• DATE: September 21, 2010
• TIME: 8:00 am – 1:00 pm
• LOCATION: DCS Corp, 46641 Corporate Drive, Lexington Park, MD (There is plenty of free parking available.)

REGISTRATION: You must be registered to attend. Go to http://securesouthmd.eventbrite.com. The Deadline to register is Friday, September 17th. Admission is FREE and open to U.S. Citizens (bring valid photo ID).

SPEAKERS:

Ex-KGB Major General (ret.) Oleg Danilovich Kalugin — former Chief of KGB Foreign Counter-Intelligence whose job it was to penetrate all hostile intelligence and security forces worldwide. Now one of Russia’s “Most Wanted,” General Kalugin just celebrated his 7th year as a U.S. Citizen. He is the ultimate insider, whose fascinating autobiography, SPYMASTER*, documents secrets from his 32-year career.

* Pre-Order your autographed copy of SPYMASTER by September 17 - a limited number of copies are available for personal inscription — an historic takeaway and remarkable value at $20. Proceeds benefit InfraGard Maryland Members Alliance, a MD chartered 501(c)(3) nonprofit, in its mission of public-private partnering for critical infrastructure protection, and programs like these. Ordering & payment details are on the registration site, or contact M. L. Kingsley at MLKingsley@msn.com to arrange your personally inscribed copy. Subject to supply, copies will also be available for purchase by cash or check at the 9/21 event.

Noted Cyber Guru Dr. Gary Warner — voted Nation’s top Cyber-blogger – See http://garwarner.blogspot.com/ “Cyber Crime and Doing Time” – Dr. Warner is the Director of cutting-edge Computer Forensics Research at the University of Alabama, Birmingham.

Plus, representatives from InfraGard, the FBI, MCAC, and RICs will speak on reporting suspicious activity, information sharing ventures and private sector partnerships.

This jointly presented forum represents an unparalleled gathering of public safety, law enforcement & intelligence authorities, to teach the crucial lessons of situational awareness, promote learning and sharing between essential stakeholders using a collaborative process to improve intelligence sharing and, ultimately, to increase our collective ability to predict, prevent, and preempt terrorist activity and manage the consequences of a diverse number of threats.

For more information about InfraGard, and to join, go to www.infragard.net and/or www.infragardmembers.org, or contact Special Agent Lauren Schuler, FBI Baltimore’s InfraGard Coordinator, at 410-265-8080 or Lauren.F.Schuler@infragard.org.

We hope to see you there!

1. What happens to my business if my sensitive business information falls someone else’s possession?
2. What would it cost me to be without some or all of my sensitive business information?
3. Could I recreate lost sensitive business information and what would cost?
4. What would be the implications to my business if I could no longer trust accuracy or completeness of my sensitive business information?

If you can’t answer these questions, then you need this workshop sponsored by the Maryland InfraGard Chapter (IMMA) and the Small Busness Adminstration!!

The NIST Computer Security Division has developed a workshop to the small business owner increase information system security.

Learn how to define information security (IS) for your organization.

Hear examples of common types of threats and understand how determine the extent to which your organization should proactively address threats.

Learn common Best Practices and procedures to operate securely.

Hear a basic explanation of current technologies used in reducing vulnerabilities and learn of resources freely available to organization.

For additional information visit:

Date:  August 20, 2010

   Session I from 8:00 am – 12:00 pm*

   Session II from 1:00 pm – 5:00 pm*

     *50 seats per Session

Location: Baltimore City Community College, 710 East Lombard Street, Room 30, Baltimore, MD

Registration Fee: FREE

Register Online: http://cybersecuritymd.eventbrite.com 

Parking is available nearby at 701 Lombard St. or 55 Market Place, Baltimore, MD for

$13.00 per day.

Questions about registration ?

E-mail Lauren.F.Schuler@infragard.org or call 443-436-7725.

Questions about the class content?

See http://csrc.nist.gov/groups/SMA/sbc/ or contact Richard Kissel at rkissel@nist.gov .

In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies represnting 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

• Direct costs - communications costs, investigations and forensics costs and legal costs
• Indirect costs - lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

• 82% of all breaches involved organizations that had experienced more than one data breach
• 42% of all breaches studied involved errors made by a third party
• 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
• 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck

1. Funding – Data.gov cannot be another unfunded federal mandate

Federal agencies are already trying their best to respond to a stream of unfunded mandates. Requiring federal agencies to a) expose their raw data as a service and b) collect, analyze, and respond to public comments requires resources. The requirement to make data accessible to (through) Data.gov should be formally established as a component of one of the Federal strategic planning and performance management frameworks (GPRA, OMB PART, PMA) and each agency should be funded (resourced) to help ensure agency commitment towards the Data.gov effort. Without direct linkage to a planning framework and allocation of dedicated resources, success of Data.gov will vary considerably across the federal government.

