In October 2012, South Carolina state officials announced that the South Carolina Department of Revenue had experienced a massive data breach. The attacker apparently had access to the Department of Revenue's database for months and was able to obtain 1.9 million Social Security numbers and 3.3 million bank account numbers (Schwartz, 2012).
The most shocking aspect of the South Carolina Department of Revenue data breach incident for me is that the data breach may have been initiated with a phishing attack. The security firm Mandiant provided a theory as to how the attacker gained access to the Department of Revenue's database. They found evidence suggesting that a phishing attack, in the form of an e-mail, was sent to multiple Department of Revenue employees. At least one of the employees clicked on the link contained in the e-mail, which launched malicious code that captured the employee's user name and password. The attacker was then able to use the employee's user name and password to access the employee's workstation, manipulate the employee's access rights, and access other Department of Revenue systems and databases (Heilman & Glyer, 2012, pp. 2-3).
This incident is a perfect example of the principle that people are the first line of defense when it comes to security. To strengthen that first line of defense, it would be very beneficial for any organization to implement a security education, training, and awareness (SETA) program. According to Whitman and Mattord (2010), "SETA programs enhance general education and training programs by focusing on information security" (p. 189). With that in mind, it would be interesting to know whether the South Carolina Department of Revenue has a SETA program and, if so, whether the employee who clicked on the link in the malicious e-mail had completed any mandated information security training.
Implementing a SETA program is not an easy task. There are many aspects that have to be analyzed and considered when developing a program. However, before one begins this momentous task, he or she should first obtain support from management. This, too, is not easy to sell, but it may be accomplished by informing management of the consequences that could follow from not having a SETA program. In addition, the benefits can be briefed to management in an attempt to get them to buy into the program.
With cyber threats increasing at a rapid rate, it is only logical to invest in the first line of defense. An effective SETA program will provide employees with the education, training, and awareness necessary to fight the cyber security war and help prevent incidents like the South Carolina Department of Revenue data breach from occurring.
Resources
Heilman, M., & Glyer, C. (2012, November 20). South Carolina Department of Revenue public incident response report. Retrieved January 15, 2013, from http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20%20Department%20of%20Revenue%20%2011%2020%202012.pdf

Schwartz, M. (2012, November 26). How South Carolina failed to spot hack attack. Retrieved January 15, 2013, from http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spot-hack-a/240142543

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.