WordPress was a great way to get into blogging. One day I’ll probably run it on my own site, which is where this blog is now hosted.

Security Awareness Series: Part Five – Map it Out
August 9, 2010
Now that we have some topics and some goals in mind we can start mapping out a timeline for the first 12 months or so of our awareness program.
You’ll need a calendar, preferably one which shows the entire year on one page, or knock up a spreadsheet to show the entire year on one sheet. You’ll reference this sheet a lot during the year so it’s a good idea to hang it on the wall. Things will change. Don’t get too precious about scribbling on it. If you can spare a whiteboard for this that’s great, but my preference is to be able to see each day so it would have to be a fairly large whiteboard.
Although I’ve asked you to come up with a bunch of topics, I haven’t (in this series at least) explained why you need so many. You probably didn’t have too much trouble coming up with a substantial list, so you’ve no doubt figured out that you’re going to have to run quite a number of ‘events’ to cover them all. You could of course go down the old fashioned route of forcing everyone through a half or even full day course once per year, but oh think of the lost productivity! Plus, unless it’s something quite special, most of the participants will forget 80% of what they saw or heard within a couple of days, especially with so many topics.
A much more educationally sound approach is to space your topics out. One a month is a convenient arbitrary number. You could even do one every couple of months if you are short of resource. The key here is repetition. Constant reminders of both the requirement for security and the fact that your team is making it easy to comply.
That second comment may come as a shock to some who think the job of security is to lock everything down as tight as possible. It’s not. Security is there to serve the business. To enable the organisation to perform whatever function it is designed to as best it can. Confidentiality, integrity and availability are just means to an end, not the end itself. So what you need to do is constantly remind your colleagues outside security that you are there to serve, providing professional and timely service. The goal is to win them over so they feel more inclined to ‘participate’ in your ‘culture of security’ (see the previous post for more on that term). Think like a marketing manager, not a university lecturer. The lecture paradigm is dead. Need convincing? Then watch this video now.
Assuming you did watch it, now I’m going to stretch you even further and ask that you replace all those young people in the video with your colleagues. The millennials, gen Y, whatever you want to call them are not just young people anymore. Facebookers, Tweeters, vloggers come from all generations. The digital culture is here, get with the times.
Right, so now you’re a marketer not a lecturer. What does that mean for your awareness program? It means that the program just became a series of campaigns. Like ad campaigns. And now that you’re in advertising all those tricks and rules apply; repetition, audience metrics, repetition, messaging, repetition, brand placement and repetition.
Repetition, however, doesn’t mean telling people every month to have strong passwords (although repeating campaigns does have obvious value). Rather it means repetition of security as a service. “We are Information Security, we’re here to help, and by the way please encrypt your USB sticks as per this policy because it [insert reason relevant to organisation purpose and culture here (see part three)]”.
So you’ve got this spreadsheet/calendar in front of you. To populate it look for:
- Regular corporate newsletters
- Upcoming corporate events
- Key dates in the corporate calendar
- External campaigns (e.g. Privacy Awareness Week, Cybersecurity Month)
- Public holidays
- Etc…
What you are doing is tying your messages to existing communications or events in people’s lives. In the first instance, utilising corporate comms means not having to come up with your own delivery vehicle from scratch. It also has the benefit of forcing a schedule on you, which can help motivate (or remind) you to get working on the next campaign. And by relating your campaign to a public event you can inject relevance into your campaigns so that they are not messages for messages’ sake. For example, a campaign around Christmas time can focus on scams or dodgy email greeting cards, and even give advice on how staff can do some maintenance work on their home computers over the holiday period, such as backups or full system scans.
So with your topics in place, your comms dates lined up and the whole plan on your cubicle wall in front of you, you’re ready to tackle the next task – making your first poster.
The next post will be an overview of how you can use some free tools to create a professional looking poster.

