We Have Both Types of Teaching Here; Education AND Awareness

Leave a comment

It is an accepted truth (trust me, I am a professional), that security is often seen as just a technical profession; firewalls, DLP, DMARC, SFTP and TLAs (Three Letter Acronyms)are thrown around with gay abandon. Being resilient is a matter of hardening the OS, having a SOC fully staffed, and running the industry’s latest SIEM services. CISOs should be technical and know all of the TPLAs (Three Plus Letter Acronyms) having spent their formative years in their Mother’s basement while they hacked the Pentagon/GCHQ/Kremlin.

It may surprise you that I dislike this approach and viewpoint.

I found a wonderful quote on (where else?) the internet that, unfortunately, I cannot attribute to anyone. So, if you know where this comes from, please do tell me:

“People aren’t the weak link in security; they are the ONLY link.”

(Unknown)

Information security is primarily a people industry. Technology isn’t a panacea but merely an accelerant and amplifier of the existing processes and solutions. Without the people, there is no information to secure in the first place. If we, as CISOs and business leaders, don’t embrace and support our people, we make our jobs so much more problematic when securing the business and helping it do more, sell more, and create more.

So, in my usual style, here are the three things I suggest everyone who has “people” in their business and is responsible for education in one form or another should bear in mind.

Crowd Sourcing

So many of us (I know I did for the longest time) overlook the rather undeniable fact that having many people means they can all carry a small part of the security load. Crowdsourcing works because many people put a small amount of something in to help someone else build something big. You can make this approach work for you in several different ways.

Firstly, approach certain people to be “super contributors” to your infosec crowdsourced campaign. These are the folks that are your primary eyes and ears on the ground, the folks that people go to when they have an immediate problem. Think of them as the cyber first-aiders, if you will, with a few of them dotted around each floor or department.

Give them some face-to-face training if you can or at the least some detailed role briefing notes. They are doing this role because, like first-aiders, they want to help people and be a part of the solution. Reward them with a token monetary compensation, some swag, recognition or whatever fits into your organisational culture.

Secondly, the rest of the people in the organisation can also be encouraged to play a part; connect their ability to spot phishing, social engineering, reporting incidents and breaches to their role in the organisation and its successes. Finally, make it fun (see below), make it engaging and make it educational. 

Doing that is, of course, an essential subject in of itself, but the real message here is to embrace what you might see as your biggest weakness as your biggest strength. Making this leap of faith in your mind means your approach to training, problem-solving, and how you address the people in your organisation changes to positive and collaborative rather than cynical and combative.

Story Telling

 Storyteller is probably the second oldest profession in the world; we can easily imagine stories being told from one generation to the next around the campfire. But, before the written word was used, it was vital before Grandpa died that he told us the secret to successfully hunting that particular breed of rabbit/buffalo/mammoth (depending upon what part of the world you came from).

And yet we can also imagine that after hearing the same story over and over again, night after night, while Grandpa gets slowly drunk on his fermented yak’s milk becomes quite tedious. His tales of daring-do and athletic ardour, as he leapt onto the back of the killer rabbit, became very tiresome after the 954th time. And then last night, as he was getting carried away with the demonstration of his rabbit chokehold, he broke wind. Not only was that the version of the story you passed on to your children, but it was also the birth of the third oldest profession: Comedian (probably).

I am a huge fan of humour in the workplace, especially when it comes to educating people; a good joke conjures up images, feelings, experiences, and smells. But, above all, it is a story. Stories help people create worlds in their minds, relate their experiences to those worlds, and establish a visceral feeling in their bodies, an actual chemical change. Of course, there are few guarantees in this world. Still, one I pass on with a cast-iron guarantee is that no positive, memory-creating chemical changes in any brain anywhere in the world were created by putting people in a room and shouting PowerPoint at them for an hour.

The lesson here is that a good story goes a long way to helping people retain the information; build your message with a strong start, a fantastic middle and a resounding end, and you have the makings of impactful and memorable education.

Don’t Stop

“Oh no, it is that time of year again; we must do our security training”.

Don’t be this company. If you do something once a year because you have to, it becomes an obstacle, something that needs to be completed quickly and with as little effort so you can get on with the fun stuff.

