Cybersecurity – Rob Medley

An Apple A Day….

Do you own an iPhone or iPad? First thing today, It’s time to update to iOS version 10.3.3.

Why? It’s vulnerable to an exploit that allows an attacker to take over your device. Called BroadPWN, which will be covered in depth by other writers, it’s a critical flaw. Gone are the days when Apple fans could claim invulnerability to the malicious backhand of the Web.

When? Do it now, while having coffee or debating whether or not to call in sick to work. It will take about 15 minutes start to finish to update.

How? Hopefully, this is errata to you by now. If not, we need to talk. Go to ‘Settings’ -> ‘General’ -> ‘Software Update.’

Enjoy your Monday.

Hacking the Irony

By Rob Medley

AlphaBay founder Alexandre Cazes had a bad week. Business on his Dark Web version of eBay was making the Canadian lots of money, literally hand over fist. He didn’t need to worry about the police, his service operated via anonymizing methods such as Tor and I2P. Things were really looking up, until the man found himself in a dank Bangkok jail. It seems, in a veritable twist of irony, that Cazes had fallen victim to the same hacking techniques as millions of individuals and businesses face each day.

“You will never find a more wretched hive of scum and villainy. We must be cautious”

AlphaBay, like Mos Eisley Spaceport in the Star Wars saga, was a bazaar of digital dubiousness. Anything and everything could be found there, from drugs, to arms, to hacking tools with extensive instructions and even customer support. It was a thriving bastion of Capitalism dedicated to the underworld. Unfortunately, the 1% were not getting their cut, so it had to be taken down. The beginning of the end happened simply enough. Police had acquired Cazes’ email address ‘Pimp_alex_91@hotmail.com’ way back in 2014 while monitoring the site. In a fait accompli, Cazes had somehow added his personal email to the new user welcome message; a good thing for legitimate CEO’s, showing that they care, but not so much for something that could land you in a Thai jail.

“Treachery has existed as long as there’s been warfare, and there’s always been a few people that you couldn’t trust.”

General James Mattis, the stalwart symbol of American military prowess, follows the eastern philosophy which teaches knowledge as the key to defeat an enemy. By the same token, any hacker worth his salt can break into a network with just a single piece of information, like an email address. Conducting reconnaissance using the address can reveal social media and financial accounts, domain registration data, and daisy-chain contacts associated with the email. The exploitation process after this can be as easy as sending a compromised link in a phishing email from one of the targets friends, placing malicious code on a site the target is most likely to visit, to planting a rootkit.

“Once you’ve lost your privacy, you realize you’ve lost an extremely valuable thing.”

Billy Graham, the champion of cable TV Christianity, has a net worth of $25 Million. Alexandre Cazes’ net worth, by contrast, was about the same, coming in at $23 Million. When police launched operation ‘Bayonet’, they basically followed the trail from Cazes’ compromised email address to his PayPal account and a front company, EBX Technologies. Eventually, this led them to Cazes himself in Bangkok, Thailand. A raid on the swashbuckling entrepreneurs house procured the laptop Cazes used to run AlphaBay, which was unencrypted and logged into the AlphaBay site at the time of its seizure. The lesson here? Encrypt your hard drive and traffic. Also, have an extremely short inactivity lockout, especially if you are on the wrong side of the law.

“Have no fear of perfection – you’ll never reach it.”

Salvador Dali, mustachioed master of Surrealism, knew that perfection can never be achieved; the same is true in security. Navigating the digital world around us takes caution and a hefty amount of risk acceptance or mitigation. It was not some grand marvel of network subversion that took down AlphaBay, but human carelessness. It is an ironic cautionary tale that those on the wrong side of the light, legally speaking, are just as susceptible to hacking as we are in bountiful lands of the mapped Internet. Basic awareness and caution should be globally embraced by anyone engaged in digital activities, because all it takes, is an email address.

Growing Devil’s Ivy in the Internet of Things.

