RANT Panel Debate: “Should You Train Your Users on Security Awareness?”

Leave a comment

I spent last night with five eloquent, passionate and above all opinionated colleagues arguing the pros and cons of security awareness training. We were doing this at the monthly Acumin RANT forum to a packed crowd who, as always, were not shy in holding back on their opinions.

The Crowd, who make RANT what it is!

The Crowd, who make RANT what it is!

We had two stand ins replacing Christian Toon and Kai Roer in the form of Bernadette Palmer and Andrew Agnes both of whom bought a huge amount of experience, opinion and humour to the evening. The lineup therefore was:

 For:

(The Award Winning) Javvad Malik, @j4vv4d

Bernadette Palmer

Andrew Agnes @sirjester

Against:

Myself

Geordie Stewart

Rowenna Fielding @infosecgeeklady

We did a standard pre vote just before starting (we garnered no votes and a lot of good natured laughs as expected!) and then we went straight into the standard For and Against cycle with me kicking off. Nobody had briefed me (or perhaps I hadn’t listened…) that we were reducing our standard six minutes each down to three! A quick reshuffle in my head and we were off. The photos may look like I am singing Karaoke, but beneath the entertaining exterior was my serious message!

I have posted my core arguments to this blog before so I won’t rehash them here again but what followed over the next eighty minutes was hugely interactive, passionate, thought provoking and hilarious! With a few dongle and fork gags thrown in this debate had everything! Of course there was no real conclusion but at the closing vote there was a small but very definite swing in our favour, hooray!

The Karaoke King!

The Karaoke King!

What I found the most interesting however was that on the whole our arguments converged; we all acknowledged that information security training as it stands now is simply not working. What we do with it however, was where the real debate lay. Do you throw the whole lot out and start form scratch or do you continue to try and fix what we have? I think this is the dilemma we need to face up to sooner rather than later in the industry, once of course we accept that our training programs don’t work. That part is where the industry needs the most help.

I normally try and stay around after these kinds of events and listen to other peoples opinions, gather feedback and generally mingle. Tonight however I had dinner with a few folks (@jimshout, @j4vv4d, @sirjester, @jee2uu) to discuss an upcoming project. More on that in the next few months but it was a productive and exciting evening overall.

Finally, there was some footage taken of the evening by Gemma of Acumin; like all my footage if it ever sees the light of day I will get it posted here as soon as possible! As always a huge thank you to Gemma, Simon, Chris et al from Acumin for not only making this happen but asking me to be a part of it.

Andrew Agnes

Andrew Agnes

Geordie Stewart

Geordie Stewart

Getting Your Hands Dirty

1 Comment

dirty-handsIn my last post I referred to ensuring that your risk management programme is producing the quality of output to ensure the business information it feeds into is of the highest quality; maintaining the integrity of your programme.

If there is one thing that can be done to improve the integrity of your risk assessments it is simply to get your hands dirty during them. I have had a number of conversations with people who have been on the receiving end of an assessment where the assessor simply sits at the table and asks for evidence in the form of documentation, verbal responses or even just PowerPoint presentations to confirm the effectiveness of the information security programme in question. Personally I have sat in a conference room for one or two days at a time and only left the room for a short thirty minute ‘walkabout’. Quite how the assessor felt they were getting a representative view of what we were doing was beyond me.

There are a number of problems with this hands off approach:

The ability of those being assessed to ‘play’ the assessor increases with their reluctance to physically move around the organisation. Pre-prepared evidences (the so called “audit box” as was once described to me) can be made available, the organisations SME’s can be wheeled in to ensure the right things are said at the right time and the people who never seem able to say the right thing at the right time (and every organisation has them!) can be told to work in a different building that day.

Secondly, unless the assessor is actually looking at the evidence first hand, even down to rifling through the physical pieces of paper or reviewing server logs, there is absolutely no way any kind of discrepancy will ever be found. Of course this is a sampling exercise, and of course there is no way every single piece of evidence, paper or electronic can be reviewed, but some kind of benefit can be gleaned from going though them. Quite apart form anything else it gives the clear impression that “no stone is unturned” during the assessment process. I have come up with a surprising number of findings from simply taking a few minutes to look through large piles of paper records.

Finally, and perhaps slightly more esoterically, the action of a walkabout can give a very good “feel” for a place. If the presence of the auditor brings hurried and furtive glances everywhere they go, it may give the indication of nervousness or unwillingness regarding the assessment (or of course just a healthy distrust of strangers). If there are rows of empty desks that are obviously normally in use but seem to be vacated for the day this may give the indication that special plans have been laid on for the assessment (or that the sales team are in a meeting). This last point is not so clear cut as the other two, and should only be used as an indicator of what is already coming out of your assessment, but it is a useful one nonetheless.