If educational activities in the rest of our lives are continual activities, then why do we not apply this to our infosec training? First, of course, it is not an educational experience that people have opted into, but keeping a cadence to the activities that go beyond just one activity works. Ensuring the format changes and evolves, so it isn’t just posters all year round but lunch and learns, videos, emails, intranet, competitions, and the like means people who struggle to learn in one format can pick it up in another and keeps them on their toes, wondering what the next activity is. It piques their interest and keeps them engaged.

Try creating a 24-month schedule of activities and subjects; it’s not easy, but even having that schedule open and visible allows you to think much more long-term rather than just at a compliance, box-ticking level. Of course, you can still do quizzes (so many auditors and standards require that kind of box-ticking, unfortunately), but by avoiding the one-shot PowerPoint training and ten easy-to-guess questions, you are keeping the content new and fresh. You are also building a reputation as someone who cares about the educational process and the positive outcomes it brings, not just ticks in boxes.

Wrestling Rabbits can be fun AND educational.

Links to other interesting stuff on the web (affiliate links)

Five Key Dark Web Forums to Monitor in 2023

What is Cybersquatting? The Definitive Guide for Detection & Prevention

Seven Questions About Firmware and and Firmware Security

Everything that is happening now has happened before

2 Comments

While looking through old notebooks, I found this piece that I wrote in 2014 for a book that never got published. Reading it through it surprised me how much we are still facing the same challenges today as we did four years ago. Security awareness and security training are no different…

So, you have just been given responsibility for your company’s information security awareness programme and you have rolled out an off the shelf training product to the company. Job done? Probably not unfortunately, because like so many things in security, there is far more to an education and awareness programme than meets the eye. The following nine areas presented here are intended to give you guidance when establishing or improving your programme. Some may not be relevant to your organisation, some will be very relevant, but all of them are intended to provide ideas and insight into what is often a very emotive and personal subject.

 

Start at the Top

No business programme, least of all a security awareness one, is going to have any ongoing impact in an organisation if it doesn’t have the full support the senior leadership. Depending upon the type and size of organisation this could be the Board, the senior management team or even the C level executives.

Be wary of them just paying lip service as well, as they are crucial for the ongoing engagement of the company and your programme’s success. If they are the ones that haven’t taken their training then they are not committed to your programme. Senior leadership should be helping to not only communicate the training, but also reinforcing key messages and certainly leading by example.

Finally, make sure you can report back the senior leadership on the value of the training on a regular basis, be it every three, six or twelve months. However you choose to do this, bear in mind that the key purpose is to ensure your awareness programme is aligned with the business goals, and that is seen as a part of your organisations continued success.

Don’t Rely on Compliance

Using compliance as a key driver for acquiring investment for an education programme does work, but it is a short sighted approach that will limit what you can do in the future. This is because compliance is a very specific business problem that awareness addresses, and when the compliance requirement has been met there is no reason for the business to invest more money, investigate alternative approaches or expand the programme. That tick in the box limits the future of your programme.

Instead, use compliance as just one of the many drivers to build your programme, along with profit retention, reputational damage control and a protection against lost billable time for instance. These drivers will help your programme, again, align better with the company’s goals.

Teach Them to Fish

Now onto the content! No training is going to be able to put across the correct response to every single threat, every single implication of regulations and laws, and every single type of social engineering approach. The goal of the training is to arm people with a mindset, not all the answers.

Educating people on the implications of their actions, and not their actions alone is key here. By understanding that clicking on a link could result in something bad happening is more effective than just telling them not to click on links. Helping them appreciate that social engineers use an array of techniques to build a picture of the environment is more important than telling them to mistrust every interaction with every person they interact with.

In your position as an InfoSec professional, how do you know when a link or a question is dangerous? Try to put that across, and you should end up with an awareness programme that educates people not programs them.

Make it Relevant

Off the shelf awareness programmes are often seen as a quick, cost effective and easy approach to educating people. Many of the courses are very good too. However, you should be aware of your own organisational culture. Large, regulated organisations probably couldn’t effectively train through regular lunchtime briefings, and smaller organisations probably wouldn’t receive too well being in a room for three hours and having a PowerPoint shouted at them.