2. Strategy – Revise CONOP to address the value to American citizens

As currently written, the CONOP only addresses internal activities (means) and doesn’t identify the outcomes (ends) that would result from successful implementation of Data.gov. In paragraph 1 the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.”, yet there is no discussion about “what data” the “public” wants or needs to know about.

The examples given in the document are anecdotal at best and (in my opinion) do not reflect what the average citizen will want to see–all apologies to Aneesh Chopra and Vivek Kundra, but I do not believe (as they spoke in the December 8th webcast) that citizens really care much about things like average airline delay times, visa application wait times, or who visited the Whitehouse yesterday.

In paragraph 1.3 the CONOP states “An important value proposition of Data.gov is that it allows members of the public to leverage Federal data for robust discovery of information, knowledge and innovation,” yet these terms are not defined–what are they to mean to the average citizen (public)? I would suggest the Data.gov effort begin with a dialogue of the ‘public’ they envision using the data feeds on Data.gov; a few questions I would recommend they ask include:

1. What issues about federal agency performance is important to them?
2. What specific questions do they have about those issues?
3. In what format(s) would they like to see the data?

I would also suggest stratifying the “public” into the different categories of potential users, for example:

1. General taxpayer public, non-government employee
2. Government employee seeking data to do their job
3. Government agency with oversight responsibility
4. Commercial/non-profit organization providing voluntary oversight
5. Press, news media, blogs, and mash-ups using data to generate ‘buzz’

3. Key Partnerships – Engage Congress to participate in Data.gov

To some, Data.gov can be viewed as an end-run around the many congressional committees who have official responsibility for oversight of federal agency performance. Aside from general concepts of government transparency, Data.gov could (should) be a very valuable resource to our legislators.

Towards that end, I recommend that Data.gov open a dialogue with Congress to help ensure that Data.gov addresses the data needs of these oversight committees so that Senators and Congressmen alike can make better informed decisions that ultimately affect agency responsibilities, staffing, performance expectations, and funding.

4. Data Quality – Need process for assuring ‘good data’ on Data.gov

On Page 9 of the CONOP, the example of Forbes’ use of Federal data to develop the list of “America’s Safest Cities” brings to light a significant risk associated with providing ‘raw data’ for public consumption. As you are aware, much of the crime data used for that survey is drawn from the Uniformed Crime Reporting effort of the FBI.

As self-reported on the “Crime in the United States” website, “Figures used in this Report are submitted voluntarily by law enforcement agencies throughout the country. Individuals using these tabulations are cautioned against drawing conclusions by making direct comparisons between cities. Comparisons lead to simplistic and/or incomplete analyses that often create misleading perceptions adversely affecting communities and their residents.”

Because Data.gov seeks to make raw data available to a broad set of potential users; How will Data.gov address the issue of data quality within the feeds provided through Data.gov? Currently, federal agency Annual Performance Reports required under the Government Performance and Results Act (GPRA) of 1993 require some assurance of data accuracy of the data reported; will there be a similar process for federal agency data made accessible through Data.gov? If not, what measures will be put in-place to ensure that conclusions drawn from the Data.gov data sources reflect the risks associated with ‘raw’ data? And, how will we know that the data made available through Data.gov is accurate and up-to-date?

5. Measuring success of Data.gov – a suggested (simple) framework

The OMB Open Government Directive published on December 8, 2009 includes what are (in my opinion) some undefined terms and very unrealistic expectations and deadlines for federal agency compliance with the directive. It also did not include any method for assessing progress towards the spirit and intent of the stated objectives.

I would like to offer a simple framework that the Data.gov effort can use to work (collaboratively) with federal agencies to help achieve the objectives laid out in the directive. The framework includes the following five questions:

1. Are we are clear about the performance questions that we want to answer with data to be made available from each of the contributing federal agencies?
2. Have we identified the availability of the desired data and have we appropriately addressed security and privacy risks or concerns related to making that data available through Data.gov?
3. Do we understand the burden (level of effort) required to make each of the desired data streams available through Data.gov and is the funding available (either internally or externally) to make the effort a success?
4. Do we understand how the various data consumer groups (the ‘public’) will want to see or access the data and does the infrastructure exist to make the data available in the desired format?
5. Do we (Data.gov and the federal agency involved) have a documented and agreed to strategy that prepares us to digest and respond to public feedback, ideas for innovation, etc., received as a result of making data available through Data.gov?