By Rob Medley

Linux is becoming a larger target for malicious actors these days. If you’re unfamiliar with Linux, it’s a different flavor of operating system, like Windows or MacOS. Don’t think you own anything that runs Linux? Think again. The odds are heavily in favor of you owning a gadget that is connected to the web, otherwise known as the Internet of Things (IoT). Gadgets, like Amazon’s Echo, security cameras, Internet-enabled dimmable lights, and so on, all comprise the IoT.
While the Echo and other high-end gadgets may be less vulnerable to attack, the bargain hunter in us is driving the purchase of cheaper items, those that may do the same thing as the Echo, from places like China. As manufacturers tend to care more about shipping product than the security of the product itself, cheaper does not equal better. Dozens of manufacturers use the same Linux code or stripped down operating systems to make their gadgets work well enough to get it to market. After the fact security support is often left to the user or a poorly manned customer service center.

Devil’s Ivy, the name of an exploitable software flaw discovered by the research company Senrio, is endemic to a Simple Object Access Protocol (SOAP) that allows a gadget to communicate with the network. Companies that use the code in their product are part of the ONVIF consortium, a “forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products,” per the ONVIF website. Who are the members? Canon, TP-Link, BAE, Cisco, D-Link, Honeywell, JVC, Mitsubishi, Panasonic, & Samsung are all prominent names on the list of members. As a caveat to prevent a lawsuit, I must add that these companies may provide excellent support and timely security patches; but your TV and security cameras are part of the IoT and, well, you know.

Senrio estimates that the range of vulnerable devices is in the tens of millions, based on the statistics provided by SourceForge indicating that the SOAP development code has been downloaded just under 38,000 times in 2017 alone. Therefore, the odds of having a vulnerable device in your business or home are extremely good.

So, what can you do? Take an inventory of web-connected devices in your home or business (if you haven’t already), then look on each manufacturers support website to see if there is an update available. If an update doesn’t yet exist, you must weigh the risk of running the device on your network, and its impact on other computer resources, should malware use it as a pivot point to attack other nodes behind your firewall. The safer option is to either put your IoT devices on their own subnet (for the technical types) or not use the device until a patch is made available. Now that your attention is on your network, it may also be a good time to enable (sigh) or change those router passwords, as well as update all your operating systems and programs.

Sources:

http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions

Home

https://sourceforge.net/projects/gsoap2/files/stats/timeline?dates=2017-01-01+to+2017-07-12

NIST SP 800-53 Revision Five is Coming

The draft publication of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Systems and Organizations, is on the street.

This exciting publication, at least for us policy-geeks, makes changes to the structure of the controls to allow them to be adaptable to a wide range of missions; for example, mission and business focused enterprises, engineering organizations, those engaged in infrastructure design and their partners. There really is something for everyone.

The major changes to the SP 800-53 Rev 5 include fully integrating security and privacy controls by making them outcome based. Revision 5 clarifies the relationship between security and privacy to address all associated privacy risks. Controls have been consolidated and cross-mapped in tables to create a unified set of controls for easy reference between security and privacy.

Another major undertaking has been to separate the process from the actual controls, which allows organizations to easily adapt a control set to their mission. It comes in handy when engineers need to use a control differently than, say, a software developer, or business owner.

The SP 800-53 Rev 5 now makes it easier to integrate with other risk management and cybersecurity approaches i.e. ISO, ISACA, DOD, and NSS/IC. The various RMF’s are becoming more and more alike, which takes the strain off the beleaguered staff implementing them in complex environments.

Other exciting revisions of the revision include incorporating new ‘state-of-the-practice” controls based on threat intelligence and empirical attack data, controls to strengthen privacy governance and accountability, new guidance on cloud, the Internet of Things, and booting the academic advice and tailoring guidance to other publications in the 800 series. This makes for a leaner, more impactful document.

Acronym-Slaw: GDPR and DPOs

The General Data Protection Regulation (GDPR), the European Union’s answer to strengthening privacy protections across its member states, is set to go into effect on 25 May 2018. As companies across the world doing business in or with EU organizations prepare to adhere to the tenants of the law, there are some controversial portions of the legislation that merit closer inspection. One of the acronyms that will be bouncing around the IT world in the ramp-up to implementation is that of the Data Protection Officer (DPO).

Who is required to have a DPO? If your business has more than 250 staff, you will be required to have one of these in place. Additionally, organizations that have ‘core functions’ of information processing that need consistent monitoring will be required to employ a DPO.