Additionally, there are going to be activities, lexicon and even teams and roles that are unique to your organisation. Try and avoid people having to “translate” the training they are taking to be relevant to their daily lives as much of the impact of the training will be lost.

Make it Useful

Not only should the training be useful in someone’s working lives, but also in their personal lives. In a world of Bring Your Own Device (BYOD) the lines between the workplace and home are increasingly blurred, and home networks, tablets and computers are increasingly being used to deliver into the workplace.

Educating people on how to secure their home network and WiFi, how to use a VPN in a cafe with their personal laptop, and even how to manage their own online lives not only helps secure the workplace, but also gives them a sense of being valued for the contributions they are making to the organisation.

Don’t be Too Serious

Humour is always an awkward subject when it comes to education and awareness, as it is rarely a universally agreed topic. However it is worth bearing in mind that given the often large amounts of “compliance” training often required these days (ethics, anti bribery, harassment etc training) making your course stand out is important.

Wherever possible draw upon the culture of the organisation, use in-house references (so everyone understand them) and try and avoid obscure internet humour as many people in the workplace may not understand it. Never, ever use offensive humour, or even anything that comes close to it. If your grandparents are unlikely to laugh then don’t use it!

Go MultiChannel

Taking a leaf out of the book of the marketeers and advertisers, your awareness program should be multichannel and use a number of different approaches to ensure the message gets across. Consider using videos wherever possible, leaflets, internal blogs, “sponsoring” internal events, using town halls and company meetings to present on specific security awareness projects. Poster campaigns are also a useful method of putting core concepts and points across, although a key part to their success is that they get changed on a regular basis to avoid becoming blind to them over time.

Also consider branding items like stickers, pens and pencils with a tagline or advice that ties in with your overall campaign in order to keep your security message in regularly being reviewed. Again this depends very much on the culture of your organisation as to what may seem like a cheap gimmick versus a good idea.

The core concept with this is to constantly engage with people through different means to maintain their attention and recollection of your security training.

Confirm Their Understanding

Making sure people actually understand the fruits of your hard labour goes beyond asking ten banal and blindingly obvious questions at the end of the training. These questions are table stakes when it comes to meeting compliance requirements but do nothing for actually confirming understanding. Conducting social engineering tests, sending false phishing emails (a whole topic in of itself) and even leaving trackable USB sticks lying around are valid ways to test peoples knowledge. The results of these tests can be written up providing even further educational opportunities in articles for the intranet and email updates.

Get Feedback & Start Again

The only way your awareness programme is going to improve over time is to ensure you gather open and honest feedback from all of those that you engage with throughout every phase of your involvement in your security awareness programme. Feedback from all of the recipients of the training, after every talk or awareness session and certainly feedback from the overall programme on an annual basis is an important way of ensuring good elements are enhanced and bad elements are removed.

Gathering feedback however is only half of the story; providing feedback on the effectiveness of the security awareness programme to senior leadership is also important. Consider metrics and the correlation of elements of the training as they roll out over the year to reported security incidents. Wherever possible do you best to monetise the incidents in terms of cost to the business so that over time, as security incidents decline (which they should do!) you can demonstrate the value of the programme and its contribution to the business.

Not all of these may be applicable to you and your organisation, but they should provide some guidance and ideas for you and your security awareness programme.

Ground Control to Major Thom

Leave a comment

I recently finished a book called “Into the Black” by Roland White, charting the birth of the space shuttle from the beginnings of the space race through to it’s untimely retirement. It is a fascinating account of why “space is hard” and exemplifies the need for compromise and balance of risks in even the harshest of environments.

Having seen two shuttles first hand in the last nine months (the Enterprise on USS Intrepid in New York and the Atlanta at Kennedy Space Centre), it boggles my mind that something so big could get into space and back again, to be reused. Facts like the exhaust from each of the three main engines on the shuttle burn hotter than the melting temperature of the metal the engine ‘bells’ are made of (they ingeniously pipe supercooled fuel down the outside of the bells to not only act as an afterburner of sorts but also cool the bells themselves) go to show the kind of engineering challenges that needed to be overcome.