Three simple rules of good security…
August 6, 2010
I’ve been taking a look at internetevolution recently. They are running an interesting series of ‘lectures’ about all sorts of IT related issues. Security was first up and Richard Stiennon kicked off with a talk called ‘What CXOs consistently fail to grasp about enterprise security’.
One of his slides is particularly useful. Titled ‘Three simple rules of good security’ it listed:
- Secure networks assume that hosts are hostile
- Secure hosts assume the network is hostile
- Secure applications assume the user is hostile
I couldn’t resist adding a fourth in the comments:
‘Secure users assume the application is hostile.’

Security Awareness Series: Part Four – Leveraging Corporate Culture
August 5, 2010
Want to create a culture of security? Don’t bother.
If there is one overused phrase when it comes to defining the aims of a security awareness program, it is ‘create a culture of security’. Not only is this phrase a cliché, but it is misguided, demonstrates naivety on the part of a security professional, and how are you going to measure it anyway?
People in the security industry are by and large clever and resourceful. But we’re not organisational culture change experts. If you think you are, then take a look at the Wikipedia entry for Organizational Culture. It’s 14 pages long when printed. Check out your city library for books on the subject. You might be surprised at just what a large and diverse topic it is.
So anyone who thinks a few posters and a couple of compulsory lectures a year is going to ‘create a culture of security’ then they should think again. Leave culture creation to the experts, the HR strategists and the Organisational Change Managers.
But all is not lost. In fact now that you are freed from that impossible task you can work with what you’ve got.
Your organisation already has a culture, and believe it or not security already fits in there somewhere. What you need to do is leverage that culture. Find out what it is and use its own weight against it. It’s a bit like judo, except here we are not trying to subdue an opponent; we want to direct its own institutionalised culture to do our bidding.
What do I mean? Okay, let’s do this in two parts.
First, to make you feel comfortable, go back to first principles. Confidentiality, integrity and availability. The CIA triad. Every security professional knows these. What you need to do is recognise which one is most important to your organisation. Of course they all have their place but if you really think about it one of them will be foremost in the minds of the majority of your colleagues whether they understand it or not.
This is really important. If there are strings to pull then these are the sticks they’re tied to (assuming that whole string pulling metaphor is about marionettes). If an organisation is a profit driven, customer focused beast then availability is probably the biggest concern – the CRM system needs to be available 24/7. In a clinical environment, information integrity will be the most important – doctors need to know the information they’re using is accurate (someone pulled me up on this once and said the main concern for doctors would be privacy but frankly I think any doctor would rather have a live patient with privacy issues than a dead one nobody knew about, medical misadventures excluded).
So knowing which part of the triad is highest in the order of things helps, but it is only half of the story. The other cultural factor to consider is more about traditional organisational culture. Take a look at that Wikipedia article to get a sense of the various cultures that might exist. There are loads of models. But here is where your own knowledge of your organisation built up through experience counts.
You might identify your organisation as young, edgy, high tech, and commercially focused. Or maybe it’s solid, conservative, and process driven. What’s most important, protecting customers’ privacy or protecting the bottom line? And why? Are professional reputations at stake, or jobs, money or even some higher, altruistic purpose? Recognise though that it’s never just about compliance (or shouldn’t be).
These are the cultural aspects to think about. Combined with the security goal (from the CIA triad) you will start to get an idea of what motivates your organisation.
Now for the good news. Your co-workers have already been indoctrinated… so roll with it, not against it. If you’re lucky there might already be a strong understanding of the need for security. Whatever the case, your task is to show people how good security is going to make it easier for them to do a good job, and for their organisation to thrive.
Still don’t get it?
Okay, to spell out some hypothetical examples:
“Doctors and nurses – Scan your USB sticks because they can carry viruses which can bring down clinical systems, which could impact your patients’ health”
“Sales people – password protect your smartphones. Losing your phone could mean losing your customers and your commission”
“Politicians – Protect the passwords to your social networking tools. Your words could be someone else’s.”
You wouldn’t use these messages ‘as is’ of course. You’d tailor the language, graphics etc to suit your organisation. But hopefully you are starting to see it’s all about leveraging the existing culture, not trying to create a new one.