This could be a boon for hiring, adding to the 3 million unfulfilled cybersecurity positions that will exist by 2021. In the immediate future, the GDPR will require about 75,000 DPOs, per the International Association of Privacy Professionals (IAPP). More likely, however, as the industry is constantly minding the bottom-line, this will be added to the many hats security managers already wear.

What are the knowledge, skills, and abilities your DPO will be required to have? He or she must be proficient in managing their employer’s compliance with the rules of the GDPR, train staff in GDPR provisions, as well as work with regulators regarding breaches, organizational performance with respect to risk management frameworks, and data protection measures. The DPO can be internal or external, but must be able to work and report independently to regulators. A DPO is appointed for a period of two years, which ensures job security.

Want to become a DPO? You’ll need to have a strong background knowledge in privacy protection, as well as a certification that meets GDPR specifications, such as IAPPs Certified Information Privacy Professional (CIPP). The CIPP is broken down by region (Asia, Canada, EU, US Gov’t, US Private Sector) and the test to become certified will be updated in August. Information regarding the CIPP is available here:

https://iapp.org/certify/cipp/

Want to take the GDPR for a deep dive? It’s located here:

http://www.eugdpr.org/eugdpr.org.html

A Simply Interesting (Pun Intended) Man-in-the-Middle Attack

I read about an interesting attack today. An Israeli study by Senia Kalma, Bar Magnezi, Hen Porcilan, and Nethanel Gelernter of the College of Management Academic Studies, Israel and a company that Mr. Gelernter works for called Cyberpion, suggests that a version of the Man in the Middle attack exists that traditional countermeasures fail to detect.

The attack, called Password Reset Man in the Middle Attack (PRitM), takes advantage of our curiosity and love of anything ‘free’; or, at least, my love of anything free. This attack, from my perspective, is especially applicable to the cybersecurity profession; wherein tech companies are consistently offering whitepapers or other valuable material in exchange for entering a little bit of data about ourselves. Our curiosity over the latest trend leads us to register for a site in exchange for access to the goodies. Granted, most of us know that the site is collecting the data for marketing and other less nefarious purposes, but do we really think it’s a lapse in security to exchange our email address for a white-paper? The answer is now a resounding “Yes”.

The PRitM attack is particularly beautiful in its simplicity; Malevich, Judd, and Pawson would be honored to have this attributed to them. Typically, a website, let’s say a security website by a new tech company, offers a white-paper that vows to teach us total security our information systems. We can also use, say, a recipe for an awesome desert that is only 10 calories. This is the bait, and our curiosity is the hook. We go to view the file, only to be confronted by a login or registration dialogue. After the initial eye-roll, we reflexively type in our email address.

As soon as the email address hits the website, however, the attack begins. By entering our email, we’ve given the attacker (who has control of the website) the information she needs to begin a password reset on our email account. Once initiated, one of three things will happen:

1) The server will generate a CAPTCHA request to make sure a human is interacting with the service;

2) The server will send an SMS code; or

3) The server will begin the process of a reset via recovery questions.

The beauty in the attack is that all this information is passed on to us as we are registering to download / view that file. For example, if our email provider needs a CAPTCHA answer to initiate a reset, the attacker merely forwards the CAPTCHA to us while we are filling out the information form. The same applies with security questions and SMS two-factor authentication. Using a two or three step sign-up process allows the script the attacker writes to efficiently pass the information between our email provider and ourselves, with minimal overhead.

Who’s affected? The researchers effectively ran their test cases against Google, Facebook, LinkedIn, PayPal, eBay, Baidu, Yahoo, Twitter, and a host of others; so, everybody. Websites that email links to reset passwords were not affected by the PRitM attack.

How do we protect ourselves against the PRitM attack? First, be sure we want to give out our email address, and if we do, use a throw-away address that is not linked to financial or other sensitive accounts. If an attack is in progress using SMS messages, be sure to closely read what the message says, as registering for a site won’t generate a message from our email provider.

