Is there really such a thing or am I dreaming?
For any of you that are involved in security awareness efforts, you know what I am talking about. Security awareness training efforts just do not seem to catch fire or interest anyone, even yourself. So what is one to do? The reason I bring this topic up is that I attended an FS-ISAC Webinar where Lance Spitzner of SANS offered a very interesting idea in regards to security awareness training.
Before I get too deep into security awareness training, a bit of background. Mr. Spitzner pointed out in his presentation that human beings are very bad at judging risk. Worse yet, since most people have a poor understanding of the Internet and technology, that risk judgment gets even worse as most people, even IT professionals, just do not seem to get the risks presented by the Internet. He presented numerous examples of just how bad people are at risk evaluation without information or a frame of reference.
If you think this is a fallacy, go and read peoples’ Facebook and LinkedIn pages. The amount of proprietary and sensitive information that can be gleaned off of social media pages is terrifying. But it is not just social media that creates problems. Organizations do it to themselves all of the time with their own Web sites. In the name of openness and marketing savvy, organizations post amazing amounts of proprietary and sensitive information on their own Web sites. The ready availability of all of this proprietary and sensitive information lends itself to making a successful social engineering attack a foregone conclusion.
As I like to point out in my social engineering presentations, no one walks down the street indiscriminately handing out their business cards to everyone they encounter. The looks I get from that statement are truly amazing. Most of the people in the room do not get it and, unfortunately, probably never will get it until they are breached. However those that do get it usually turn pale as it is usually the first time they realized the seriousness of the situation and the amount of risk to their organization all of that information presents. When you are on the Web, organizations and people post their life stories for anyone and everyone to see. Is it any wonder why the DEF CON “How Strong Is Your Schmooze” social engineering contest is so successful?
I have thought about this situation a lot lately as social engineering becomes more and more one of the tools used to initiate a breach. I keep coming back to what can we do to minimize this disaster? Security awareness training just does not seem to be working and then I run across Lance Spitzner’s presentation to FS-ISAC. Mr. Spitzner states that people are just like any other device in the mix. He points out that Microsoft patches Windows every month on ‘Patch Tuesday’, so why are we not “patching” people at least monthly. What an idea.
Mr. Spitzer stated me to thinking about people as running the human operating system, or hOS as I prefer to now call it (my apologies to Apple). And all of a sudden, viewing people as devices running hOS clarifies security awareness training. Now, I know there are some that will chastise me for dehumanizing people. But I justify my doing that in the fact that it needed to happen so that we can better understand and educate people so they are less at risk.
If you accept the premise that people should be treated no differently than any other device, then you know that security awareness training on hiring or an annual basis is just not often enough. Microsoft issues patches to their software monthly if not more often in emergencies. Since human beings are terrible at judging risk, then how can only annual security awareness training address the issues in hOS? And that is just it, annual training cannot. hOS needs to be regularly “patched” just like every other operating system. That means at least a monthly patching cycle. But doing monthly “patching” is not just all you have to do for hOS, you also need to make the “patching” relevant to hOS.
This is where subscribing to news and information security RSS feeds or listservs to track what the hot issues are for hOS. Just like Microsoft focuses their patching of Windows on the most dangerous vulnerabilities, hOS vulnerabilities also need to be tracked the same as technological vulnerabilities.
By decoupling people from the equation and looking at the security awareness problem as patching another OS, it liberates you to think in new ways. So, what are the steps in patching an OS?
- Identify the vulnerability.
- Determine the risk of the vulnerability.
- Determine what can be done to mitigate or remediate the vulnerability.
- Develop a program to mitigate or remediate the vulnerability.
- Test the mitigation or remediation of the vulnerability.
- Implement the mitigation or remediation of the vulnerability.
Now apply those principles to hOS on a monthly basis. Taking the results of your research you can surely come up with a vulnerability or two that has occurred whether it is a suspicious email with a PDF or spreadsheet attachment or a drive-by attack. Take those as examples, explain their risk, explain how to recognize these attacks, and then put your marketing department to work on developing a message that trains people. There is a reason I recommend the marketing department and that is because you can share this information with your customers as well as your employees.
Send out these messages on a regular basis, preferably monthly but definitely more often than annually. Follow up those messages with ‘lunch and learn’ or similar sessions to further discuss those messages and to ask attendees if they have any security questions or have encountered any threats at work or even at home. These steps should show your customers and fellow employees that security does not require knowledge of technology so much as just using common sense and being skeptical.
Security awareness does not need to be conducted like a TV sitcom, but it can work if you take the approach that you are patching another device and you make that training relevant.