There was one incident however that really struck me regarding the relationship between the crew onboard and the crew on the ground. On the Shuttle’s maiden flight into space, STS-1 also known as Columbia carried out 37 orbits of the earth with two crew on board, mission commander John W. Young and pilot Robert L. Crippen. Once orbit was achieved an inspection of the critical heat tiles on the underside of the shuttle showed some potential damage. If the damage was too extensive the return to earth would (as later events in the Shuttle’s history proved) be fatal.

The crew however were tasked with a variety of other activities, including fixing problems onboard they could address. They left the task of assessing and calculating the damage to those on the ground who were better equipped and experienced to deal with the situation. This they duly did and as we know Columbia landed safely just over two days later.

It struck me that this reflects well the way information Security professionals should treat the individuals we are tasked with supporting. There is much that individuals can do to help of course, and that is why training and awareness efforts are so important, but too often it is the case that “we would be secure if it wasn’t for the dumb users”. The sole purpose of the Columbia ground crew was to support and ensure the safe return of those on board STS-1 so that they could get on with their jobs in space. Ours is the same.

Just because te crew had extensive training to deal with issues as they arose, the best use of their time was to focus on the job in hand and let ground crew worry about other problems. The people we support should also be trained to deal with security issues, but sometimes they really need to just get on with the deliverables at hand and let us deal with the security issue. They might be trained and capable, but we need to identify when the best course of action is to deal with their security issues for them, freeing them to do their work.

Never forget that we support our organisations/businesses to do their jobs. We provide tools to allow them to be more effective in their end goals but it is still our responsibility to do the heavy lifting when the time comes. Except in very rare cases we are there because of them, not in spite of them.

(Photo courtesy of William Lau @lausecurity)

Direct Hit, Near Miss or Remote Miss? Why you are more confident than you should be.

20 Comments

_39166788_blitz416_gettyIn the years running up to the beginning of the second world war the British government was extremely concerned that in the event of hostilities breaking out, the german Luftwaffe would launch significant attacks against Britain and especially London. With an estimated 250,000 casualties in the first week alone, the consensus was that millions of Londoners would flee, leaving the industrial war engine to grind to a halt. Several psychiatric hospitals were even set up on the outskirts of London to handle the huge numbers of casualties psychologically affected by the bombing.

History tells us this was not the case, despite horrific numbers of casualties and extensive damage to homes, property and businesses throughout London.

A Canadian psychiatrist, J. T. MacCurdy, in his book The Structure of Morale postulated this was because the effect of a bomb falling on a population splits them into three groups:

1. The people killed by the bomb. As MacCurdy puts it

the morale of the community depends on the reaction of the survivors, so from that point of view, the killed do not matter. Put this way the fact is obvious, corpses do not run about spreading panic.

Harsh, but true in this model.

2. The Near Misses, the ones that

feel the blast, … see the destruction… but they survive, deeply impressed. It may result in ‘shock’…and a preoccupation with he horrors that have been witnessed.

3. The Remote Misses. These are the people who hear the sirens, the bombs explode, watch the aircraft overhead, but the bombs explode down the street. For them the experience of the bombing is that they survived easily, unlike the Near Miss group. The emotion as a result of the attack…

is a feeling of excitement with a flavor of invulnerability.

Near miss = trauma, remote miss = invulnerability.

Diaries and recollections of the period certainly support these theories. For instance, when a laborer was asked if he wanted to be evacuated to the countryside (after being bombed out of his house twice) he replied;

What, and miss all this? Not for all the tea in China!

The reason for this attitude, the sense of invulnerability, is that they have been through the very worst of time… and survived. They had faced their fears, and realized they were not as bad as they thought they were going to be, and in fact the result of surviving had given them a sense of elation that made them feel even more alive than before.

This is a very long way of saying that we may very easily view security incidents and breaches like this. Sony (perhaps) are the ones right at the centre of the blast. they are affected directly, and don’t even run around spreading panic because they are too busy dealing with the incident itself.

The near misses, Sony’s vendors, suppliers and partners are probably reeling from the near miss and are probably doing all they can to ensure it doesn’t happen to them. in short why are traumatized.

