I'm in between a rock and a hard place - can I have some help, please?

By gadgetgirl

By way of explanation, a bit of background...

I was opted onto a group formed within the IT department and given the remit of improving departmental communications. For our sins, we came up with having a bi-monthly team luncheon to catch up with what each of the teams is currently undertaking, which projects are due/completed etc.

This started ok, with the department head giving a talk on the strategy of the ICT department, an update on the National picture, and its associated projects. The Information Management team then did a 10 minute presentation on their part of things, I did 10 minutes on the National Smart Card system, then we had a knowledge quiz after lunch.

Then the bombshell was dropped as to the next few "ICT Luncheon Sessions". Each team takes a turn for the next couple of meetings, and presents something FOR TWO AND A HALF FLIPPIN' HOURS on their topic. The parting shot is that whilst all other sessions will be run by teams of at least 6 people, I'm in the unfortunate position of being in a team of one. Me. That's it, that's all, just me. And security is one helluva topic to try and make interesting to an IT Department full of techies who already know about security...

So, guys, I need help. I have no problem giving presentations, doing induction sessions etc., and I'm not at all bothered about standing and talking in front of people, with or without making a fool of myself (I have tripped over so many specks of dust on a stage you wouldn't believe it).

What do I do to fill 2.5 hours? It wouldn't be as bad if I could give the general Information Security talk, but as these guys hear it twice a year from me anyway, there is absolutely no point, and I think they'd hang me out to dry if I did it again.

How, after I've filled those 2.5 hours, do I do a knowledge check on them, without doing a quiz?

I have around six weeks to the Luncheon date; the reason I'm starting now is that I know, because I do incident investigation, that I could be pulled off this particular project at any time, to take control of the response team.

So, any ideas, silly security stories, PowerPoint shows more than gratefully received. I really am at my wit's end as to how to fill this void in time.

I know you'll help if you can, so in advance of all the support I just know I'll get from here, have a small but meaningful present from me, by clicking on this link...

http://tinyurl.com/rtv8p
Many, many thanks in advance

GG


passwords

by jim.allen1 In reply to I'm in between a rock and ...

Hi Gadget girl

not sure how many members in your presentation group but to do 2.5 hours is over the top...

so a few suggestions

passwords with the history of encryption

the security of HCFDs (hand carried floppy discs) compared with the internet.

methods of 'stealing' screen emissions, wire tap and induction loops

methods of stopping theft - never turn the pc on...etc

how much data can be stolen in 2.5 hours!

data corruption intentional and accidental


More on Passwords (from "Hackers")

by Too Old For IT In reply to passwords

Every time I go into a building where the passwords are on sticky notes on the monitor (machine, domain, AS/400, the bank .. doesn't matter) I recall the scene from "Hackers" where Lord Nikon is delivering flowers, and just has a look around.

How many unsupervised and unverified people do we (you) have just wandering around?


What an opportunity!

by Kevin.Dorrell In reply to I'm in between a rock and ...

GG, It sounds like your management is taking intra- and inter- departmental communication seriously, which has got to be a "Good Thing".

I see your point that 2.5 hours is a long time. With no disrespect to your presentation skills, it will seem a long time for your listeners as well as for you. So here is an idea: why not prepare a presentation lasting about an hour or so, then throw in a few contentious or provocative discussion points near the end. Points that you believe need to be resolved, but which you cannot do entirely within your own remit. Then sit back and watch the ensuing discussion.

Security is often a matter of finding the correct balance between security and convenience. It is sometimes difficult to pin down management to where this balance should be struck. The discussion should give you some valuable indicators.

If your management is really as open and communicative as they seem to be, then they will welcome such an approach. Judge for yourself.

Good luck!


Several ideas

by fcleroux In reply to What an opportunity!

1) If you work for a large national company, not everyone may know what the biggest security breaches have been in the last two years. Do a recap of the TEN TOP SECURITY BREACHES. What they were, how they were handled. Were they handled properly? Could changes be made to the process??

2) Current threats! Review current threats that you think are the biggest issues. This is a great chance, what are you not doing properly because of lack of funding???? Point out these areas as security threats (but don't mention money). Let everyone know there is an issue and hope management acts on it.

3) Emerging Threats! Have you pre-planned for emerging trends and threats? Are you ready to tackle a bad RootKit on a system?? Identify these as yet non-identified issues, spell them out, indicate if there is a plan in place to deal with them, who is responsible for dealing with them, get some input and so on. This needs to be done anyways but may end up causing you more work.

4) Are the products you are using adequate? SpyBot and Ad-aware suck. So does MS Anti Spyware. Should you be using other products?? Is your Anti Virus Software the best you can be using, should you be using something else? How are the Firewalls? Have Security Policies been updated to include new technologies and new threats?? Is SKYPE listed or covered by any of your policies??? Good time to review policies or at least "SET UP A TASK GROUP" to deal with a review. This should kill some time.