I would recommend this framework be included in the next version of the Data.gov CONOP so as to provide a way for everyone involved to a) measure progress towards the objectives of the OMB directive and b) provide a tool for facilitating the dialogue with federal agencies and Congress that will be required to make Data.gov a success.

What does it mean to practice safe web surfing?  Here are seven points I adapted from a poster that my colleagues at the NewYork City Metro InfraGard chapter developed to comunicate what you should do to practice “safe web surfing.” 

1. Use passwords that have at least eight characters, and mix it up a bit–lowercase, uppercase, numbers and special symbols. Here’s an example: rather than “amysmith” as a password, use “@mySm1th”…get it?  For more information on strong passwords, click here: Strong Passwords.  To generate r-e-a-l-l-y strong passwords, use this tool: Password Generator
2. Contrary to what you’ve heard before, write your passwords down and store them (somewhere other than under the keyboard on your desk).  There is a greater chance that an easy to remember password will be cracked than there is for someone to break into your house or office and steal that sticky you wrote them down on.  Bruce Scheiner talks about this in his blog here: Write Down your Passwords
3. Use virus scanning and spyware software–Microsoft has a free one available.  Also, make sure your virus scanning software is turned ON and that it’s signature files are up-to-date.
4. Only open email attachments from people you know.  No matter how enticing they appear to be…Free Cell Phone…Make Your (whatever) Bigger (or Smaller)…Verify Your Bank Account! …DO NOT open the attachment.
5. Do NOT click on any web links in emails from people you do not know–if there’s a web address you want to go to, type web address directly into your browser–www.goodsite.commay actually take you to a malicous website.
6. Parents can use the administrative capabilities of Microsoft Windows to lockdown sites/domains you don;t want you kids to visit. See instructions for doing this here: Block a Website
7. Be very careful downloading and installing toolbars from non-reputable sources. They might offer you all kinds of need smiley faces and cool tools, but they could also be stealing your personal information and doing other nefarious things.  Here’s one article that talks about a fake toolbar for a very well known website: Dangerous Toolbar

Let me know if you have other ideas I should add to this list…comments and thoughts welcomed..r/Chuck

Chuck Georgo
chuck@nowheretohide.org

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory’s classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.

While LANL got slammed for losing information on its  ”classified” network…what about all of the unclassified information that’s floating around out there? I feel it is just as important to make sure all of the sensitive but unclassified case information, organization proprietary information, or intelligence data that contains Personally Identifiable Information (PII) is protected as well–would you want to be the person explaining to their boss what data was just lost on that USB drive you left at the airport restaurant?

While I was at the International Association of Chiefs of Police Conference in Denver last month, I ran across a security item that really caught my eye–it was a standard, run of the mill 4GB USB thumb drive, but this one was unique–it had a built in PIN keypad, encrypted all data with AES encryption, and you didn’t have to plug it in to the computer first before unlocking it.  I got to thinking…if every law enforcement officer and intelligence analyst who had a legal, bonafied reason for copying sensitive data  onto portable media like CD-ROMs, SD cards, or unsecured thumb drives had one of these, they could sleep better at night knowing that the information on the thumb drive wouldn’t be compromised if it were lost or stolen, or than an unauthorized person who happend to get access to the drive couldn’t stick it in their computer and access the information it holds.

The item is called the Classified Secure Flash Drive. It’s a 4GB thumb drive with a built in 5-key keypad for entering a 1-10 digit PIN.  There is NO software required on the desktop/laptop to create or enter the PIN and all data on it is secured with 256 bit AES encryption. Those of you who know me know that I do not want to become another big IT vendor; however, I have decided to make these (and other innovative, niche technologies) available to agencies through NOWHERETOHIDE.ORG.  For Federal agencies; the manufacturer has developed a FIPS 140-2 compliant version with a built in 10-key keypad; they are in the midst of the validation process now.

• Chester Ho, a naturalized U.S. citizens, was arrested after stealing the plant cell culture technology from Bristol-Myers Squibb–nearly $15 million loss
• Hwei-Chen Yang was arrested after stealing adhesive trade secrets from Avery Denison–nearly $60 million loss
• Yonggang Min walked out the door of Dupont with more than 16,000 documents from DuPont’s electronic library–nearly $600 million loss

While the Rosenbergs, Ames and Hanssen were guilty of National Security Espionage, Ho, Yang and Min were clearly engaged in Economic Espionage, or “the act of theft or misappropriation of (commercial) trade secrets.” What makes this particularly significant is the fact that the potential for economic espionage exists in virtually every corner of our way of life–government agencies, small companies, large corporations, colleges, universities, overseas research and development laboratories, and economic espionage is largely driven by one of three motives:

1. Profit;
2. Patriotism to home country; or
3. Desire to achieve academic/scientific notoriety.

While the majority of the threat can come from any of the 108 countries actively seeking to collect information about American innovations, and (a sub-set) of the 30,000,000 non-immigrant visitors to our nation every year, the threat can also come from within; companies in like sectors would love to know what the others in that sector are working on–new prescription drug? Next Ipod? Alternative fuel technologies?