I have a colleague who every time he enters a “serious” meeting, he undoes his cufflinks and rolls up his cuffs a couple of times; this is his way of mentally preparing for the challenge ahead by literally rolling up his sleeves. When it comes to risk assessments that is exactly what you need to do, and then prepare yourself to get your hands dirty.

eCrime and Information Security Congress

2 Comments

IMG_0002I presented at the eCrime and Information Security Congress on Wednesday, and had a terrific time presenting on my thoughts around making risk assessments more effective for the business. It was probably the largest audience I have presented to, and the stage and AV set up was suitably impressive. I had the support of two fine upstanding members of the infosec community (as well as @j4vv4d and @sirjester…) throughout the day and was fortunate enough to get some great feedback from both the organisers (in the form of @jonhawes) and Javvad after the event.

The key points I was making were:

  1. Ensure your risk management programme is producing the quality data that subsequently becomes business information.
  2. Know how to present your information in a compelling manner to ensure your message (and business information) gets across to the right people.
  3. Understand the connection between your activities and your organisations primary purpose, whatever that may be.

The presentation ran to just under twenty minutes but unfortunately the house style appeared to be not to field questions at the end. I felt I engaged well with the audience and had some unsolicited feedback to that effect afterwards, but I would have welcomed the opportunity to chat around the ideas and cocepts I was putting forwards. If anybody who watched the presentation reads this post please don’t hesitate to ask something!

IMG_0001

As usual I have posted the slides below; I also intend to post a movie of the slides with a voiceover, but those of you who are still waiting for the footage from an event I did in September will know how prompt I am in creating these film. Javvad I am not!

The event itself appeared to be very well attended by both the public and sponsors, in fact a huge number of sponsors compared to even RSA Europe last year. The break out session were apparently very useful (I was unable to attend any as i arrived only for the last half of the second day, but heard good things about them), and above all the food was excellent!

Thanks to the folks at AKJ Associates for inviting me to speak, and especially to Jon Hawes. With a bit of luck I will be doing more of this in the coming months.

CIA Triangle eCrimes Congress PDF

Probably not a serious breach, but definitely a serious failure

Leave a comment

The Twitterverse, online and traditional media worlds were if not alight then certainly smouldering with the news of a security breach as a result of pictures being published showing the Prince in a normal day at the office. At first I couldn’t work out why the press was saying that username and passwords were at risk, especially as the main photograph showed the Prince at a computer screen. Surely passwords are always obscured at a login prompt? Even the MOD can’t have such bespoke systems that they clearly show passwords on a screen? I even Tweeted that surely this must have been, therefore, a Post It fail rather than technology fail. Thankfully there were further Tweets and further analysis of the situation, and it was the Naked Software blog that finally made sense of it all.

Unbelievably it was a Post It fail… or at least a piece of A4 taped to the wall fail. 

My personal analysis of this may be a little different from most infosec professionals, in that what was exposed was probably not that serious. A username and password was effectively leaked for what was probably an unclassified part of the MOD network (or whatever the correct terminology is). This physical network is probably behind fences and locks and soldiers with guns (or heaven forbid, the MOD Police), and probably didn’t even have anything interesting on it. I do of course think those in charge were right to change the password and username though, as that is obviously  sensible precaution, but after that point, so what?

That said, what i think this does highlight is a dreadful failure of the security “attitude test” by the personnel and leadership of that base. How on earth it could have been deemed as acceptable to have a username and password, of any description, taped to a wall, no matter how secure the environment, is beyond me. Firstly, this means that a generic account is in use, a fundamental no-no in anyone’s book, but also it indicates that it is acceptable to do other things born of convenience. Share files on a USB between here and home – no problems! Carry printed flight rosters and contact details in your manilla envelope out of the base – of course! The mere act of allowing this to happen means there are already shoddy security practises at work in this base and their head of security should investigate immediately (and be slightly ashamed. As an aside I was also surprised at the Prince to be honest; here is someone who must have had security training to the nth degree given his position, and he is stood, smiling, right next to the picture.

It reminds me of why I make such a big deal of using lock leads in the office. The actual risk of having a laptop stolen from your own office in the middle of the day is fairly low (overnight the risk rises of course, but we don’t leave laptops out overnight do we?!). I often cite the example of a fire alarm and subsequent evacuation, and laptops being removed/stolen by the last person on the floor, but again, this is an unlikely event. my main driver for the lock lead is because the very physical act of attaching your laptop to a lock lead first thing in the morning is a strong reminder of the need for security, and puts that person into a more security aware frame of mind. If they take their laptop into a meeting room, again the act of unlocking it is a reminder again. I have argued before that security awareness training does not interact with people often enough to influence their behaviour in any measurable way, but if we can encourage the use of lock leads throughout the organisation much of the battle is won.