5) Waste Time. Have food brought in by someone else (some very good Bakery Goodies, cakes or so) with coffee if required half way through your 2.5 hour session. This is usually a very well liked break anyways. Freshens the brain!
Good luck!


Try wardriving

by craig.christine In reply to I'm in between a rock and ...

They will already know loads, but there are loads of good stories of guys with their pants down (never women!) and you have the added advantage you could send them out to see how many sites they could pick up in the area, to kill 2 hours perhaps? Or get them trying to hack into each other's computers, to show how easy it can be; they would love that. You could then sit back "supervising" with a nice coffee, while they test themselves and preen about their results.

Christine


New Technology To Check Out

by quickest2 In reply to I'm in between a rock and ...

PLEASE READ AND RESPOND: THIS IS WHAT WE HAVE ALL NEEDED....

PROTEXX INC. A BRIEF BACKGROUND
Today's technology started development in 1996. Its mission then, as now, was to develop and market encryption software to provide for the safe transmission of sensitive data and to protect the identity of both the sender and the receiver.

During the last five years, the patent pending technology was refined and tested, and Protexx marketed its first 2048 bit encryption software package, said to be impenetrable by currently available hacker technology. It is designed to be used by organizations and individuals in a wide variety of sensitive fields, including, but not limited to medicine, law, corporate information, government and finance.

Protexx 2048 bit encryption technology has been reviewed by NSA, Hewlett-Packard, and IBM and is now in use in several high security installations. The software package may be downloaded from the company's Web site at www.protexxinc.com, and can include a biometric positive identification component which once installed by both sender and receiver, assures complete security for transmission of data over the Internet. The company maintains its own network-operating center [NOC] for use only by authorized subscribers. Each user receives a certificate of authorization, admitting his computer and only his identity to the Protexx secure transmission system.

~~~~~~~~~~

THE PROBLEM: NAKED IN MACY'S WINDOW

WiFi and the Internet pose a growing threat to personal, medical, legal and corporate information; just what can be done about it?

Consider the following:

- A Company CEO was instant messaging with the director of personnel about potential layoffs. The IT department "sniffed" it and information was transmitted throughout the entire corporation before any decisions were made. As a result of the network security intrusion behind the firewall, key people were lost.

- Unencrypted diagrams were emailed between a company's research and development center and its production facility, were intercepted, and as a result, the competition got the product into production first.

- Two soap opera writers were instant messaging each other over WiFi, a tabloid reporter sniffed it, published it, and the show lost audience share.

These are not theoretical possibilities; they actually happened, and they point out the vulnerability of any Internet communication, particularly those that travel over wireless links, to be intercepted.

"Anyone can sit in Panera Bread, or any place with a public WiFi connection, with a sniffer (a software tool) and intercept people's personal information, such as credit card numbers, at will," says Bill Tabor, Protexx, Inc. Chief Technical Officer. "With an appropriate antenna, the range of a sniffer can be several miles." And it gets worse.

Tabor says, "Even if you are running some sort of encryption, such as when you connect to the web page for your credit card information or place an order on line, the most prevalent form of Internet encryption, 128-bit SSL, can be readily cracked with freeware that can be downloaded from a public Web site. Many 256-bit encryption techniques can be cracked as well."

He adds, "The bottom line is that most people, and most organizations, don't realize how incredibly vulnerable their data is when it's moving over the Internet. Even if you are using commonly available encryption technology, you're sitting naked in Macy's window, and you don't even know it."

~~~~~~~~~~

THE GOOD NEWS

Recognizing the growing need to protect medical, legal, financial, insurance, corporate, and personal data as it travels the Internet, Protexx Inc. has created a fully portable encryption system for ensuring the integrity and protection of data.

Here is how it works. Suppose you want to check your credit card account from a public WiFi connection, but want to do so securely. Assuming you have already downloaded the Protexx encryption software from www.protexxinc.com and installed the authentication certificate, simply double-click on the two red Protexx VPN icons in the taskbar icon tray. This establishes a connection with the Protexx server at its Tier One protected facility. The Protexx software on the server does a handshake with the software that is on your computer. Your computer and the Protexx server exchange public encryption keys, and this starts a 2048-bit encryption system that has a rotating key.

From the point of the first handshake, all communication between your computer and the Protexx server is essentially invisible to prying eyes. From there, you can sign into any Internet location, knowing that the wireless portion of your communication is now intrusion proof.

HP Storage Security Executive Summary Document #5982-5975EN, 05/2004, Page 14: "A very long key, for example, 1000 bits, has far too many possibilities to try in a million years using all the computers in existence"

For two people to establish secure Internet communication between them, for example if a research and development center wanted to email plans to a production facility, all that's required is for both parties to authenticate by signing into the Protexx server and then email normally between them. The information will be automatically encrypted at the sender's computer, travel securely over the Internet, and will be automatically decrypted at the recipient's machine.

Protexx encryption technology, which is built around open source, has been under development for five years, has been extensively tested for the past two years, and now is available to users throughout the United States. The cost for an individual user is $4.95 per month subscription, and corporate clients can pay much less per user, based on the number of monthly subscribers.