To read more about this interesting attack, a PDF of the study is available below, no sign-up required 😀

Click to access 207.pdf

2017 Cybersecurity Vulnerability Trends

Looking at the state of Cybersecurity by news headlines, one would logically assume that ransomware is all security professionals must worry about in their day-to-day operations. The nemesis of the moment is Petya. Petya is a ransomware variant that is built on the chassis of a leaked National Security Agency exploit called Eternal Blue. The ransomware looks for unpatched Windows machines of all flavors running SMB 1.0.SMB stands for Server Message Block It’s an outmoded application layer file-sharing protocol that has been superseded by Active Directory and later versions of SMB. Petya encrypts your Master Boot Record, so that you can’t do anything while it works to encrypt the rest of your files. The result? You can either pay $300 in Bitcoin to some shadowy Russian hacking group and maybe get a decryption key for your files, or turn off SMB 1.0. To turn off SMB, you’ll need to navigate to your windows features setting, uncheck the offending service, and reboot.

But Ransomware isn’t the nightmare that should keep security professionals up at night. Indeed, a good backup policy mitigates any lapses in patch management. What should keep us up at night is our own state of being human. As humans, we are imperfect creatures. As much as we strive for greatness, there is always that one thing we might not have accomplished while juggling the many tasks of our daily rituals. Statistically, the vulnerabilities we see reflect the state of our profession.

Per the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the greatest threat of 2017 isn’t Ransomware, it’s buffer-errors, followed by improper access controls, information leaks / disclosure, cross-site scripting, and permission, privileges and access control weaknesses.

Buffer-overflows? Okay, I get it. The development world is complex, and errors are going to happen. One of the beauties of our human condition is that we can always find better ways to do things, or, on the malevolent side, ways to exploit things. Luckily, protections against buffer-overflows are evolving using safe libraries, stack and executable containment strategies.

Cross-site scripting (XSS) has been on the security radar for a while now, yet it has declined from its height of 14.3% of all vulnerabilities in 2009, to its current 9.2%. XSS is a legitimate attack vector, and its decline in prevalence shows that developers and admins have been waging an effective battle against the threat. The industry focus on web threats has led to some interesting countermeasures, including containerization (essentially running a browser in its own virtual machine), JavaScript sandboxing, and Content Security Policies (CSP); all leading to effective mitigation of the threat.

What should give security folks pause, is the rise in threats that stab at the very heart of our job description. Ensuring the confidentiality, integrity, and availability of information resources is what we do for a living. On a personal level, each of us should take offense that vulnerabilities exploiting access controls, permissions, and privileges even exist, let alone rank among the top threats to our networks. To be sure, buffer-overflows can lead to escalation of privilege, but we must not assume that security faults in controls and privileges are solely the result of software weaknesses. Certainly, NIST doesn’t take this approach as they have made buffer-overflows its own category, separate from access and privilege threats.

So, what do we do? First and foremost, we should let go of our ego. Don’t assume that every security detail has been taken care of. Get in the habit of double-checking yourself, make sure those privileges and controls are properly set, and most important, still relevant. If security needs are not being met, double-down on ensuring your settings are up to date. Use those checklists, validate your templates, and adopt habits that put security first.

Let’s make it a community goal to not see security essentials on the NVD vulnerability trends for 2018.

What Hackers Really Want

By Rob Medley

19 June 2016

You’ve spent thousands of dollars on that new Intrusion Detection System, upgraded your firewalls and endpoint security. You kick back, sip your latte and marvel at this titan of security that lies before you. You’re confident that there is absolutely no way to break into the system; let them try.

Two months later, you’re standing in front of the CEO explaining the breach; the CISO sitting glum in a chair, having incurred the boss’s wrath prior to your arrival. “How did the breach occur?”, the boss asks. “It’s not clear”, you say, “but it appears to be a privilege escalation that happened after a third party contractor fell victim to a phishing attack.” A heavy silence falls on the room as the boss studies you, shredding any confidence you had left in getting that raise; you briefly wonder how many boxes you’ll need to clean out your desk.

This scenario plays itself out far too often across corporate America. With the high profile attacks on LinkedIn, MySpace, iMesh, Tumblr, & GitHub, to name a few, it’s hard not to become jaded. In fact, the ease with which hackers are able to penetrate networks and steal passwords is becoming laughable. Just this month it was reported that 45 million passwords were stolen from over 1,100 mainstream websites^{^[1]}. In May, a Russian hacker was selling over a billion, with a ‘B’, passwords from major email providers^{^[2]}. To be fair, it should be mentioned that there were only 272 million unique passwords.