Security Awareness Series: Part Three – Choosing Topics
July 29, 2010
If you and I were to each list ten awareness topics on separate pieces of paper, chances are most of those would be the same. To illustrate, grab a piece of paper and list ten topics. Then continue reading…
Here are ten topics off the top of my head. How many match yours?
- passwords
- malware
- phishing
- social engineering
- laptop security
- strangers on site
- clear desktops
- USB Security
- encryption
- data classification
The truth is that it is easy to come up with information security awareness topics. The hard part is coming up with topics that are relevant to your organisation.
So, base your topics on drivers that already exist. Not a list like you’ve just written, but clear and present needs. For example:
Audit points – Responding to audit points will not only satisfy the auditors, but will make you look like a security superstar to the powers that be (well at least a competent and co-operative employee) and maybe will even address some genuine security risk.
New policies – Whenever a new security policy is introduced an awareness campaign should accompany it. After all, the best policy will be little more than scrap paper if no one understands it or even knows of its existence.
Existing policies – People need reminding. It’s a fact of life. While the existence of policies that make sense will stick in people’s minds, the details may not. For example everyone knows that they should choose good passwords, but do they know what constitutes a good password as per your policy?
The Information Security team itself – You’re no doubt part of a customer focused, client centered, professional team which is always on hand to answer security related questions from any employee (or at least you should be). Just letting people know you are there will help to raise the profile of security in the minds of your audience.
Incident metrics – Depending on how good your visibility of actual security incidents is, you should of course be using this information to drive topics too. From experience that visibility isn’t always there so it can be easy to rely on exaggerated media reports or releases from product vendors. Be careful using this data in your campaigns. Overstating the problem can lead to message fatigue. To counter this, always provide a solution to the issue you’re covering. Your campaigns will then be remembered for being useful and not just FUD.
What this all boils down to is that your topics need to be relevant. The best clear desktop campaign is pointless if your organisation has no clear desktop policy. In reality you will cover some of the topics from the bulleted list above. When you do, put them into the context of your organisation. The next post will discuss how this is done.

Security Awareness Series: Part Two – Setting Goals for Your Awareness Program
July 26, 2010
For part two of the series on running an awareness program I am going to focus on setting goals.
Initially in my plan for the series I had this post listed as ‘selecting topics’. After all, how can you set goals when you don’t even know what messages you are going to be delivering?
On the other hand no matter how good your ideas are, if you don’t give yourself at least one goal then anything you do produce will likely be waffle and FUD.
At the end of the day it is up to you to work out the order in which you do things. We’re all different. Some like to see the big picture first (me) while others prefer to dive in to the details (my wife).
To cater for everyone, I’ve devised a planning sheet which I’ve called a Structured Brainstorm. An oxymoron I know but the idea is that it gets enough of your ideas down on paper, in a logical way. From there you can flesh out a formal plan. You should work through the sheet from top to bottom because each section loosely relies on the previous – but again that’s just my opinion. I’ll provide a link to the doc at the end of this post.
There are many reasons to set goals. One of the most useful (IMHO) is to motivate. To be motivational, a goal has to be achievable. It also has to be timely, or not too far in the distant future. (Think about the old SMART acronym: Specific, Measurable, Achievable, Relevant, Timely.) Remember also that these goals pertain to a program of work which is to contribute to the security of your organisation, and one which you may be expected to report on regularly.
So what type of goals should we be setting?
Quick, easy win goals could be considered operational goals and might include things like ‘make a poster’ or ‘book a date for some internal advertising’. They should be things you could achieve within the next two weeks. Don’t worry if you don’t know how to make a poster. I’ll be covering that in another post soon.
Medium term goals are called tactical goals. These might be things like ‘have a regular slot in the corporate newsletter’. They will reflect what your awareness program might look like in the next six months. Try and come up with three good ones and remember that they must be SMART too.
Strategic goals are your long term goals, often related to behavioural outcomes such as ‘all users have strong passwords’. These goals will take time, but are the goals that ultimately prove the worth of the awareness program. That said, these goals are unlikely to be attributable solely to your awareness program. Achieving security is a mix of people, process and technology (all the old clichés are coming out now!).
So we’ve broken the problem down, and we’ve also looked at our goals and organised them into operational, tactical, and strategic goals. We’re getting closer to developing a workable plan for our awareness program.
What I suggest you do now is download the brainstorm sheet and have a go at completing it. It’s just below in the Scribd frame. We haven’t covered all aspects of what is on that sheet yet but you might surprise yourself and come up with a great plan before I even write the next post – where we’ll look at topics.