Protexx provides mission critical systems with a much needed bulletproof security layer against hacking software.

Protexx is a real-time security technology that secures all of your data in motion.

~~~~~~~~~~

THE SOLUTION

For further information about Protexx or its 2048 bit encryption software package, call, write or e-mail company president Peter Letizia, Protexx, Inc., 10784 Crescendo Circle, Boca Raton, Florida 33498-4871. PLetizia@ProtexxInc.com

Protexx, Inc. also has offices at 35 Evergreen Parkway, Westport, Connecticut 06880. Contact Mark L Myers, Chairman, 203 682 6436. MMyers@ProtexxInc.com


Security, what is there to be afraid of?

by VytautasB In reply to I'm in between a rock and ...

To keep an audience's attention for 2.5 hours (I suggest you try to shorten it to 1 hour) it might help to make use of real life examples to illustrate a security concept. A real case history is more likely to keep people's attention than some theoretical presentation (especially during a lunch or shortly after). There must be many examples in the news to choose from. Have up to 10 examples (perhaps you can pick something that happened in your institution?) of what went wrong, present them, and perhaps ask the audience for ideas on what could have been done from a security standpoint. You probably won't need to go over all the examples and topics, based upon how your audience responds. Best wishes for your presentation.


Out of the box

by billphillips In reply to I'm in between a rock and ...

GG - Good luck with your presentation whichever way you choose, but it could be a golden opportunity for you rather than a millstone.

Have you considered going down a different route? They are getting communicated to about technical advances which they would rather
(a) Not know
or
(b) Find out themselves in their own time and manner.
Your initial remit was to improve departmental communications, therefore what about highlighting communication skills.
Show information flow, and causes of blocks (personalities, politics, different communication skills and approaches).
You could present this, then go into communication "skill" games between departments, or better still, with mixed members - techies love these challenges.
You could finalise with a discussion on how people felt about the successes and challenges and the importance of ongoing communications.

It gets them thinking about, and understanding the root cause of communications problems - US !!


Out of the Box - What's a square

by Goodwisj In reply to I'm in between a rock and ...

ISO 17799 is as dull as ditchwater and extremely important..... So find some important people who aren't dull and subcontract the thing to them....

Suggestion 1:
Get a psychologist to present on Maslow and then get the team to relate it to IT Infrastructure and IT Security

Suggestion 2:
Get a locksmith to come in with a Safe containing an Easter egg (timing should just about work, I think). Get the team to try and crack the safe... then crack their heads with the confidential information that you have managed to scavenge from their desks, their bins, their phone conversations overheard even from their blogs and websites. Show them that security doesn't necessarily require technology, rather dedication - a way of life.

Suggestion 3:
You are bound to have a contact in the security community who could come in and talk cyber-crime to them for you.... again rewards are good - IT teams and chocolate really are made for each other. Depending on which end of the UK you are, I may have someone you could try for this..... mail me if needed.

I know I'm probably teaching you to suck eggs.... however it is normally the simple stuff that catches us out....... for example some police forces are concerned that a radio with encryption may fall into the hands of undesirables.... yet they have the audio blaring out of vehicle radios, portable radios and over speaker systems in Police Stations...... Their systems are designed to be high availability, maintain integrity and yet are not confidential......

Fourth and final - how about identifying the real risks to security and potential compromise - more information is probably at risk due to people becoming vulnerable to pressure because of debt, embarrassing personal information, or secrets than is due to hacking and high-tech crime (again, ask some police buddies about the background checks that they have to do for contractors, etc). Get people thinking about CIA in their lives rather than in their work.......

So a slightly different and not very technical approach to security; but I know that this can work - I've had to present on Information Security to a room full of seasoned security professionals - strangely, I have used at least one of the techniques above - now decrypt which one it is......

Speaking of which - why not get a kid's book of codemaking/breaking and get them to send messages to and fro.......... get them thinking about all the different layers in a network and the encryption and compression that is used and get them to risk assess an installation that they know well - perhaps even CRAMM them....

Enough, I'm going into meltdown...... hope you find a useful answer to your quest - between all of us there should be at least one good nugget out there.....

cheers

Steve


subject for you

by ka2sph In reply to I'm in between a rock and ...

I would like to suggest, as a topic, how people with handicaps work hard, graduate from college with good to excellent grades only to find out that there is a term, "you lack proper experience". This term is the way companies and their HR people get rid of handicapped people as prospective employees.
I am legally blind, have a spinal cord injury so while I walk with braces and crutches I am looked at by HR people like some sort of freak. I graduated in 1982 from a top college in New Jersey with a cumulative average of 3.79. I put in 90 hours a week between classes, homework, and required work (25 hours minimum) in the computer center, and that was not good enough as experience? I worked part time in a corporate computer center under work/study but that too meant nothing. I finally caught on. The Americans With Disabilities Act means nothing to businesses. They never got the message beyond how to make sure handicapped people like me never got into their companies since we were not "beautiful people".
