Happy Friday, Federal friends. I hope the 2nd full week of FY15 is going well for you. It feels like we have the last 2 warm days of the year coming up this weekend, at least according to this little graphic from NOAA.
October, one of the nicer months of the year, is also known as Cybersecurity Awareness Month. We talked about it earlier this month in another blog post, but I wanted to highlight it here as well. While this "awareness" month doesn't get the same spotlight as, say, Zombie Awareness Month (May) or National Honey Month (September), it is just as important as, if not more important than, most awareness campaigns. Think about how this month opened as an example. We kicked off the month with J.P. Morgan announcing a massive breach, then we still had to deal with Shellshock/Bash, and just this week we were introduced to Sandworm & Poodle. Talk about making some headlines!
While most of these get attention based on how they affect the commercial world, the reality is that all of them have heavy implications across the board. A compromised J.P. Morgan account can give an attacker the credentials needed to attack an agency network, and whether that happens depends heavily on the user's personal cyber-hygiene. Password reuse is still far too common, and the due diligence needed to proactively police one's own credentials isn't a high priority for most people (I'm talking to you, mom). The issue here is that, with all the "noise" created by the constant disclosure of breaches and vulnerabilities, complete with flashy logos & foreboding names, our users might start to get complacent. This is bad for us, good for the attackers. So how do we combat the attacks that happen outside of our network but still affect our users? Awareness and education.
This month was set aside to do just that, although personally I think every month should be Cybersecurity Awareness Month. Setting up a cyber training program for your organization and requiring it for every employee is a good start. Most organizations already do that with harassment training, for example. While that type of training is inherently important to the health of an organization, cyber awareness training should be as well. What your employees do inside and outside your networks can ultimately affect the stability of your environment. Remember, the perimeter is no longer static but very dynamic, and we're all a part of it. The more you can make employees aware of their digital footprints and how those can be problematic for the organization, the more we can highlight that they must be part of the solution.
Another way to help the cause is through research. There is currently a petition on change.org for DMCA and CFAA reform. We strongly encourage all of you to sign the petition and get the ball rolling!
To break it down even further, I borrowed the below chart from G.I. Joe: