October is National Cyber Security Awareness Month (NCSAM 2016). What's that mean for you, who have already been thinking about on-line security your entire career? Multiple offices within the US Federal government are advising the public at large about cyber-security. Three aspects that might help your own work are:
- the Department of Homeland Security's thematic calendar gives five cyber-security topics that are worth reading, if only to catch any glaring gaps in your own plans;
- The White House is running a "Lock Down Your Login" program to promote migration beyond account-password credentials; and
- you can add "NCSAM Champion" to your résumé with just a little effort.
I've often worked with and for government agencies; I'm well aware of their fallibilities. At the same time, reading the best of their briefings and reports is simply a smart way to keep up with many areas that traditional training doesn't touch. The good ideas and industry connections in the references above will apply long after October has passed.
Millennial workers are particularly hazardous, in Malcolm Harkin's description. They take their work home with them, they "jailbreak their computers" (I confess: I am completely in the dark about whether this is what Harkin means), some "are ambivalent toward corporate regulations", and they check Facebook during the work day.
Harkin has an enlightened response: he proposes that "... companies must adapt to the technological skills and sensibilities of the new workforce and implement comprehensive security programs that ensure security within the expanding boundaries of the modern workplace."
I must not be in Harkin's target audience. Oh, I agree that, for instance, "Employees can create dangerous risks when they store sensitive work material on the same devices they use to download untrusted files and applications." It's Harkin's responsibility to stay on top of such dangers as Chief Security and Trust Officer of Cylance, and they concern me, too. The attempt to correlate these vulnerabilities with the ages of employees loses me utterly, though. My experience is that co-workers of all ages are capable of doing dumb, creative, thoughtless, inspired, or reckless things with their computers. While I've tried repeatedly to figure out some short-cut to work requirements that hinges on discriminating by or just recognizing different ages, I keep failing. My only conclusion: security demands daily vigilance. It never gets easy. We need to adjust and refine our approach and techniques constantly. Real-life employees don't always do what we want or expect; with a little care and training, though, they can do what we need. All that applies whatever the ages of our employees.
Sharing what should be private
I have one other security-related topic that also leaves me feeling out of touch. It popped up most recently in a brief white paper from Keeper Security, Inc. One page mentions "... password rotation also helps maintain security when credentials are shared with vendors ..." and "[p]rovision for management and secure sharing of privileged account passwords is needed".
I know Keeper's a respectable company. I can't come up with any circumstances, though, where I want to promote sharing credentials with vendors. I've occasionally--rarely--told customers that we could short-cut a solution if they chose to dictate a password to me, but I always emphasized to them that we'd solve a problem one way or the other. For the most part--the overwhelming portion of all cases--I emphasize to customers and workers that I don't want them sharing passwords with me, with Support, with spouses, with anyone. Computing changes so fast as to leave us with very few fixed principles. One of the most certain for me, though, is: keep your private parts private.
I asked Keeper about this, and the company clarified that the white paper actually referred to special situations that future versions of the white paper will explain more carefully.
There is one general meaning of "credential-sharing" that's legitimate in my eyes: I'm all for IT and Facilities co-operating so that, for instance, the same smart-card that allows physical access to an office can play a role in multi-factor on-line authentication.
How's the view from where you stand? Do twenty-something employees make your security work particularly hard? Do you know your customers' passwords? Am I unrealistic about how security works in most offices?