Everything that is happening now has happened before

While looking through old notebooks, I found this piece that I wrote in 2014 for a book that never got published. Reading it through it surprised me how much we are still facing the same challenges today as we did four years ago. Security awareness and security training are no different…

So, you have just been given responsibility for your company’s information security awareness programme and you have rolled out an off-the-shelf training product to the company. Job done? Unfortunately, probably not, because like so many things in security there is far more to an education and awareness programme than meets the eye. The nine areas presented here are intended to give you guidance when establishing or improving your programme. Some may not be relevant to your organisation, some will be very relevant, but all of them are intended to provide ideas and insight into what is often a very emotive and personal subject.


Start at the Top

No business programme, least of all a security awareness one, is going to have any ongoing impact in an organisation if it doesn’t have the full support of the senior leadership. Depending upon the type and size of the organisation this could be the Board, the senior management team or even the C-level executives.

Be wary of them just paying lip service as well, as they are crucial for the ongoing engagement of the company and your programme’s success. If they are the ones that haven’t taken their training then they are not committed to your programme. Senior leadership should be helping not only to communicate the training, but also to reinforce key messages and certainly to lead by example.

Finally, make sure you can report back to the senior leadership on the value of the training on a regular basis, be it every three, six or twelve months. However you choose to do this, bear in mind that the key purpose is to ensure your awareness programme is aligned with the business goals, and that it is seen as a part of your organisation’s continued success.

Don’t Rely on Compliance

Using compliance as a key driver for acquiring investment for an education programme does work, but it is a short-sighted approach that will limit what you can do in the future. This is because compliance is a very specific business problem that awareness addresses, and once the compliance requirement has been met there is no reason for the business to invest more money, investigate alternative approaches or expand the programme. That tick in the box limits the future of your programme.

Instead, use compliance as just one of the many drivers to build your programme, along with profit retention, reputational damage control and a protection against lost billable time for instance. These drivers will help your programme, again, align better with the company’s goals.

Teach Them to Fish

Now onto the content! No training is going to be able to put across the correct response to every single threat, every single implication of regulations and laws, and every single type of social engineering approach. The goal of the training is to arm people with a mindset, not all the answers.

Educating people on the implications of their actions, and not on their actions alone, is key here. Helping them understand that clicking on a link could result in something bad happening is more effective than just telling them not to click on links. Helping them appreciate that social engineers use an array of techniques to build a picture of the environment is more important than telling them to mistrust every interaction with every person they deal with.

In your position as an InfoSec professional, how do you know when a link or a question is dangerous? Try to put that across, and you should end up with an awareness programme that educates people rather than programming them.

Make it Relevant

Off-the-shelf awareness programmes are often seen as a quick, cost-effective and easy approach to educating people. Many of the courses are very good too. However, you should be aware of your own organisational culture. Large, regulated organisations probably couldn’t effectively train through regular lunchtime briefings, and smaller organisations probably wouldn’t take too well to being in a room for three hours and having a PowerPoint shouted at them.

Additionally, there are going to be activities, lexicon and even teams and roles that are unique to your organisation. Try to avoid people having to “translate” the training they are taking to make it relevant to their daily lives, as much of the impact of the training will be lost.

Make it Useful

Not only should the training be useful in someone’s working life, but also in their personal life. In a world of Bring Your Own Device (BYOD) the lines between the workplace and home are increasingly blurred, and home networks, tablets and computers are increasingly being used to deliver into the workplace.

Educating people on how to secure their home network and WiFi, how to use a VPN in a cafe with their personal laptop, and even how to manage their own online lives not only helps secure the workplace, but also gives them a sense of being valued for the contributions they are making to the organisation.

Don’t be Too Serious

Humour is always an awkward subject when it comes to education and awareness, as it is rarely a universally agreed topic. However, it is worth bearing in mind that given the large amount of “compliance” training often required these days (ethics, anti-bribery, harassment training, etc.), making your course stand out is important.

Wherever possible draw upon the culture of the organisation, use in-house references (so everyone understands them) and try to avoid obscure internet humour, as many people in the workplace may not understand it. Never, ever use offensive humour, or even anything that comes close to it. If your grandparents are unlikely to laugh then don’t use it!

Go MultiChannel

Taking a leaf out of the book of the marketeers and advertisers, your awareness programme should be multichannel and use a number of different approaches to ensure the message gets across. Consider using videos wherever possible, leaflets, internal blogs, “sponsoring” internal events, and using town halls and company meetings to present on specific security awareness projects. Poster campaigns are also a useful method of putting core concepts and points across, although a key part of their success is that they get changed on a regular basis so that people do not become blind to them over time.

Also consider branding items like stickers, pens and pencils with a tagline or advice that ties in with your overall campaign, in order to keep your security message regularly in view. Again, it depends very much on the culture of your organisation whether this seems like a cheap gimmick or a good idea.

The core concept with this is to constantly engage with people through different means to maintain their attention and recollection of your security training.

Confirm Their Understanding

Making sure people actually understand the fruits of your hard labour goes beyond asking ten banal and blindingly obvious questions at the end of the training. These questions are table stakes when it comes to meeting compliance requirements but do nothing to actually confirm understanding. Conducting social engineering tests, sending simulated phishing emails (a whole topic in and of itself) and even leaving trackable USB sticks lying around are valid ways to test people’s knowledge. The results of these tests can be written up, providing even further educational opportunities in articles for the intranet and email updates.

Get Feedback & Start Again

The only way your awareness programme is going to improve over time is to ensure you gather open and honest feedback from everyone you engage with, throughout every phase of your involvement in your security awareness programme. Feedback from all of the recipients of the training after every talk or awareness session, and certainly feedback on the overall programme on an annual basis, is an important way of ensuring good elements are enhanced and bad elements are removed.

Gathering feedback, however, is only half of the story; providing feedback on the effectiveness of the security awareness programme to senior leadership is also important. Consider metrics, and the correlation between elements of the training as they roll out over the year and reported security incidents. Wherever possible do your best to monetise the incidents in terms of cost to the business so that over time, as security incidents decline (which they should do!), you can demonstrate the value of the programme and its contribution to the business.

Not all of these may be applicable to you and your organisation, but they should provide some guidance and ideas for you and your security awareness programme.

The Art of the Conference

Yes, I know, it has been nearly nine months since I last graced this blog with my presence. What can I say, it has been a busy time… But as they say, if you want something done, ask a busy person, and eventually they will get around to it. Just ask @hostunknowntv about the podcast I have been preparing for the last eleven months.

One of the reasons I have been busy (apart from the day job that sees me frequently travelling abroad) is that I have been somewhat in demand at conferences and forums. This is a lovely stroke to the ego when asked to keynote somewhere, but also a challenge because I have to come up with a new twist on an existing talk or even a brand new talk. Creating a talk from scratch takes hours and hours, much longer than the 6 CPE hours that (ISC)2 and ISACA allow you to claim. I would estimate anything from 20 to 40 hours for a 25 to 50 minute talk.

I am not complaining mind; the process may be long, but it really helps me form opinions, generate new ideas and even form unique points of view that I can apply to my day job (one of the reasons I always recommend standing up and presenting your ideas to your peers in the industry as a great way to further your own career).

So it frustrates me immensely that after I put this huge amount of effort into producing not only a presentation, but also a performance for a conference, the tools I am given to do so are all too often below par. Let me explain:

I like using Apple Keynote; it has a better look and feel than PowerPoint, handles animations better, and allows finer control of the placement of images and text. I realise this is probably an entirely subjective perspective, but it is one I stand by. I can’t tell you the number of times a conference has insisted that I can’t use my own laptop and have to use PowerPoint. The conversion process not only screws up the formatting, but also the general placement and even the fonts. Those slides I spent hours on look like something from a Dunder Mifflin sales deck.

Secondly, when I can use Keynote or my own laptop, the audio visual teams almost always insist on using VGA; more often than not this messes with the proportions of the main screen, leaving my widescreen presentation stretched into a square shape. Again, I spend hours making sure the images are not distorted and the text looks balanced, and then lazy A/V makes my slides look like they are being viewed through a fishbowl. Surely HDMI or even DVI is standard enough now, and the digital signal is far less likely to screw up aspect ratios.

Thirdly, secondary and tertiary screens are important. The “comfort” screen in front of the speaker is starting to become more popular, but more often than not it only displays what is being shown behind me, not the presenter view of the current slide, next slide and timer (the latter of which are rarely provided by most conferences…). At RSA in San Francisco I was presenting on their Live TV stage, and they had a comfort screen with the presenter view and, at the back of the room, a screen with my main presentation on as well. Perfect!

Why is this so important?

I personally feel that the quality of presentations at most conferences, InfoSec or otherwise, is very poor. There is plenty of subject matter expertise, but it is delivered in a poor way (see this video for some heinous examples). Conference organisers should be doing everything they can so that a presenter can deliver as effective a presentation as possible, and not worry about their deck being messed around with by either the A/V or a sub-optimal “presentation laptop”, or even having to struggle with their delivery. The easier it is for the speaker, the better the presentation and the more effective and impactful an experience it is for the audience.

Should I be able to stand up and talk without my slides, not rely on comfort screens or even know what slide is coming up next? Yes, of course, in an ideal world, but very few people who speak are professional presenters; they have demanding day jobs, and often finish their decks days or hours before the day. Conference organisers, please help us produce the very best performances for the benefit of your audience, and get some of these basics sorted out!

And hopefully that bar will be raised just a little bit higher and benefit everyone in the industry and community.

“And the winner is… Compliance!”

Disclaimer: My comments below are based upon quotes from both Twitter and The Times of London on the UK’s TalkTalk breach; as a result the subsequent investigation and analysis may find that some of the assertions are in fact incorrect. I will post clarifying statements should this happen to be the case.

I am not normally one to pick over the bones of company A or company B’s breach, as there are many people more morbid and qualified than me to do so, and I also hate the feeling of tempting fate. All over the world I would guarantee there are CISOs breathing a sigh of relief and muttering to themselves/psychoanalyst/spouses “thank god it wasn’t us”. Bad things happen to good people, and an industry like ours that tends to measure success on the absence of bad things happening is not a great place to be when those bad things appear to happen far more frequently than ever before.

So it took me a while to decide if I should write up my feelings on TalkTalk’s breach, although I had Tweeted a few comments which were followed up on.

[Embedded tweet: Quentyn W]

[Image: that original quote I Tweeted from the Times, dated 25th October 2015]

Initially I was shocked that people are still using the same password across so many crucial accounts. After a ten minute rant in the car about it with my wife, she calmly (one of the many reasons I married her) explained that not everyone thinks like me as a security professional, and that I should remember my own quote of “convenience eats security for breakfast”. Having calmed down a little, I was then shocked by something else. That something else was when the TalkTalk CEO, Dido Harding, was on national television looking clearly exhausted (I can only imagine how much sleep she had been getting the last few days) giving out unequivocally bad advice such as “check the from address on your emails, if it has our address it is from us”. Graham Cluley’s short analysis was spot on here:

As if TalkTalk’s customers hadn’t gone through enough, they are then being given shoddy advice from someone in a supposed position of trust that is going to put them at even more risk. The scammers and phishers must have been rubbing their hands with invisible soap and glee as they prepared their emails and phone calls.
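The reason “check the from address” is bad advice is that the From header is just text the sender writes; it is the receiving mail server’s authentication checks (SPF, DKIM, DMARC) that say anything about where a message really came from. The example below is added here to illustrate that point and is not code from the original post or from any company mentioned in it. The two messages are constructed samples; the domains, addresses and server names are placeholders. Both carry the same From domain, but only one passes DMARC according to the Authentication-Results header the receiving server added.

```python
"""Added example: the From header versus the server's authentication verdict.

Not code from the original post. Messages, domains and addresses below are
constructed placeholders.
"""
import email
from email import policy

# Constructed message: From claims the provider's domain, but the receiving
# server (mx.example.net) recorded SPF fail, no DKIM signature and DMARC fail.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none;
 dmarc=fail header.from=provider.example
From: "Provider Support" <support@provider.example>
To: customer@example.net
Subject: Important: confirm your account details
Content-Type: text/plain; charset=utf-8

Please confirm your bank details by replying to this email.
"""

# Constructed message: same From domain, but SPF, DKIM and DMARC all pass.
SAMPLE_GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=provider.example;
 dkim=pass header.d=provider.example;
 dmarc=pass header.from=provider.example
From: "Provider Support" <support@provider.example>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available in your account portal.
"""


def from_domain(msg):
    """Domain part of the From header, exactly as the sender wrote it."""
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[-1].lower()


def auth_results(msg):
    """Parse Authentication-Results into {method: result}, e.g. {'spf': 'fail'}.

    The first ';'-separated clause is the authserv-id (the server that did the
    checks); each following clause starts with 'method=result'.
    """
    header = msg.get("Authentication-Results", "")
    results = {}
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method, _, result = clause.split()[0].partition("=")
        results[method.lower()] = result.lower()
    return results


def assess(raw):
    """Return the From domain, the parsed auth results and whether DMARC passed.

    'authenticated' is True only when the receiving server recorded dmarc=pass;
    the From domain alone is never treated as evidence of origin.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    results = auth_results(msg)
    return {
        "from_domain": from_domain(msg),
        "auth": results,
        "authenticated": results.get("dmarc") == "pass",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)):
        verdict = assess(raw)
        print(f"{label}: From domain {verdict['from_domain']!r}, "
              f"DMARC pass={verdict['authenticated']}, auth={verdict['auth']}")
```

Both samples show the same From domain, which is exactly why the advice fails; the only difference a recipient can rely on is the verdict the receiving server recorded. In practice this check belongs in the mail gateway or client, not with the end user, which is the point of the advice being wrong in the first place.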

Now, it seems the attack did not disclose as much information as was first thought, which is good news. Credit card numbers were tokenised and therefore unusable, so no direct fraud could be carried out there (again dependent upon the form of that tokenisation, which I am sure there will be more details on in the coming months). Bank details were however disclosed, but again, there is a limited amount of damage that can be done there (there is some, I acknowledge, but it takes time and is more noticeable… another time for that discussion). Here is Problem Number One though: with Harding’s poor advice, many people subsequently (and allegedly) fell for phishing attacks through either phone calls or emails, and lost hundreds of thousands of pounds. TalkTalk’s response? Credit monitoring.

And then we move to Problem Number Two: why weren’t the bank details stored safely? Why were they not encrypted? Armed with the knowledge of customers’ bank account details, scammers can make a much more convincing case that they are actually from TalkTalk, especially if other account information was also lost (time will tell). TalkTalk’s response?


[Image: Dido Harding talking to The Times, 24th October 2015]

So TalkTalk was technically compliant? Shouldn’t this kind of thinking be consigned to the same mouldering scrapheap where “we’ve always done it this way” and “we’re here to secure the business, not help it” lie? I sincerely hope that this episode will at the very least highlight that “compliance” and “security” are two very different things and that the former most certainly doesn’t automatically result in the latter. What has transpired is the perfect storm of a breach, unforgivably poor advice, and complacency based upon compliance, and it has resulted in the pain of a lot of people and the loss of large amounts of money.

If an example like this does not spur you into doing more as regards your own security awareness activities, then please go back to the beginning and start again. Why? I have been accused of “victim blaming” somewhat (see the above Tweets), but if individuals had an ounce of sense or training they wouldn’t have fallen for the subsequent scams and been more careful when responding to email supposedly from TalkTalk. I will leave the last word to Quentin Taylor, and as you carry on with your internet residencies, don’t forget you need to wear protective clothing at all times.

[Embedded tweet: Quentyn W]

The Consistency of Plastique

As I said in my last post I have been travelling quite extensively recently, but this weekend I was able to take a long weekend in Oslo with my wife just before the Nordic CSA Summit, where I was invited to speak on “the CISO Perspective”. As a gift for speaking, each of us was given a block of Norwegian cheese, in a roughly square shape, that really did seem to have the consistency, weight and look of a lump of plastique (I imagine…). It did occur to me that in the spirit of all good 44CON prizes, it was intended to get you stopped at the airport.

On my return home yesterday, I was pretty sure my bag would be picked up for secondary screening given the presence of this lump of cheesy explosive in my bag (although apparently @digininja tells me a malt loaf has the same effect as well). Sure enough, my bag was selected, I presented the block of cheese to the good natured security folks, and with a wry smile they let my bag through. The same could not be said of my carry-on bag though.

I was asked quite curtly if I had a penknife or similar in this bag; now I am getting more forgetful, but I was pretty sure I hadn’t. The security guy really did not look like he believed me, so we started to empty my bag. Then I remembered: I had a lock pick set that I had put into a zipped pocket in my bag about nine months ago, intending to give it to my good friend Akash in Boston who had expressed an interest in that particular art. Remember I just said I am getting forgetful? That’s why it has been in my bag for so long despite having seen Akash many times these last nine months. Oh well.

But it also occurred to me that I had been through about ten different airports in that time, and this was the first time it had been picked up, let alone even identified as a possible penknife (understandable as the picks fold into the main body).

This underscores to me the inconsistency of the security scanning at virtually every airport. Shoes on or off? Belts on or off? iPads as well as laptops taken out? Kindles, in the bag or out? My bag of cables that you tell me to keep in my bag at one airport, and then getting admonished for not pulling it out of the bag at the next? As an end user of these services (and I am fully supportive of them despite this, I must say) it is extremely frustrating. There seem to be too many exceptions in place without clear reason, and without tying back to a singular way of doing things. The shoe bomber, Richard Reid, saw to it that we have to take our shoes off going through security… except of course when you don’t.

Consistency in an information security programme is obviously key. But sometimes the pendulum swings too far the other way. Any policy that ends with “There are no exceptions to this policy” is asinine at best, and crippling to the business at worst. There will always be a need for an exception in order to ensure business can be carried out effectively. As long as the risks are understood and communicated effectively, then move on and do it.

It certainly doesn’t mean that the exception can be used as an excuse to carry on working like that. There is no concept of precedent in this case. If there were, the natural end state would be complete mayhem as every exception is used to the point where there is no policy left. An exception is just what it says on the tin: a one-off easing of the rules so that the business can operate effectively and efficiently. It should be time-based, must be reviewed regularly, and where possible repealed if alternative approaches have come to light.

Consistency is important when applying policies, especially across a large organisation, but for goodness sake, don’t forget that change is an important part of business and needs to be embraced. But please do a better job of managing that change, and the subsequent exceptions, than airport security does.

Conferences and Presentations

What with InfoSec Europe, BSides, RSA Unplugged and the just attended Nordic CSA Summer conference, it has been busy on the presentation front again. I have a few more presentations to upload to this site as well as some footage. I am hoping to make it to Black Hat in Vegas for the first time this year, and speak on behalf of a friendly vendor who I have always enjoyed working with.


[Image: Diligently preparing for the conference]

As I also mentioned in my last post, my employer became a sponsor of the European Security Blogger Awards, something I hope we will be for future events as well. Unfortunately I lost my best personal blogger award crown this year to Lee Munson of Security FAQs. I can’t help but feel that if I have to lose to someone, Lee would be top of my list, as he consistently outshines me in both quality and volume of blogging. As a community we are lucky to have someone like Lee, and if you haven’t already done so please do reach out to him and congratulate him.



Direct Hit, Near Miss or Remote Miss? Why you are more confident than you should be.

In the years running up to the beginning of the Second World War the British government was extremely concerned that in the event of hostilities breaking out, the German Luftwaffe would launch significant attacks against Britain and especially London. With an estimated 250,000 casualties in the first week alone, the consensus was that millions of Londoners would flee, leaving the industrial war engine to grind to a halt. Several psychiatric hospitals were even set up on the outskirts of London to handle the huge numbers of casualties psychologically affected by the bombing.

History tells us this was not the case, despite horrific numbers of casualties and extensive damage to homes, property and businesses throughout London.

A Canadian psychiatrist, J. T. MacCurdy, in his book The Structure of Morale postulated this was because the effect of a bomb falling on a population splits them into three groups:

1. The people killed by the bomb. As MacCurdy puts it:

the morale of the community depends on the reaction of the survivors, so from that point of view, the killed do not matter. Put this way the fact is obvious, corpses do not run about spreading panic.

Harsh, but true in this model.

2. The Near Misses, the ones that:

feel the blast, … see the destruction… but they survive, deeply impressed. It may result in ‘shock’… and a preoccupation with the horrors that have been witnessed.

3. The Remote Misses. These are the people who hear the sirens and the bombs explode, and watch the aircraft overhead, but the bombs explode down the street. For them the experience of the bombing is that they survived easily, unlike the Near Miss group. The emotion as a result of the attack…

is a feeling of excitement with a flavor of invulnerability.

Near miss = trauma, remote miss = invulnerability.

Diaries and recollections of the period certainly support these theories. For instance, when a labourer was asked if he wanted to be evacuated to the countryside (after being bombed out of his house twice) he replied:

What, and miss all this? Not for all the tea in China!

The reason for this attitude, the sense of invulnerability, is that they have been through the very worst of times… and survived. They had faced their fears, and realised they were not as bad as they thought they were going to be, and in fact the result of surviving had given them a sense of elation that made them feel even more alive than before.

This is a very long way of saying that we may very easily view security incidents and breaches like this. Sony (perhaps) are the ones right at the centre of the blast. They are affected directly, and don’t even run around spreading panic because they are too busy dealing with the incident itself.

The near misses, Sony’s vendors, suppliers and partners, are probably reeling from the near miss and are probably doing all they can to ensure it doesn’t happen to them. In short, they are traumatised.

Finally, there is the rest of us. Yeah baby! Another breach, and it wasn’t us! We are invincible! We don’t need to do anything different at all, because we are survivors!

I think I see an issue here. Every time we are not breached, we become more confident that we will not be breached, and become over-confident and convinced we are having the time of our lives doing great stuff in the infosec world and not being breached. Let’s hope that bomb doesn’t drop too close to home and burst that bubble, otherwise “Career is So Over” ceases to be a funny industry joke and becomes very much a reality. Take the precautions now, take the threat seriously, and do what you can now, before it is too late.

I would strongly recommend reading the book David &amp; Goliath by Malcolm Gladwell if you would like to read more about this concept, as well as others along the same lines.

A personal note…

I am now under new employment as a result of an acquisition of my previous employer, and I have been fortunate enough to be elevated to Group CISO of the acquiring company. Unsurprisingly this has resulted in a massive new workload, travel schedule and responsibilities, and hence my distinct lack of posts these last few months. Despite this I have still been nominated for European Personal Security Blog 2015 in this year’s Blogger Awards; thank you!

Additionally, I am so proud to say that not only is my new employer keen to promote this blog internally in the new company, but I am also thrilled to say we have become the newest sponsor of the European Security Blogger Network.

Finally, I have been on the road a huge amount the last few weeks, including at RSA USA where I was very happy with my presentation at the RSA Studio; I spoke about how we have changed our approach to security awareness, and the use of the Restricted Intelligence product to catalyse it.

There were also talks at Munich Identity Management Conference, although the talks are not public yet.

Next week: BSides London, InfoSec Europe, the European Blogger Awards and RSA Unplugged. I am mentoring a rookie at BSides, speaking at InfoSec as well as at the Tripwire booth, sponsoring (and nominated!) at the Blogger Awards, and just watching at RSA Unplugged.

It has been a busy few months!