Finally, there is the rest of us. Yeah baby! Another breach, and it wasn’t us! We are invincible! We don’t need to do anything different at all, because we are survivors!

I think I see an issue here. Every time we are not breached, we become more confidant that we will not be breached, and become over confident and convinced we are having the time of our lives doing great stuff in the infosec world and not being breached. let’s hope that bomb doesn’t drop too close to home to burst that bubble, otherwise Careers is So over ceases to be a funny industry joke and very much a reality. Take the precautions now, take the threat seriously, and do what you can now, before it is too late.

I would strongly recommend reading the Book David & Goliath by Malcolm Gladwell if you would like to read more about this concept as well as others along the same lines.

A personal note…

PubGr_logoI am now under new employment as a result of an acquisition of my previous employer, and I have been fortunate enough to be elevated to Group CISO of the acquiring company. Unsurprisingly this has resulted in a massive new workload, travel schedule and responsibilities, and hence my distinct lack of posts this last few months. Despite this I have still been nominated for European Personal Security Blog 2015 in this years Blogger Awards; thank you!

Additionally, I am so proud to say that not only is my new employer keen to promote this blog internally in the new company, but also thrilled to say we have become the newest sponsor of the European Security Blogger Network.

Finally, I have been on the road a huge amount the last few weeks, including at RSA USA where I was very happy with my presentation at the RSA Studio; I spoke about how we have changed our approach to security awareness, and the use of the Restricted Intelligence product to catalyse it.

There were also talks at Munich Identity Management Conference, although the talks are not public yet.

Next week, Bsides London, InfoSec Europe, European Blogger Awards and RSA Unplugged. I am mentoring a rookie at Bsides, Speaking at infoSec, as well as at the Tripwire booth, sponsoring (and nominated!) at the Blogger Awards, and just watching at RSA Unplugged.

It’s has been a busy few months!

Getting Ahead in Information Security

Leave a comment

getting ahead

(Originally Posted on the VIA Resources Blog here.)

Advancing your career in information security, let alone getting a job in it in the first place is challenging and sometimes overwhelming at best. It can often feel like an exclusive club that is hard to break into, and the “elder statesmen” of the community distant and aloof. With these kind of barriers where do you even start to try and network and make contact with people who could not only progress your career but also start it?
The real answer at first appears flippant; if you want to be a part of a community you need to engage with it and join in. Obviously, that is harder than it seems, so here are three ways you can help yourself to getting ahead in Information Security:

1. Start attending the many free events that are held every week.
There are plenty of these around, you just have to look for them, such as (ISC)2 and ISACA events, plenty of sponsor driven events and community driven events. Europe’s largest information security event, Infosecurity Europe is a free three day event which not only gives you access to all of the vendors out there, but also an excellent education programme. Traditionally on the same week there is also BSides London, a free one days event, although this one is ticketed. Not in London? Then consider BSides ManchesterSteelCon and SecuriTay. Seek them out and you will find them. Not in the UK, then Google is your friend.

2. Attend some of the bigger, paid for conferences.
Obviously this is not always easy, especially given the price of the tickets and the whole reason you are reading this is that you need a job! All of these conferences require a huge amount of effort and willpower to get them to run smoothly on the day, and many of them require… volunteers. 44CON has one of the best volunteer crew programmes I have come across, with plenty of perks available. By volunteering for these events you are not only showing yourself to be a stand-up member of the community, willing to help out and contribute, but you will also get unprecedented access to the attendees, speakers and organisers. They are yours for the networking!

3. Contribute to the community.
This could be anything from volunteering (above), blogging, tweeting, offering to speak, writing articles for the various community news outlets, in fact anything that gets your name out there. Submit in the variety of Call for Papers (CfP) and you normally get a free ticket, and sometimes travel expenses paid too. Depending upon your grammatical and public speaking skills, this could be very tough but who said progressing your career was easy? Being able to articulate your personal opinions on the often very contentious issues in the industry is an excellent way of improving your ability to assimilate, process and form your own opinions and views for the benefit of the community. What better way of getting known in the industry?

All of the above require time dedication and effort, but since this is your career we are talking about, are these too much to ask?