We are sad to have our holiday contest come to a close. We have thoroughly enjoyed seeing the responses (both the serious and the sarcastic) from everyone, and if we had more Kindles to send out, we would keep this rolling through the new year! Thank you to all participants and viewers of the contest on Twitter and community.mcafee.com. We have reached out to the winners via email, so look for this communication in your inbox.

 

We promised that in addition to the drawing for the Kindles, we would post the 'best of' list of responses for each day's contest, and we have delivered! It was very difficult to select the top entries, so we chose a few for each day.  As mentioned in the contest details, we took all participant names and organizations out prior to posting.  We encourage everyone to keep the discussion flowing on each of these topics, as many participants have some great insight and advice in each of these arenas. 

 

Thank you again for participating in our contest, and please sign up for The Place at McAfee (https://www.mcafeetheplace.com) if you have not already.  The Place is a customer-only community, and our team works to promote and share the stories and best practices of our customers in an effort to increase the security postures of businesses around the world.

 

And with that, in alphabetical order, here are our favorites!

 

I’m away from home: It is critical to ensure the security and safety of infrastructure and corporate resources during the holidays. What best practices do your organizations employ to protect the enterprise from physical or web-based intrusions?

 

1)

Below are our guidelines on the use of social networking sites for our customers using McAfee Security products.

 

Although our organization utilizes state-of-the-art technology and techniques to secure its information and systems, unsafe habits by employees still present risks. This includes careless social networking.

 

“Our Shared Responsibility” calls upon each of us to practice safe cyber security, including our conduct on social media sites, in our personal and professional lives.

 

Last week, our employees were reminded to recognize threats and attacks using this easy-to-apply approach:  Decide, Help, Suspect.  Apply this approach when enjoying social media sites too:

 

Decide how much information to share. Social networking often exposes sensitive data easily. Remember, the more personal information attackers gather, the more accurately they can craft spear-phishing e-mails and other schemes that target specific systems and users. By design, social networking sites enable users to share personal information. However, when our employees share sensitive information, including details of their job descriptions or their specific responsibilities, work schedules, or internal discussion at the agency, they may disclose sensitive information and expose the organization as well as themselves.

 

Help yourself by learning how to protect information, and use privacy settings offered by social networking sites to restrict access to your profile only to designated colleagues, friends, and family. The Office of the Chief Information Officer, Information Security Office, publishes guidance for our employees on the use of social networking. This includes official policy governing at-work social media use, as well as recommended guidance for safe personal social media use.

 

Suspect and verify Internet sites, links, identities, attachments, offers, and more. Whether at work or home, action without thought presents the most danger and risk online. Safe users maintain skepticism and verify the identities of both Web sites and people before trusting information, URLs, links, attachments, and more.

 

2)

Employing a layered approach to protecting the environment - using not just endpoint and perimeter protection but also other strategies to ensure that there is one layer of protection after another. Also special attention is paid to each potential entry point never assuming that something is trusted even

 

3)

We try and promote strong situational awareness best practices (AKA Operational Security) when we advise our employees about safe social media computing.  When in the field, don't allow applications access to your GPS (no links to geolocation services) to prevent tracking.  We also recommend that our employees create and use work-centric social media accounts (so they don't blend personal and work-related information streams).  It's also a great idea to reinforce the "don't click on anything" best practice, even if it comes from someone you know and trust. 

 

 

Mac Malware- To allow or not to allow, that is the question. What is your organization’s policy on Macs, and why? 

 

1)

Our company allows the use of Apple products provided they have the latest version of McAfee VirusScan for Mac or McAfee Enterprise Mobility Management installed on their devices to comply with our security posture.

 

2)

We allow Macs; we have almost 500 on the corporate network. We will also be allowing iPads and iPhones issued by the company. With the ever-blurring line between business and home, we all desire to have access to both at any time. The Mac, being a more closed platform, provides more security and is easier to implement in corporations.

 

3)

We are a Windows only environment. The reason for this is mainly to maximize an efficient use of our time. There are only five people in our IT department and it’s easier to narrow down what the solution to a problem can be when you only have to focus on one operating system.

 

Malicious Mobile Applications - The revolution of apps has made our lives easier and more entertaining to accompany our increased smartphone usage. Do you know where those apps are coming from? How can companies ensure their employees are mobile protected?

 

1)

Install corporate OS images for mobile devices running on the corporate network

Place controls on what applications can be installed by users

 

2)

These apps come from different countries, like China and the US. Companies can implement security policies for mobile devices like the BlackBerry; open platforms like Android are more difficult to protect, but McAfee still has a great antivirus product (VirusScan Mobile Security).

 

Mobile Malware- With increases of malware targeted at mobile devices, businesses are taking a number of approaches to prevent infection at an individual and at the corporate level.  How would you recommend an organization manage its security posture for mobile devices (tablets and phones)?

 

1)

Below are our guidelines to our employees and customers concerning security on Smartphones.

 

If a hacker can gain access to a mobile device, they can easily find e-mail addresses, stored passwords, banking information, social media accounts, and phone numbers – allowing them to steal your information, your money, and even your identity. That’s why practicing good cyber habits is so important.

 

You can protect yourself from cyber criminals by following the same safety rules you follow on your computer when using your smartphone.  These include accessing the internet over a secure network, avoiding clicking on unknown links or answering strange questions sent to your mobile device, downloading only trusted applications, keeping anti-virus and malware software up to date and using varying and strong passwords.

 

Additionally, putting a lock on your smartphone and a password on your voicemail is highly recommended.

 

2)

Both tablets and phones need to be on the BlackBerry or iPhone platform just because of the security of the OS platform. The biggest risk is the Android platform, as it is open and the app market has very loose restrictions and validation of code being uploaded by end-users.

 

3)

  • Create corporate OS images for mobile devices
  • Place controls on what applications can be installed by users
  • Force user surfing to go through the corporate web proxy, which has access control in place
  • Deploy IPS for the wireless network
  • Install mobile security software on mobile devices

 

4)

The best way to mitigate the risk is to deny it outright. Since this is not always a practical outlook, use tools such as EMM and other management options to ensure that tablets and phones adhere to corporate security policies. Basically stated: if the device is property of the corporation, it will be managed as such; if the device is personal, it must adhere to the standards set forth by the corporation regardless of the fact that the device is personal and not company property. However, the user would at that point have made a conscious decision to store corporate property (email, contacts, etc.) on a personal device, and it must be controlled properly.

 

Online coupon scam: The downturn of the economy and people’s ever-growing appetite to find the best deals has increased the popularity of sites such as Groupon and Living Social. They have firmly taken their place in online couponing, and people are increasingly using their work smartphones and company iPads and tablets to browse through deals. What measures have you taken to help protect your company equipment from connecting to harmful sites?

 

1)

The measures we have taken to protect our organization’s equipment from connecting to harmful sites are moderate VirusScan Enterprise 8.8 and HIPS 8.0 settings in conjunction with the McAfee Web Gateway (MWG) 7 Anti-Malware engine. Since installing the MWG7 and activating the Anti-Malware engine, we’ve seen a significant drop in helpdesk calls and work orders due to “viruses”.

Phishing Scams: What is your organization doing to prevent phishing attacks on your employees or your customers? Examples could be increased education and awareness, purchasing tangent domains (.com, .net, .org), or investing in upgraded security solutions.

 

2)

If you have received a known suspect email or any email you suspect is part of a spear phishing attack, DO NOT click on any links or open any attachments. Forward the email to our security team.

 

Delete the emails and contact your component SOC or help desk and notify the Information Security Systems Officer (ISSO) of any systems you may have accessed that are at risk of infection.

 

The best thing you can do is to help develop the organization’s culture of cybersecurity awareness and familiarize yourself with the hallmarks of a spear phishing attack.

  • Spoofed or Forged Sender Address - Spear phishing works because the messages are carefully crafted to appear as if they are coming from a trusted individual or service. One tactic used in these attacks is to mask the sender’s email address with one you are likely to be familiar with. If you are using Microsoft Outlook 2007, this can be detected by the presence of the words “On Behalf Of”.
  • Foreign Email or Web Addresses - These attacks also tend to originate from or are relayed through foreign countries. Be aware of emails or messages containing emails or web links with foreign domain suffixes like .ca, .uk, .tv, etc.
  • Awkward Spelling or Language - Disjointed, misspelled, or grammatically awkward language may be the result of translation software used by the email authors.
  • Public presence or targeted position - Consider how your email address might have been publicly disclosed or why you may have been targeted. Are you a public figure, or do you post your email to public websites? Do you have a role that may be interesting to the adversary? The content of the email or nature of the ruse may often provide clues to why you may have been targeted.

In general, if you don’t know the sender or did not ask for an attachment, do not open the email.
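The hallmarks listed in this entry can be turned into a first-pass triage check for messages that employees forward to the security team. The script below is an added example written for this page; it is not from the entry's author or from McAfee. It assumes that Outlook's “On Behalf Of” label corresponds to a message whose Sender header differs from its From header (so a From/Sender mismatch is used as the spoofed-sender indicator), and it uses only the foreign suffixes the entry names (.ca, .uk, .tv); the sample messages are constructed for the example. It also checks two related signs the entry does not list explicitly: a Reply-To that differs from From, and a display name that itself contains a different email address.

```python
"""Flag spear-phishing hallmarks in a raw email message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Suffixes named in the entry above; a real deployment defines its own list.
FOREIGN_SUFFIXES = {"ca", "uk", "tv"}

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")


def _suffix(host):
    """Last DNS label of a host, lowercased, ignoring any :port."""
    return host.split(":")[0].rstrip(".").rsplit(".", 1)[-1].lower()


def analyze_message(raw):
    """Return a sorted-by-check list of findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, from_addr = parseaddr(str(msg.get("From", "")))
    _, sender_addr = parseaddr(str(msg.get("Sender", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))

    # Spoofed/forged sender: Sender differs from From (Outlook shows "On Behalf Of").
    if sender_addr and sender_addr.lower() != from_addr.lower():
        findings.append(f"sender_mismatch:{sender_addr}")
    # Replies silently routed elsewhere.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"reply_to_mismatch:{reply_to}")
    # Display name masquerading as a familiar address.
    embedded = EMAIL_RE.search(name)
    if embedded and embedded.group(0).lower() != from_addr.lower():
        findings.append(f"display_name_address:{embedded.group(0)}")

    # Foreign suffixes: collect hosts from the addresses and from links in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = set(URL_RE.findall(text)) | set(EMAIL_RE.findall(text))
    for addr in (from_addr, sender_addr, reply_to):
        if "@" in addr:
            hosts.add(addr.split("@", 1)[1])
    for host in sorted(hosts):
        if _suffix(host) in FOREIGN_SUFFIXES:
            findings.append(f"foreign_suffix:{host}")
    return findings


# Constructed sample messages (not real mail).
SUSPECT = b"""From: "Pat Jones" <pat.jones@corp.example>
Sender: bulkmail@promo-deals.tv
Reply-To: pat.jones@webmail-login.co.uk
To: you@corp.example
Subject: Updated travel itinerary
Content-Type: text/plain; charset=utf-8

Please confirm your itinerary at http://itinerary-update.co.uk/confirm
before 5pm today.
"""

CLEAN = b"""From: "Pat Jones" <pat.jones@corp.example>
To: you@corp.example
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon. Agenda: https://intranet.corp.example/agenda
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, analyze_message(raw) or "no hallmarks found")
```

Each finding names the check and the value that triggered it, so a help desk can see at a glance whether the message is a bulk mailer (Sender mismatch), a reply hijack (Reply-To mismatch), or a link to an unexpected country suffix; an empty list only means none of the listed hallmarks were present, not that the message is safe.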

 

 

3)

The way that I combat the threat of phishing (and any other forms of social engineering attacks) in my organization is more focused on "whom" as opposed to "what". When it comes to security awareness training, the folks in our organization that I spend the most time and effort to train are our forward-facing, most visible staff (e.g. non-technical administrative assistants, building receptionists, facilities staff, mail room, etc.). When an organization truly enables employees at all levels (regardless of their position in the org chart) by directly encouraging and empowering them with the responsibility of actively participating in enterprise security, good things can (and often do) happen. Every chain is only as strong as its weakest link; more often than not, some of the lowest paid (and potentially the most overlooked and under-appreciated) staff are firmly fixed in critical "links" that comprise the organization's holistic security. The irony about many postmortem security breach investigations is that employees often indicate that they would have told someone that something looked "fishy", if only they would have asked (or thought that it was their duty to report it).

 

Phony Facebook Promo- With the explosion of social networking in organizations, many organizations are finding the need to strike a balance between work and personal use of social media. Does your organization encourage you to participate in social media and have they provided any guidelines for social media awareness?

 

1)

The organization where I work strictly forbids users to visit all social networking sites, unless written permission has been given by a user’s supervisor. Our guidelines are broad and express that “occasional, limited, appropriate personal use of the computer and electronic communications system is permitted if the use does not (1) interfere with the user’s work performance; (2) interfere with any other user’s work performance; (3) compromise the integrity of the computer and electronic communications system.”

 

2)

The use of all social media sites is restricted for all employees (80K+), with the exception of employees who have access to perform their job duties. In turn, their systems have more restrictive security in place, like more frequent scans and real-time alerting of any malware or unauthorized applications. This is managed by Web Gateway while on the network and SiteAdvisor off the network. If a user has an exception and they are off the network, they are required to make a VPN connection to get access to social media sites.

 

3)

We try and promote strong situational awareness best practices (AKA Operational Security) when we advise our employees about safe social media computing.  When in the field, don't allow applications access to your GPS (no links to geolocation services) to prevent tracking.  We also recommend that our employees create and use work-centric social media accounts (so they don't blend personal and work-related information streams).  It's also a great idea to reinforce the "don't click on anything" best practice, even if it comes from someone you know and trust. 

 

4)

Social media is an attack vector routinely exploited by cyber criminals. This may expose our company to unacceptable risk. Additionally, social network activity consumes bandwidth that can negatively impact employee productivity. Our company prohibits access to social media from company owned equipment except for employees that utilize it for company business.

 

Scareware: Do you ever feel like your computer isn’t as secure as it could be? Do you know where your security warnings come from? How can you tell if they are real and how does your company keep you safe?

 

1)

Even security professionals aren't able to separate real from fake messages (at least at first sight ;-)

Therefore, users should never see such a message. Security updates must be *transparently* managed by the IT department. Users must *trust* that the IT department does this right! If they do, they'll remember this can't be right and they will report such incidents as requested during IT security training.

 

2)

Our security warnings come from legitimate departments within our company with valid company e-mail addresses.

 

Our users have been educated to look for certain characteristics of scareware software which are listed below.

 

  • Unknown icons on the desktop and start menu
  • AV-like scanner software with an interface that seems to report an unreasonably high number of infections
  • AV-like scanner software that shows only infections but requires registration to clean the infections
  • AV-like scanner software that has no trial period. Indications that the only way to clean your machine is to register and pay for the software
  • Constant pop-ups, balloon messages, and other alerts that indicate an infection
  • Constant interruption of work due to the requests to “register” a product in spite of any user requests to stay “unprotected”
  • Absence of a EULA. If there appears to be a EULA, no “cancel” option or the software installs anyway.
  • Hijacking the browser while surfing
  • Preventing normal applications from working
  • Linking to a registration site that has no advertisements and sells only one product—the rogue application. The website has only limited content and every page has a link that takes you to the purchase page. From the purchase page there is no link to go to any other page.

 

 

3)

Use of SiteAdvisor prevents users from reaching web pages that are not secure or that carry scareware.

Also, via McAfee Email and Web Gateway, an alert can be established for pop-up messages, or downloads of exe, com or compressed files can be prevented.

 

Social Engineering: Social engineering is identified by Wikipedia as the art of manipulating people into performing actions or divulging confidential information. Chances are you’ve been a victim of social engineering and didn’t know it. Ever had anyone call you at work looking for an individual that does not exist in the directory and then ask you to confirm who you are and what department you’re in? What type of awareness and prevention has your company done in dealing with social engineering?

 

1)

Set up mandatory online training course for Security Awareness (including social engineering), every employee has to pass the course.

Simplify procedure for reporting any suspicious calls, spam, phishing

 

2)

Do not give in to alarmist or threatening tones, often suggesting that you are under investigation or have a very large bill.

Creditors are required by law to send paper bills.

Never give out your PIN or passwords over the telephone or via a text message.

 

3)

A very good mechanism to implement is to record incoming calls at a service desk entity before the caller contacts the person; another is to send regular emails to employees with information on new scams. Another is to implement a company-wide policy that prohibits giving out sensitive information, like passwords, accounts, etc., and authorizes only some key people at management level to give this information.