Security Awareness Series: Part One – Break the Problem Down
July 21, 2010
A few postings back I labeled a post Part One, promising to come back with Part Two. Well, I still haven’t written Part Two. However I haven’t given up. I’ve decided to try harder and write a series of postings specifically about developing a security awareness program. A kind of ‘how to’. So the mythical Part Two will become this series.
Why the title Breaking the Problem Down? Well I realised that the topic was far too big to fit into one post. So now it will span across ten or more.
Developing a security awareness program is not a simple task. It’s not a case of making a few posters or buying an off-the-shelf CBT course. It requires a modicum of planning, some attention to detail, and a good deal of networking with your colleagues. Because it’s a big task, it makes sense to break it down and deal with various components on an individual basis.
So by way of beginning the task (and craftily linking back to the title of this post) let’s take a step back and see how breaking the problem of security awareness down will help us achieve our goal of developing a successful program.
When a CISO is forced to think about security awareness they probably overstate the problem. They might ponder how they can encourage everyone to stop leaving USB sticks in coat pockets that get sent off to the dry cleaners, and in the next thought rack their brains over how on earth they can get the developers to stop leaving back doors all through their code.
Luckily, all the thinking around this has already been done. A while back the NIST produced a document called ‘Building an Information Technology Security Awareness and Training Program’. The document is a fair old read and a little dry. It also presents a very traditional (hit and miss) approach to security awareness. But the best take away from it is one of those ideas that is so brilliant in its simplicity that you’ll think you always knew it.
NIST SP 800-50 defines security awareness as part of a continuum. The first part actually, with the other two being security training and security education, in that order.
Without wanting to regurgitate the document, which is only a click away, the three parts are presented like this:
Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.
Target – All Staff
Training strives to produce relevant and needed security skills and competencies.
Target – Staff who work with information
Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.
Target – Security Specialists
So while the awareness program must still reach all staff, the scope of what is to be achieved is far narrower. This, if nothing else, can have motivational benefits for the designer of the program.
Don’t get me wrong. The training and education components are very important too. But there is a reason awareness comes first. If you hope to change behaviours, you first need to address beliefs and attitudes and that is where a creative awareness program which is designed with a specific organisation in mind can be a lot of fun to implement.
The simple act of framing the concept of security awareness in this way allows the CISO (or whoever the lucky sod is) to home in on setting some specific and achievable objectives. And that will be the subject of the next post…

Lessons from Advertising
July 1, 2010
Recently I delivered a seminar on running a security awareness program. One of the ‘principles’ I discussed is that an awareness program needs to consist of regular messages, not a half day course once per year.
I drew a parallel to other behavior change programs the public are exposed to such as drink driving, speeding and smoking. Campaigners in these areas understand that we as humans need to be hit repeatedly with these messages if they are to become embedded in our psyche. So we see campaigns like ‘If you drink then drive you’re a bloody idiot’ repeated and reworked over and over, but with the same message.
I thought it was a nice comparison. Whether these campaigns by themselves actually work or not could be debated but they are part of an overall strategy which also includes legislation and enforcement – as a good security strategy will also include policy and enforcement.
But it dawned on me the other day as I was stuck in front of the box with the flu that there is a better example which is so good we can’t escape. Advertising.
A common strategy by advertisers is to repeat advertisements. Short installments at prime time seem to be the most favored. But the key is that there are repeat screenings, hammering home the message ‘you need this product’. Sure we ignore a lot of these ads because we tune out at ad time, but so persistent are they that eventually you will tune in. From that point whether the ad is successful depends largely on the quality of the ad itself. To hold your attention the advertisers use an array of techniques, humour, colour, jingles, sex, and always…stories.
In security we need to be more like the advertisers and less like public health campaigns.
Let’s face it, health campaigns are boring and easily ignored. They always use shock tactics and our great human brain says ‘it’ll never happen to me’.
In your awareness campaigns, get edgy, use humour, make them exciting and a little offbeat, use a variety of media. Show your audience that security will make their lives better. Make the user DESIRE your product.
And part of doing this is to tell them again, and again, and again.