With firms dumping serious cash into network defense, to the tune of 2.3 billion in 2015^{^[3]}, one must wonder why events such as those mentioned above come to fruition. According to a recent Ponemon study, the average cost of cleaning up a data breach is $4 Million; that’s almost a third more than it was in 2013^{^[4]}. Breaking that down further, network downtime is costing firms an average of $300,000 an hour due to incidents^{^[5]}. In comparison, hackers are selling compromised servers for less than $10 dollars^{^[6]}. That’s right, your multimillion dollar security scheme is worth less than the average trip to Starbucks.

If hackers are investing the time to break into systems, then selling the sensitive data therein for the price of a Whopper and fries, one has to wonder, “What do hackers really want?” We all know that the motivation to break into networks and systems is as varied as there are people in the world; but network penetration can generally be grouped into financial motivation, curiosity, or hacktivism. Regardless of the motivation, the psychological underpinning of any action is that the hacker wants a challenge.

Hackers tend to look at accessing resources as a game (Chess, not Call of Duty). The psychological high that comes from winning is the reason most get into the intrusion game in the first place. At the same time, hackers tend to view easy opponents with disdain, feeling that the ‘n00b’ who can’t defend his or her network gets everything they deserve, like publishing their entire user database online. Yet in the hacker heart, they want us to not suck at network defense. They hope defeating us will be more difficult than playing Mortal Combat with their three year old brother.

We defenders must do our part in this virtual chess game! In addition to properly securing those new-fangled firewalls with more features/bling than Kim Kardashians closet, we have (as in really, people) to get our act together with regards to basic security hygiene. Bling is fine after you learn the basics. Let me ask, how long ago did your office update your network security policies? Do you even have them? One in four businesses do not have a basic security policy^{^[7]}. Are you in the same boat as the Federal Government, with languishing policies as old as 2006? Just remember that in 2006 Facebook was new, flip-phones were cool, the iPod (with the wheel) was at its height, & IOS, Android, and Windows Vista were not part of our vocabulary yet.

In addition to updating policies for the present, your organization should stand up a risk management program. The costs of one or two employees (better are consultants – I know one 🙂 to conduct audits of policy controls, NIST, ISO, or whichever framework you use, can save you hundreds of thousands of dollars in downtime. These risk management professionals can also provide staff training to lock down the human aspect of hacking – social engineering (phishing, and whaling). The end goal of all of this is not to suck at network defense.

Let’s face it; all of the technology in the world will not do any good if there are not sound security controls behind it. Things like enforcing mandatory password lengths, expiry dates, lockouts – e.g. the basics of security, which seem to be at the root of these huge breaches, are what is needed. By doing due diligence on these basic things, we make hackers happy. It’s now harder for them to gain access into a system. They are forced to spend more time trying to gain the prize and, conversely, we can spend more time playing with the technology toys that make us happy. Not only will practicing basic security give the cybersecurity chess game renewed vigor; it will give us the respect of hackers. If you haven’t got the respect of your opponent, what’s the point?

^{^[1]} Nicks, D. (2016, June 14). Hackers Steal 45 Million Passwords From Over 1,100 Websites. Retrieved June 18, 2016, from http://time.com/money/4369098/hackers-steal-45-million-passwords/?utm_content=buffere9699

^{^[2]} Wei, W. (2016, May 04). Hacker is Selling 272 Million Email Passwords for Just $1. Retrieved June 18, 2016, from http://thehackernews.com/2016/05/hacked-email-accounts.html

^{^[3]} Reuters. (2015, September 22). Cyber security investing grows, resilient to market turmoil. Retrieved June 19, 2016, from http://fortune.com/2015/09/23/cyber-security-investing/

^{^[4]} Olenick, D. (2016, June 15). Ponemon puts a $4 million price tag placed on mitigating data breaches. Retrieved June 18, 2016, from http://www.scmagazine.com/ponemon-puts-a-4-million-price-tag-placed-on-mitigating-data-breaches/article/503392/

^{^[5]} Firewall Migrations: Five Ways To Maximise Security Resilience & Availability – Information Security Buzz. (2016, June 09). Retrieved June 18, 2016, from http://www.informationsecuritybuzz.com/articles/firewall-migrations-five-ways-maximise-security-resilience-availability/