So, who can threaten your innovations and intellectual property?

• Insider threats–people working for you;
• People and companies that you partner with;
• Subcontractors providing services
• University students doing research for you;
• Visitors that have an interest in what you do; or
• Competitors who seek to do you harm.

Interesting side note:  75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon’s CERT program in a July 2006 study were committed by current employees. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company. “In between the time they have another offer and the time they leave is when they take the information”

At the end of the day, you (and your organization’s leaders) are responsible for the survival of your organization, and only you can really know “Who’s in Your House” and what they are doing. The other way to put it is that if something bad happens, only you will be standing there explaining to your board of directors and shareholders what happened.

So what can you do to protect yourself? I suggest five key strategies:

• Ask the right questions;
• Do the math;
• Trust, but verify;
• Use the velvet rope and black cloth; and
• Educate, communicate and reward.

1. Ask the Right Questions

Corporate presidents and CEOs should regularly ask their security officers the following five questions:

1. What technologies/projects are most at risk?
2. Why are others interested in it?
3. Who are the specific threats?
4. Where are the vulnerabilities?
5. How are we stopping them from getting it?

Establish a good idea of what an adversary might be after, why they’re after it, and what your organization is doing to protect it from compromise. For larger organizations, with many projects, you should go through this exercise with each program/product.

2. Do the Math

You cannot protect everything, so develop a strategy to identify and protect those projects and technologies that can cause the most dire consequences to your bottom line. I suggest dividing up your organization’s projects/products into three piles.

• Pile One = those projects that the future of your company rests on or those that you risk jail time for compromise;
• Pile Two = Those projects that are important, but expendable; and
• Pile Three = Those projects that are commodities or already in the open source.

 Here is some sample criteria to help you decide which pile a project may belong in:

Sample Criteria for Pile One

• Classified or sensitive national security project
• New research and development effort
• Loss would mean significant loss of revenue and new CEO

Sample Criteria for Pile Two

• Company future doesn’t hinge on product survival
• No significant IP or trade secrets involved
• Product at the middle of “S” curve

Sample Criteria for Pile Three

• No IP or trade secrets involved
• Commodity type product or service; top of the “S” curve
• Already in the public domain

Remember: Focus on Pile One FIRST–do not be tempted to go after the low-hanging furit in piles two or three.

To be continued…In Part 2 of 2, I’ll finish with Key Strategies 3, 4 and 5.

As always, comments and houghts are welcome.

Chuck Georgo, chuck@nowheretohide.org

Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.

I did a quick check of four online appliactions that I use–Zoho, Windows Live, MySpace and Google Apps–here’s what I found.

1. ZoHo’s terms of use states:“We store and maintain files, documents, to-do lists, emails and other data stored in your Account at our facilities in the United States or any other country. Use of Zoho Services signifies your consent to such transfer of your data outside of your country.  In order to prevent loss of data due to errors or system failures, we also keep backup copies of data including the contents of your Account. Hence your files and data may remain on our servers even after deletion or termination of your Account.”
   
2. Windows Live had a different twist:
   “Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a “Submission” and collectively “Submissions”).  However, by posting, uploading, inputting, providing or submitting (“Posting”) your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services.”
3. MySpace pretty much mirrors Microsoft’s terms:
   “After posting your Content to the MySpace Services, you continue to retain any such rights that you may have in your Content, subject to the limited license herein. By displaying or publishing (“posting”) any Content on or through the MySpace Services, you hereby grant to MySpace a limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and distribute such Content solely on or through the MySpace Services, including without limitation distributing part or all of the MySpace Website in any media formats and through any media channels, except Content marked “private” will not be distributed outside the MySpace Website.”
4. Google had the best (or worst) of all worlds: It’s Privacy Policy states “Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country. We may process personal information to provide our own services. In some cases, we may process personal information on behalf of and according to the instructions of a third party, such as our advertising partners.”It’s Google Apps terms of service states “Information collected by Google may be stored and processed in the United States or any other country in which Google or its agents maintain facilities.”It’s general terms of service states “You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services..You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions. You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.”