Don’t get caught by Tabnapping
June 1, 2010
Aza Raskin has written about a cunning new phishing attack he’s dubbed Tabnapping.
Basically it’s a scripting attack which can be installed on your own website or used with cross-site scripting on a target website. It relies on the user switching away from the infected site to another browser tab. When the infected page registers it has lost focus for a short period the page changes to a login screen (fake of course) of another site such as Gmail, Twitter, or any other site the attacker wants to grab user credentials for. This happens ‘unnoticed’ by the user as they are busy on another tab.
Eventually the user will notice the tab, which now has the Gmail etc favicon displayed. When they navigate back to it they’ll think they’ve been logged out and try to log back in. Credentials Pwnd! The fake site will then pass the credentials on to the real site, logging the user in who is none the wiser.
There are of course problems with this attack. The user may notice the change, the page displayed may be for a site the user doesn’t use, the user may have NoScript installed, and so on. But as with most phishing, the attacker doesn’t require success in every attack.
It got me thinking about who might be vulnerable to an attack like this. For my part, yes I could get tricked, but old habits mean I don’t tend to keep a lot of tabs open.

Rationing safeguards your data too!
I began using the web in the days of dial-up and machines with 32MB RAM. I was running a network of machines with Windows 3.11 and every program I opened slowed the machine down considerably. My home machine is now quite old and struggles along on 500MB. If one of the kids (or the wife) double clicks instead of single clicks then the browser tries to open twice grinding the machine to a halt for a minute or more.
Consequently I’m perhaps overly paranoid about memory loss. I rarely run more than two programs simultaneously, and tend to close tabs rather than just opening extra ones. I don’t even like having too many icons on my desktop.
Sometimes I feel like an old timer who still remembers rationing.
Yet I have colleagues (younger and older) who either have never needed to ‘ration’ resources or who have forgotten what it was like in the bad old days of 32MB RAM modules. These are the same people that lose stuff on their screen and stay logged in to their webmail accounts all day.
Complexity is the enemy of security. Perhaps clutter is too?

Try Harder
May 28, 2010
A few months ago I completed the Offensive Security Pentesting with BackTrack course. This is an online course which covers an incredible amount of content. The course takes you through penetration testing methodology from start to finish, and provides an online virtual lab for you to test out your new found knowledge.
As a Linux newbie, and not coming from a purely technical background, I found the course extremely challenging, but at the same time immensely interesting and engaging.
The course facilitators have a saying which they trot out whenever they feel you’re asking for help too quickly or when, I suspect, they don’t have a suitable answer to your query. ‘Try harder!’.
I think this slogan should be applied to the security industry when it comes to dealing with the people part of the people, process, technology triangle.
An article in Computerworld raised my ire regarding this very topic. The reporter was explaining how the cleaning staff at a hotel he was staying at left a master key in his room by accident. The response from a ‘senior security veteran’ he told about it was that the chief problem in security has remained the same for decades — educating stupid users. I couldn’t help responding and you can read my response here.
I can forgive the Offensive Security crowd for telling me to try harder. I was swimming out of my depth doing their course and being told to try harder was sometimes the encouragement I needed to solve the problem presented.
So I’m going to give the same advice to security experts who think they’re dealing with stupid users…
If your security is too hard for your users, try harder.