^{^[6]}Auchard, E. (2016, June 14). Cybercrime market sells servers for as little as $6 to launch attacks. Retrieved June 18, 2016, from http://www.stltoday.com/business/local/cybercrime-market-sells-servers-for-as-little-as-to-launch/article_fd775f99-3a04-5133-921b-feffeebc7f11.html

^{^[7]} Hoffman, S. (2008, October 28). Corporate Security Policies Found Ineffective. Retrieved June 19, 2016, from http://www.crn.com/news/security/211601180/corporate-security-policies-found-ineffective.htm

The Power of Two-Factor Authentication

By Rob Medley
June 11, 2016

With the news of numerous hacks in the last few weeks, it’s not far-fetched to propose that people are worried. Not only is the individual user concerned about theft of personal information and password databases from the likes of Myspace, LinkedIn, Twitter, and the Office of Personnel Management, but business owners, particularly small business owners, are increasingly becoming the victims of hackers.

While it’s become a joke for large corporations to apologize to consumers, hand out 12 months of nearly worthless identity theft protection, then hide behind a phalanx of lawyers, small business owners do not have that luxury. In a recent survey, the Federation of Small Businesses (FSB) reported that 93% of small business owners have some type of cybersecurity initiatives in place[i]. 93% is a good start. Where it becomes troublesome is that two-thirds of these same businesses surveyed have been victims of cyber-crime in the last two years. Two-thirds! Adding the seven percent that is blissfully unaware of the dangerous online environment surrounding them, that’s seven out of every ten business owners being victimized; the rest are just lucky.

At the heart of what we are talking about is basic security hygiene. There are plenty of simple things netizens and businesses can do, yet choose not to, because they are focused on other things, such as meeting production, revenue and other business goals. The security world is still dealing with easily guessed passwords after 30+ years of telling people not to use them. If you look at the news surrounding the LinkedIn and Twitter hacks, the same supremely weak passwords are still showing up, ‘123456’, ‘password’, ‘Redskins’, etc. Some think they are being smarter than the hacker by using number substitution, e.g. ‘10v3’ instead of ‘Love’. Believe me when I say these are just as weak; common automated hacking programs run these variations by default. Indeed there is no truly secure password, but by combining random alphanumeric and special characters, you’ll increase the time to hack the password – meaning you are no longer the low-hanging fruit. The problem? These complex passwords are no longer easy to remember, so they are written down; totally defeating the purpose of the endeavor.

Enter password managers and two-factor authentication. This rock-star duo can make your life much less complicated. By using a password manager such as Last Pass or Dashlane, you can store and sync all of your passwords online. Highly dangerous you say? Dashlane for example prompts you to create a master password, one that if you forget it, you’ll lose access to your account. Since the company uses very strong encryption, and doesn’t have access to your information, neither do hackers. Why? Often the weak point of business architecture is some procedural vulnerability that allows the hacker to access your hashed or (God forbid) data stored in the clear on the company servers. You can also enable text message authentication via mobile phone or access via a smart key, such as Yubi-key. These secondary authentication measures prove much more difficult to circumvent as you are combining something you know with something you have.

A cautionary note on using your mobile number as a second factor of authentication, please log in or call your service provider and add a pin requirement or text message notification of any attempts to change that account information. If you leave it at just a password, a hacker can gain access to your privacy data (name, date of birth, address, social security number, etc.) from other sources, e.g. LinkedIn, Twitter, Facebook, and hijack your phone number. If successful, a hacker can work around the cell phone as a second form of identity verification.

Hackers are very smart people. I respect their knowledge and dedication. However, they are often able to achieve success because of a lapse in policy, procedure, or basic security hygiene principle on the part of the individual or business. While large corporations can absorb the damage and loss of reputation from a breach, the small business and individual cannot. Paying attention to topics such as governance and policy can help save the business heartache down the road. As a business or even an individual, if you are too busy to focus on these areas, people like me are at your disposal. Reaching out to a consultant that can help you overcome these obstacles can save time, money, and reputation down the road.

Rob Medley operates Policy Assured, LLC – a veteran-owned information assurance company.