So, what’s the moral to this story?  Three things…

1. Take the time to read the fine print; make yourself and others aware of the privacy and terms of service conditions for these and other (free or fee-based) online appliacations;
2. If your federal, state or law enforcement agency, fusion center, or other government agency are using any of these services, make sure you have written policies about what can and cannot be posted, stored, or shared through these services; and
3. Assume anything you do post or share will a) make its way outside of the United States and b) reused in some way for marketing or advertising purposes.

Play it safe; don’t assume your information posted to these services will remain private. Remember, once out, that privacy genie will be nearly impossible to get back in the bottle.

As always, your thoughts and comments are welcomed…r/Chuck

While I disagree with their assertion that “legal limits” are the answer (we already have lots of laws governing the protection of personal privacy and civil liberties), I do think that more can be done by fusion center directors to prove to groups such as the ACLU that they are in-fact operating in a lawful and proper manner.

To help a fusion center director determine their level of lawful operation, I’ve prepared the following ten question quiz.  This quiz is meant to be criterion based, meaning that ALL ten questions must be answered “yes” to pass the test; any “no” answer puts that fusion center at risk for criticism or legal action.

Fusion Center Privacy and Security Quiz

1. Is every fusion center analyst and officer instructed to comply with that fusion center’s documented policy regarding what information can and cannot be collected, stored, and shared with other agencies?
2. Does the fusion center employ a documented process to establish validated requirements for intelligence collection operations, based on documented public safety concerns?
3. Does the fusion center document specific criminal predicate for every piece of intelligence information it collects and retains from open source, confidential informant, or public venues?
4. Is collected intelligence marked to indicate source and content reliability of that information?
5. Is all collected intelligence retained in a centralized system with robust capabilities for enforcing federal, state or municipal intelligence retention policies?
6. Does that same system provide the means to control and document all disseminations of collected intelligence (electronic, voice, paper, fax, etc.)?
7. Does the fusion center regularly review retained intelligence with the purpose of documenting reasons for continued retention or purging of outdated or unnecessary intelligence (as appropriate) per standing retention policies?
8. Does the fusion center director provide hands-on executive oversight of the intelligence review process, to include establishment of approved intelligence retention criteria?
9. Are there formally documented, and enforced consequences for any analyst or officer that violates standing fusion center intelligence collection or dissemination policies?
10. Finally, does the fusion center Director actively promote transparency of its lawful operations to  external stakeholders, privacy advocates, and community leaders?

Together, these ten points form a nice set of “Factors for Transparency” that any fusion center director can use to proactively demonstrate to groups like the ACLU that they are operating their fusion center in a lawful and proper manner. 

As always, your thoughts and comments are welcomed…r/Chuck

In a March 5, 2009 article entitled “Spammers retool for a renewed assault” they lay out a very scary explanation for the recent drop in spam and paint a not so comfortable description about what spammers are planning–here’s a quote:

While spammers will continue to react and adapt to whatever tecnical means we have to prevent their attacks from harming our systems and data, there are three simple and very effective things you can do to thwart these evil doers:

1. SPAM/VIRUS SCANNING TOOLS:  This is your agency’s first line of defense against spam-initiated virus, spyware, and trojan attacks.  While it’s hard to find an agency that is not using virus and spam scanning tools, periodically check to a) make sure your users have not turned off those tools, and b) that their tool definitions are up to date.  On the network side, make sure your enterprise scanning tools are configured for maximum protection and that definitions are kept up to date with current spammer tactics.
    
2. PERSONAL REMINDERS:  You hear it all the time, 80-90% of information security issues are because of what “people” do (or fail to do).  And, I hope you’re not counting on your agency’s annual IT security training to get them to protect themselves and your systems.  An old adage frommy Navy training days used to say “if you want them to listen, you gotta tell’em seven times, in seven different ways.” This continues to be good advice.  You are going to have to continually remind users to not open any attachments or click on any links in emails from people they do not know.  Some ways include: a short email to all your users once every 30-45 days and include an example of a targeted spam email; place a note in agency newsletters; or have leadership mention it at stand-ups/watch turnover.
    
3. OUTBOUND SCANNING AND IP BLOCKING:  While most agencies are filtering inbound spam email and IP addresses, i’d guess that many of them are NOT doing the same on OUTBOUND emails and IP addresses.  A good layered defense takes into account the chance that something may get past your inbound scanners.  It’s a good practice to also scan and filter OUTBOUND emails and IP connections to make sure that trojan isn’t “calling home”; there are a number of websites out there to help you set this up.