Really, if the MOD gets this wrong, what hope is there for the rest of us?

 

 

RSA 2012 Debate – Should You Train Your Employees On Information Security?

Leave a comment

Below are the slides, my argument and some photographs from the debate session at RSA that I was involved in alongside Acumin, Christian Toon, Geordie Stewart, Kai Roer, Rowenna Fielding and Javvad Malik. Obviously by posting it here I am only presenting one side of the argument, but if nothing else I hope to at least stir up the conversation as in reality there is no clear cut answer on this topic. The text itself was my first draft notes and attempt to build an argument; I presented it from memory on the day, so it is obviously not an exact duplicate. I felt I was in a challenging position of not only opening up the argument, but also had no one to put a rebuttal against… at least that is my excuse!

I would very much welcome your thoughts on this somewhat hot topic as well as hear about how you do things differently to ensure the effectiveness of your training programmes.


Being asked to open a debate of this nature is probably challenging enough, but having to tell people that their information security awareness programs don’t work is a bit like telling them that they have an ugly baby; however much it may be true it is not something you can get away with saying very often before someone takes offence… or you get asked to justify yourself in a large public forum.

My colleagues will be presenting their cases far more eruditely than I am about to do so, and given what I suspect the prevailing attitudes in this room are I would therefore ask that you keep an open mind, and ask yourself the awkward questions that our arguments will pose. My arguments stem from the perspective of a poacher turned gamekeeper, so I can confidently vouch for their truthfulness from observations on both sides of the table.

So why am I against information security awareness training? Well, I think the actual term itself is outmoded, and the mechanism by which it is delivered more so. I strongly believe there are three key behaviours that stop the effectiveness of security awareness in its tracks.

Fatigue


Ethics training, anti bribery training, how to submit expenses training, how to work the training system training and goodness knows how many other trainings, and all of these have to be done every year, and more often than not within the same few months during “compliance season”. Is it any surprise that the CBT’s are completed whilst listening to iPod’s, that the “time per slide” statistic is never more than a few seconds and that when it comes to the obligatory questions at the end the cheat sheets get handed out amongst people. People simply can’t take any more!

Do your reported security incidents really go up after your training? Because they should as people become more aware of theirs and others security practices. Or do you still continue to see the same number of malware breakouts, lost USB sticks and laptops “left on the train”, all of the stuff that was happening before. Take a closer look, and see what you can find.

Memory


And with all of this training going on, it would take a full time job to remember it all, let alone trying to retain it in conjunction with their day job. Any kind of training that is carried out needs to be reinforced through regular practice of what has been learnt. But how often do people consciously “practice” their security skills? How often do you hear at the water cooler “I stopped a virus today!”?

Even when this training is put into supposedly professional training packages aimed at companies, they bizarrely even admit that they are not going to be fully successful; in a previous talk I referenced a company that proudly declared that their course would reduce phishing click throughs by 75%. Their course, by their own admittance is ineffective in 25% of cases.

The information security industry has a habit of streaming facts, rules, laws and requirements at people, throwing questions at them and then expecting them to put into their daily work lives. If they are lucky they might get the odd article or even get talked at by someone from IT Security rather wishing they were somewhere else. The marketing and advertising industries clocked onto this years ago, and produce smart, impactful and “sticky” bite sized pieces of information., why haven’t we?

Around, Through and Under


So we now have a picture of people tired of taking yet another training, can barely remember what the training was about anyway, but are also continually under pressure to get their day job done on time and on budget. With these pressures, people are going to be doing whatever it takes to get the job done.

Transferring a large data file to a client at 10 o’clock at night and the IT department have gone home? USB stick or drop box. Having to deal with hundreds of emails day in and day out? Snow blindness to clever phishing emails. Constantly changing workforce due to rapid growth  (or contraction)? Let them in, they need to get their job done just like me. Printers constantly going offline because of under investment? Just keep sending that confidential print job to a different printer until it works, someone else can clear up the spare prints.

Unless their environment is stable, and helps control their actions, or asks them the questions they need to be asked to make an informed decision, people will do whatever it takes to get their job done; the consequences can, and will, be dealt with tomorrow.

In Summary

Until such a time as companies and the security training industry cotton onto this, all your thousands of pounds, dollars or rubles spent on training courses will buy you one thing and one thing only, a tick in the box of your compliance checklist. Is that enough for you, or do you want more

This slideshow requires JavaScript.

(Photos courtesy of David Turner)