[i] Small businesses bearing the brunt of cyber-crime. (2016, June 10). Retrieved June 11, 2016, from http://www.fsb.org.uk/media-centre/latest-news/2016/06/10/small-businesses-bearing-the-brunt-of-cyber-crime

That Was Refreshing! – A New Spin on Cybersecurity Training

By Rob Medley
June 6, 2016

Mention deadlines for completing yearly security awareness Computer Based Training (CBT) and you will undoubtedly get the eye-roll from staff. “It’s boring”, “it’s the same thing every year”, “employees have more important things to do”, and “how about those deadlines” are the excuses you will encounter in attempting to teach security to your organization. Worse, you may run into the invariable excuse that it’s not their job to practice security; rather, it’s your job to protect them. This attitude often leads to an adversarial relationship between IT staff and operations; impacts security, unit cohesiveness and the bottom line.

In 2015, Kaspersky Labs, an antivirus solution vendor, detected 121,262,075[i] malicious threats, e.g. viruses, scripts, exploits, etc. The number in itself, 121 million, is staggering, but let’s put it into perspective – that’s one antivirus vendor. I can think of at least six others off the top of my head, and conducting more research would triple that figure; adjusting for overlapping discoveries by the different vendors. A vast majority of these threats come from phishing and emailed malware (links, documents, or programs). What’s the common thread here? That’s right – people.

So what can we, as IT managers, do to increase success outcomes of our yearly training? How do we prevent the very things that operational staff seems hell-bent on doing? Or are we doomed to failure? Fortunately, there are things that we can do in order to spice up our programs and on-board the requisite knowledge to reluctant learners. Heck, if we do it right we can even make security awareness training fun!

Don’t Throw Out the Bath Water – Add More Bubbles!

First and foremost, our CBT’s can’t be boring or tedious. Ask staff why they roll their eyes at you when you ask if they’ve completed the training, and they’ll say it’s too academic or robotic. If you must use CBT’s, some things you can do to mitigate this apathy are to change the content each year. Don’t have a voice-over, which you can’t disable, reading a slide saying the same thing. Through reading, the brain can process this information much faster. A better choice would be to have that voice-over giving information that is not on the slide. This technique increases the complexity of the teaching, and engages the learner’s multi-tasking capabilities. After all, we’re not first-graders. Next, challenge the learner’s ego by giving them a test-out option at the beginning of each module. Let them know that if they’ve got a firm grasp on the information, they can bypass the module, thereby completing the training faster, and being able to get back to making that sale; or surfing the Net. As a rule, however, make the test-out option hard; you must make sure they really know the information.

Moving beyond the CBT, there is a world of creative ways to excite employees to practice better security hygiene.

Storm the Bastille – Replace the CBT

Have you thought about replacing the CBT altogether? One way of doing this is to have brown bag lunches, out of office lunches and / or coffee dates with groups of employees. This requires the IT training team to become effective facilitators and storytellers. Step one in this approach is to use a scaffolding technique[ii] wherein the facilitator holds an informal talk highlighting the security issues that most impact the organization. He or she then gradually facilitates the other members of the group to share their experiences within the context of the discussion; thereby reinforcing the information, using their experience as a basis to teach[iii], and showing them the respect they deserve as adult learners.

Don’t Be the Boring IT Guy

People hate things that aren’t exciting, and people too. They’ll tune out and move on in their head as to what they’ll eat for lunch or who they’ll meet for Happy Hour. A way to not be boring is to tell stories. Storytelling techniques[iv] are the most effective teaching and learning strategy a person will encounter. Effective storytelling will help your audience categorize and retain the information you are providing, as well as incite them to action. Using humor along with storytelling techniques can help a person retain that information for even longer. Literally, it’s the difference between watching an ‘Austin Powers’ movie and ‘C-Span’.

Here’s a Mountain – Compliments of Management

A powerful motivation tool is to give someone something. If you stimulate their natural competitiveness and desire for free stuff, you can motivate them to learn. A cheap way an organization can do this is by holding monthly security trivia contests – with prizes, such as free movie tickets or a dinner for two. “What?” you say, “Give them something for something they should be doing already?” Sure. If you publish the security topics you wish to stress each month in trivia form, thereby making security an ongoing, relevant topic; and make it worth their while by moving the mountain to them, employees will respond positively to the initiative. In fact, they will look forward to the next month’s topic, maybe even engaging in research on their own, to win those prizes. At the least, $360 a year in free stuff is better than a $60,000 dollar incident clean-up.

