We can be our own worst enemy, especially when it comes to computer security.  Even the most seasoned officer can fall prey to a hacker.  Everywhere else, the same people have “their head on a swivel” and looking for the next threat axis.  How does that happen?  For one thing, stepping into a new digital environment can turn a veteran into a rookie if he or she hasn’t been trained on what to look for.

The same thing happens all the time in companies such as the one where I work.  After a recent demonstration of digital dumbness, I started looking for the best employee Security Awareness training I could find.  So I went to a source many of you would choose… the FBI web site.

After using their search function, I tunneled my way to a list of public/private projects and found the Center for Information Security Awareness.  Michael Levin is the founder and he agreed to an interview…

LET:  How have law enforcement agencies typically addressed their information security training?

Michael Levin:  Most law enforcement training is done in the initial training academy and after the academy as “in service” training. Unfortunately, information security training is not on the radar for most law enforcement agencies and there is often very little standardized training in this area.

I suspect that the average law enforcement employee receives very little, or no annual information security awareness training.

L.E.T.:  What have you observed to be the three greatest shortfalls in this training?

Michael Levin:  Keeping up with new cyber security trends and the vulnerabilities that occur very rapidly. New scams pop up every day and the law enforcement agencies are always in defense mode and not able to actively train their employees until it becomes a big enough problem.  If an agency is responsible for investigating these types of crimes and has not properly trained their employees they are always behind the curve and playing catch up.

Employees need to be trained on information security policies and they need to understand the risk to the organization if they do not follow policies. Everyone in the agency needs to have a baseline of security awareness training to help with best practices.

L.E.T.:  Of all the data breeches suffered by law enforcement agencies which one sticks out in your mind as the worst?  How much did it cost them? 

Michael Levin:  Whenever there is a law enforcement or government agency breach the biggest loss is public trust and the potential loss of the critical sensitive data that could put the critical infrastructure at risk.

There have been several examples of this type of crime where records have been stolen with laptops that have compromised our borders and critical infrastructure. Many of these past problems have been caused by employees failing to follow or ignoring policy and not understanding the ramifications of poor security practices.

LET:  When assessing threats to law enforcement information systems, how big of a threat is Anonymous?  Foreign terrorists?  Domestic terrorists? Foreign governments?

Michael Levin:  Well I guess it depends on the agency (local, state or federal) and what type of data we are talking about. The federal data could be the most sensitive and would be a target from all of the above groups. Local and state law enforcement could also be targeted but could also be a bigger target for organized crime or hackers just looking for PII or credit card information to commit financial crimes.

LET:  What is typically the weakest link in information security?

Michael Levin:  Human error due to lack of training and bad or non-existent basic security practices. Without basic training for all employees the law enforcement agency creates more risk and opens itself up for a wide variety of problems.

If employees do not follow or ignore security policy, this can cause some of the biggest vulnerabilities. When employees are not trained regularly, it is virtually impossible to hold anyone accountable for these lapses in security.

LET.:  How does a service such as yours address these threats and shortfalls?

Michael Levin:  In our on line training, we have thirteen lessons that will cover all aspects of information security awareness practices. We discuss the importance of employees’ treatment of sensitive data as they would want their own personal data to be handled. We created the lessons with easy to understand explanations of the reasons behind the policies and procedures to help increase employee “buy-in”.

I think it is important for information security awareness training to be conducted for all law enforcement personal including everyone from administrative employees to the highest level of the organization. This is needed to establish a standard knowledge base line in cyber security policies and practices.

These basic security practices should be required for insuring that law enforcement agency personnel safeguard the public’s data and protect the critical infrastructure.

If a law enforcement employee falls for a social engineering scam and does not follow policy this creates the possibility that the “keys to the kingdom” could be handed to the very criminals that the agency is investigating.

Criminals now know that if they can break into the law enforcement agencies computer network they no longer need to bribe law enforcement employees to obtain information. The same information can be hacked or obtained though social engineering.

Many law enforcement agency personnel conduct work from home and have no idea how to protect their home network. This also creates additional vulnerabilities and increased risk for law enforcement.

With our security awareness training we discuss ways to protect your home computer network and we have found that this is of interest and very important to the employees.

LET:  What is your background and how did you become involved in developing this type of training?

Michael Levin:  I started my law enforcement career as a police officer and detective in Mountain View CA for eight years. I then spent twenty two years with the U.S. Secret Service as a special agent.  My first USSS station was in the San Jose Secret Service office when Silicone Valley was just beginning in the early 1980’s.

One of my assignments included working in the Secret Service office in Seattle WA, managing the Electronic Crimes Task Force. I conducted hundreds of computer forensics exams and worked many malicious code and cyber intrusion investigations.

Throughout my career I have received various training in cyber security and computer forensics and eventually managed the Secret Service Electronic Crimes Task Force Program in Headquarters.  My last assignment was detailed to Homeland Security as the Deputy Director at the National Cyber Security Division. I retired from the Secret Service in 2007.

Prior to retiring, I tried to get funding for the government to provide security awareness training. We were never able to get the funding and after I retired, I got together with some other security experts and we put the training together and started this program.

LET.:  I see you use Moodle in your training.  What led you to choose this Learning Management System over others, such as Black Board?

Michael Levin:  I like the idea that Moodle is open source with a very large support network. It is being used by thousands of academic intuitions and the features make it a great choice. There is an amazing network of e-learning experts online and in on-line forums that are always willing to help.

LET:  Your company is part of a public/private partnership with the FBI, correct?  How many affiliated companies are there? 

Michael Levin:  My company is called the Center for Information Security Awareness and we partnered with Infragard several years ago to provide the on line training on our website: www.InfragardAwareness.com.

At InfragardAwarenss.com, we offer free information security awareness training for individuals and we offer a certificate in Information Security Awareness in the Workplace for a fee.

We also provide the o- line information security awareness training to organizations and businesses. We have been and have been doing this since 2007. Our goal is to provide high quality security awareness training to organizations and businesses at a very reasonable price point and we have lots of happy customers.

LET:  What is the number one thing that cops can do to make their own computers secure when they get home tonight?

Michael Levin:  I think they should update their software including the operating system and all of the miscellaneous software they have on their computers. Most of the problems people have with their home computers are caused because they don’t update things like Adobe Reader or Windows this includes the virus checker updates.

These updates are often created to fix a vulnerability or malware and by ignoring the update you are increasing the probability that you will be victimized.

The other thing that they need to do is stop clicking on every email and every link they get or see on line. This is the number one way that computers are infected especially on email and social media sites like Facebook. They need to educate themselves and their families on what to look for and security practices need to be something they do whileonline every day.

Bruce Bremer, MBA is LET’s technology contributor. Bruce retired from the Submarine Service after 21 years of in-depth experience with complex electronic technology. Lately, he is developing a corporate learning management system (Moodle LMS), curricula, and technical documentation for lighter-than-air tethered surveillance craft (aerostats). He has an extensive background in fleet modernization and military analysis. He teaches electronics and alternative energy at a Virginia college. Besides his MBA, Bruce earned a Bachelor of Science degree in computer networking. He has been volunteering in public safety for many years.

Learn more about this article here:

http://www.fbi.gov/news/stories/2010/march/infragard_030810

https://www.infragard.org/

https://www.infragardawareness.com/