testers;
  2. Creating policies and procedures that are tailored to mitigate the organization’s unique social engineering vulnerabilities, as revealed from the periodic SEAS; and
  3. Conducting ongoing social engineering security education and awareness training, with a focus on the lessons learned from the SEAS.[5]

What is your organization doing today to strengthen its greatest weakness and protect its most valuable assets?


[1] Collett, S. (2014, November 3). 2015 Forecast: IT spending on an upswing. Retrieved from:

[2] Social Engineering. In Wikipedia. Retrieved on November 20, 2015, from

[3] Conheady, S. (2014). Social Engineering in IT Security. New York, NY: McGraw-Hill Education.

[4] Hadnagy, C. & Fincher, M. (2015). Phishing in Dark Waters. Indianapolis, IN: John Wiley & Sons, Inc.

[5] Conheady, S. (2014). Social Engineering in IT Security. New York, NY: McGraw-Hill Education.


Tags: cybersecurity, security, secure network

Developing an Information Security Wellness Program for your Financial Institution

Posted on Thu, Sep 11, 2014 @ 04:23 PM

Author: Karen Crumbley

Ask someone how they achieve optimal physical health and you will likely hear about the following three components: exercise, diet, and annual physicals. The combination of these three items provides a straightforward approach to preventing poor health or identifying any warning signs before they have an opportunity to progress. The same principles apply to information security awareness for a financial institution’s (FI’s) stakeholders (employees, board members, and customers). That is, given the same preventative measures, an FI may reduce the number and extent of information security breaches due to fraud. Consider implementing the following three measures in order to achieve information security wellness.

1. Exercise

The FI, much like the human body, needs mental exercise in order to stay fit. One example of exercise for the FI is to periodically assess how well its stakeholders can identify potential signs of fraud. Performing these assessments can help board members and employees avoid the risk of social engineering threats:

  • Do employees know the red flags that would distinguish a phishing email from a legitimate email message? How well would they perform if a fraudster had researched their social media profiles in order to construct a convincing email asking for non-public information?
  • If a USB flash drive were planted in the lobby, would a staff member pick it up and plug it into a machine on the FI’s network?

If there is hesitation in answering these questions, it is important to discover the current health of your FI’s education and awareness program. Measure the baseline status in order to assess progress and see which educational methods have an impact on your FI’s stakeholders. Engaging a third party to assist in testing behaviors may be beneficial in order to simulate real-world threats and keep staff on their toes through regular “exercise” that tests their awareness.

2. Diet

Information security awareness is the “diet” for an FI, yet FIs commonly approach information security awareness and education strictly as an annual event. Gramm-Leach-Bliley Act compliance for protecting customer information is not new, but that does not mean the educational content cannot be fresh. Ideally, there should be a well-balanced stream of information throughout the year that addresses the latest threats to non-public information and to cyber security within the organization. Helping employees recognize the signs of fraud and respond appropriately is a process. As an alternative to the annual binge, try feeding your FI staff information on current topics and the latest threats to non-public information throughout the year. Staying ahead of the curve is an important best practice. One further reason for a regular diet of information security focus is the increased pressure from regulatory agencies on cyber security directives.

3. Annual Physicals

Annual physicals are essentially a series of tests to assess the current state of wellness. One method for measuring the effectiveness of the FI’s information security awareness is to administer tests through a web-based training course. This allows employees to take all they have learned throughout the year and apply it. Unlike watching a video or hanging up posters, web-based testing quantifies results, tracks activity, and yields findings where there is a common thread. Perhaps there are areas of weakness that need additional attention. Identifying these areas will drive the diet and exercise regimen for the FI going forward and get everyone into SHAPE (StakeHolder Awareness Program Engagement).
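The “exercise” and “annual physicals” sections both come down to one measurable thing: a baseline of how stakeholders respond to simulated phishing, tracked per group over repeated campaigns so that weak areas and common threads surface. The script below is an added example (not from the original post or from any particular training product) showing how to turn a simulation tool’s export into those numbers. The records, department names, and the 30% click-rate threshold are constructed for illustration; the record layout is an assumption standing in for whatever your tool exports.

```python
"""Baseline and progress metrics for phishing-simulation results.

Added example, not part of the original post. SAMPLE_RESULTS is constructed
data standing in for the export of a web-based awareness/simulation tool.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str    # campaign label, e.g. "2014-Q1"
    user: str        # pseudonymous user id
    department: str  # group used for per-area reporting
    clicked: bool    # followed the simulated phishing link
    reported: bool   # forwarded the message to security


# Constructed sample data: two quarterly campaigns across three departments.
SAMPLE_RESULTS = [
    SimResult("2014-Q1", "alice", "lending", True, False),
    SimResult("2014-Q1", "bob", "lending", True, False),
    SimResult("2014-Q1", "carol", "lending", False, True),
    SimResult("2014-Q1", "dave", "teller", False, False),
    SimResult("2014-Q1", "erin", "teller", True, False),
    SimResult("2014-Q1", "frank", "it", False, True),
    SimResult("2014-Q1", "grace", "it", False, True),
    SimResult("2014-Q2", "alice", "lending", False, True),
    SimResult("2014-Q2", "bob", "lending", True, False),
    SimResult("2014-Q2", "carol", "lending", False, True),
    SimResult("2014-Q2", "dave", "teller", False, True),
    SimResult("2014-Q2", "erin", "teller", False, False),
    SimResult("2014-Q2", "frank", "it", False, True),
    SimResult("2014-Q2", "grace", "it", False, False),
]


def department_rates(results, campaign):
    """Return {department: (click_rate, report_rate)} for one campaign.

    Click rate is the share of recipients who followed the link; report rate
    is the share who reported the message. Both are rounded to 3 places.
    """
    clicks, reports, total = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        if r.campaign != campaign:
            continue
        total[r.department] += 1
        clicks[r.department] += int(r.clicked)
        reports[r.department] += int(r.reported)
    return {
        d: (round(clicks[d] / total[d], 3), round(reports[d] / total[d], 3))
        for d in total
    }


def weak_departments(rates, click_threshold=0.3):
    """Departments whose click rate exceeds the threshold (assumed value: 30%)."""
    return sorted(d for d, (click_rate, _) in rates.items() if click_rate > click_threshold)


def progress(results, baseline_campaign, current_campaign):
    """Change in click rate per department between two campaigns (negative = improvement)."""
    base = department_rates(results, baseline_campaign)
    cur = department_rates(results, current_campaign)
    return {d: round(cur[d][0] - base[d][0], 3) for d in base if d in cur}


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the common thread."""
    campaigns_by_user = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_by_user[r.user].add(r.campaign)
    return sorted(u for u, c in campaigns_by_user.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    baseline = department_rates(SAMPLE_RESULTS, "2014-Q1")
    print("Q1 baseline (click, report):", baseline)
    print("Needs attention after Q1:", weak_departments(baseline))
    print("Q1 -> Q2 click-rate change:", progress(SAMPLE_RESULTS, "2014-Q1", "2014-Q2"))
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

Report rate matters as much as click rate: a department with a low click rate but no reports has not yet learned the response half of the lesson, and the repeat-clicker list is the group to target with the next round of “diet” content rather than another organization-wide video.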

All FIs can achieve information security awareness wellness and health by continuing these three basic initiatives throughout the year. The goal is for the FI to adapt and respond to the dynamic threats that exist. These strategies apply to all stakeholders in your organization. New employees will need to be educated, and more seasoned employees will need corresponding reminders and reinforcement. What can you do to improve your FI’s information security awareness health?

Tags: security awareness training, Information Security & Risk Management, security, security controls, information security monitoring

Virtualization: Not just for testing anymore

Posted on Wed, Nov 16, 2011 @ 07:18 AM

Author: Chris Sutherland

A question was recently asked of me as follows: “I am familiar with the concept of VM (Virtual Machine) which IBM invented back in the early 1970s. How would using VM provide greater security? And why would a bank customer want this?”

Let me begin my response by saying there are a number of good reasons to choose virtualization that make sense from a business standpoint (you can refer to my blog post, “Is Virtualization the Right Choice for your Financial Institution?”). With the appropriate setup and VMware’s virtualization solution, you get a secure and robust platform backed by both the technology and the processes to ensure that this high standard is maintained in all current and future products. VMware virtualization gives you the following:

• Secure Architecture and Design: Based on its streamlined and purpose-built architecture, vSphere (the VMware Hypervisor) is considered by many experts as the most secure virtualization platform.
• Third-party Validation of Security Standards: VMware has validated the security of its software against standards set by Common Criteria, NIST, and other organizations.
• Proven Technology: More than 250,000 customers – including all of the Fortune 100 as well as military and government installations – trust VMware to virtualize their mission-critical applications.

Because VMware uses what is called “bare-metal virtualization,” meaning that the hypervisor (virtual machine manager) runs directly on the physical server, there is no general-purpose operating system underneath it that could add its own layer of insecurity.

Another point to consider is the “thin virtualization” concept. “Thin” virtualization started with VMware’s release of ESXi 3.5 and continues to improve and dramatically strengthen security and manageability as follows:

• The reduced size makes the attack surface much smaller and reduces the potential for vulnerabilities.
• Independence from a parent partition or console based on a general-purpose operating system means far fewer interfaces to exploit and fewer malware threats, which is especially important given the path device drivers take from the virtual machine to the physical hardware.
• Unstructured, console-based administrative interaction is replaced by authenticated and audited interfaces.

As an added point for securing the environment, VMware has a security suite of software called vShield. The vShield product family is the foundation for trusted cloud infrastructures. vShield enables adaptive and cost-effective security services within a single management framework. Three of the benefits are:

1. Reduce Complexity with Unified Security Policy Framework for the Cloud. vShield provides a comprehensive set of services for securing the datacenter at any level – host, network, applications, data and endpoints, in a single management tool integrated with vCenter Servers.
2. Secure Applications and Data with Adaptive Trust Zones. vShield allows organizations deploying cloud infrastructure to create adaptive trust zones that securely isolate applications with different trust levels and also quarantine applications that may have been compromised.
3. Accelerate Compliance and Automate Remediation. Exposure or leakage of sensitive data – for example, stolen credit card information – can cost an enterprise millions of dollars and/or harm its reputation. VMware vShield also gives organizations the ability to identify sensitive business information and ensure it is protected. This includes over 80 pre-built templates for the most common standards for protecting sensitive data.

So what have we concluded? The reasons cited here, plus the fact that many companies (including financial institutions) are using virtualization in production environments, lead us to the realization that virtualization is not only good for testing: it is secure and makes sense in everyday production environments for business-critical applications as well as servers.

Tags: virtualization, VMware, security