No, Really It’s Your Job – How Security Affects Them

You will always have the intractable staff-member who believes it really isn’t in their job description to practice security hygiene. To break through to this employee, it is essential to relate to them how their behavior impacts their performance, their reputation, and the company bottom line. It’s necessary to do this in a way that won’t alienate the employee – as we’ll talk about in the next section – but to appeal to their need to do a good job. Everyone wants to be good at what they do, right? It’s a basic tenet of Maslow’s Hierarchy of Needs[v]. By engaging in security best practices, they fulfill their basic need for a job (proving shelter, food, and stability), their need for belonging to something (the group, their team-mates & co-workers), as well as esteem and self-actualization needs (doing a great job, not costing the company tons of money to fix an incident).

On Trust and Alliances – and Burning Tires

A critical step in the process is to eliminate the perception that non-IT staff are threats, and telegraph that to them. By patronizing staff and reprimanding them when they click on that link or do something otherwise regrettable, we IT staffers must make it known that there won’t be reprisals. The worst thing one can do is to establish a culture of fear in the organization. By doing this, employees will be more reluctant to mention that they made a mistake, or that they noticed something weird when they opened that PDF or Word document. By embracing a forgiving policy, employees are no longer considered part of the threat environment; rather, they are a layer of defense. Of course this attitude requires your IT staff to be on top of their game, which they already should be, in order to investigate and mitigate any reported activity that bears out an actual threat. Think of your security environment like it’s Mogadishu in the early 1990’s, when the Somali warlords used a network of spies to let them know when the Americans were coming to the Bakara Market district[vi] – your users are your spies burning tires in the streets to alert you to malware intrusions.

What have you done besides gaining an ally when you treat users with respect and tolerance? You get employees curious. Curious employees ask questions, asking questions sparks the fires of learning, resulting in deeper engagement[vii]. When you give constructive feedback to a user that fell victim to the phishing email or clicked on that link, you get them asking the questions:

“Why did I make this mistake?”

“What is working well in training and what could be better?”

“What can I do better in the future?”

“How does this mistake impact the team?”

Parting Thoughts

As an IT manager and training staffer, you have to think out of the box. Traditional techniques of conveying security awareness are faltering in the face of increasing malicious activity on the triple ‘W’. Keeping your non-IT staff engaged, proactive, and learning about emerging exploitative techniques and their countermeasures, you directly impact the bottom line of your organization. By selling the C-Suite and investors on your efforts and results, you also improve your rock-star image in the enterprise.

[i] Namestnikov, Y., Ivanov, A., Makrushin, D., Van Der Wiel, J., & Garnaeva, M. (2015, December 15). Kaspersky Security Bulletin 2015. Overall statistics for 2015. Retrieved June 06, 2016, from https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/

[ii] Successful Strategies for Teaching Students with Learning Disabilities. (2013, October 14). Retrieved June 06, 2016, from http://ldaamerica.org/successful-strategies-for-teaching-students-with-learning-disabilities/

[iii] Strang, T. (2014, August 20). Teaching Techniques that Motivate Adult Learners. Retrieved June 06, 2016, from http://blog.cengage.com/teaching-techniques-motivate-adult-learners/

[iv] Franconeri, S., Choy, E., & Buck, M. (2015, October 12). Podcast: The Power of Persuasive Storytelling. Retrieved June 06, 2016, from http://insight.kellogg.northwestern.edu/article/the-power-of-persuasive-storytelling/?utm_source=lal

[v] McLeod, S. (2014). Maslow’s Hierarchy of Needs. Retrieved June 06, 2016, from http://www.simplypsychology.org/maslow.html

[vi] Alexander, P. (2013, October 3). Fallout from Somalia still haunts US policy 20 years later. Retrieved June 06, 2016, from http://www.stripes.com/news/fallout-from-somalia-still-haunts-us-policy-20-years-later-1.244957

[vii] Rose, C. (n.d.). 10 habits of successful learners. Retrieved June 06, 2016, from http://acceleratedlearning.com/ali/10-habits-of-successful-learners/