Vulnerabilities / Threats
5/5/2014
12:10 PM

Dress Like A Gnome: 6 Security Training Essentials

Offer home security clinics, make security messages fit for Twitter, and don't be afraid to dress up, say Infosecurity Europe presenters.

LONDON -- Infosecurity Europe 2014 -- System security is getting better, so attackers are going after a softer target -- people.

Security awareness was a key theme at the Infosecurity conference last week, as speakers and other experts offered their views on how to improve training and education programs.

"What's happened over the last 10 years is the operating system that the adversary is going after has really changed," Eric Cole, chief scientist at Secure Anchor Consulting and a SANS Institute instructor, said Thursday during his induction ceremony into the Infosecurity Europe Hall Of Fame. "If you put enough energy and effort in, you can secure those operating systems -- lock them down, turn off services, patch them -- and we've done a good job of that.

"Now, what operating system is the adversary targeting?" he said. "It's very hard to secure... and hard to patch."

That predicament has led some information security experts, such as Bruce Schneier, to propose more drastic measures, arguing that security training simply isn't salient for nonsecurity experts, because they won't ever really learn. From a big-picture standpoint, furthermore, Schneier has argued that, if engineers designed their software better, people wouldn't have to learn.

Until that happens, information security professionals are left with a triage situation, as many speakers at last week's conference readily acknowledged. To help, they offered the following six strategies:

1. Seek Twitter-like brevity.
Participants from both sides of the pond agreed that attempting to educate users, and to keep them extra vigilant about the types of social engineering attacks that continue to compromise so many organizations, remains challenging. For starters, Andy Jones, CISO of the global container company Maersk Line, said during a panel discussion that effective security messages must find ways to be both direct and brief. "I want my message [to be relayed] in 140 characters. I want a Twitter-type awareness."

2. Unleash the gnomes.
One creative -- and reportedly successful -- user-education approach practiced by Lee Barney, head of information security for Home Retail Group, a leading UK home and merchandising retailer, has been to dress up his information security staffers as gnomes.

Barney said these security gnomes are then placed at strategic locations around the office and used to deliver this line: "Hi, we're from security, talk to us." Cue a training opportunity -- for example, how to spot and avoid phishing attacks. After trying this approach, Barney said, his company launched a fake phishing attack spot test, and no one fell for it. "We had a 100% success rate," he said. "Not right away, but a few weeks later."

(Source: InfoSecurity Europe 2014)

3. Offer drop-in home security clinics.
On the user-education front, Michael Colao, head of security for the investment firm AXA UK, recommended during a panel discussion that information security departments hold regular sessions for employees to pose personal information security questions, such as those pertaining to home security or "parental controls that your 12-year-old can't get past in four minutes."

The bigger benefit, he said, is that this type of computer security transfers to people's day jobs. "If you are talking about the steps you have to take to protect your home computer, it's weird, but it's actually quite similar to the steps you have to take to protect your work computer."

4. Play big brother to developers.
Security training can also be supplied to in-house IT staff, of course. For example, it can help developers write more secure code. According to research recently conducted by White Hat, however, inside organizations that emphasized secure coding practices, training alone didn't result in web application developers writing more secure code. Developers needed to know that their managers would also be reviewing the code they wrote, White Hat founder and interim CEO Jeremiah Grossman said in an interview at the conference.

"It came down to accountability. If the developers were accountable for the code they wrote, then they'd get something out of training," he said.

5. Rethink business questions.
Per Schneier's comment, the best approach to security awareness and training is to design security systems that don't require users to think about security. To help make that happen, AXA UK's Colao said, information security teams must take security-related requests from the business side of the house and then extrapolate the question the business would have asked if it had been staffed by security experts.

For example, at an investment bank for which he used to provide security, and which had a small number of customers, the business team asked the security group what password policies it should use to allow partners to log into the investment bank's systems. Taking a step back, Colao said, his group proposed and then implemented a system based on digital certificates.

What was the benefit? "I went once to one of our partners, and there on the wall were all of the main investment banks, and the company's passwords [for logging on to each one], except for ours, because they had a certificate instead," he said. "But if we'd answered the question that the business had originally asked... we would never have gotten there."

6. Lock down Office.
The reality today is that the security of so many systems still succeeds or fails based on user decisions, and users won't always make the right decision. As a result, businesses must look beyond training as a be-all and end-all, said Infosecurity Europe inductee Cole. "We have to do a better job of not allowing the adversary attack effort to make it directly to the person," for example by blocking today's four most prevalent phishing attack strategies: "executable attacks sent to emails, macros in Office documents, active scripting, and HTML content" in emails.

Thankfully, blocking those types of attacks doesn't mean preventing users from employing email or Microsoft Office altogether. Rather, it involves excising specific types of high-risk functionality. "How many of you need that asset from the Internet in order to run your organization?" he asked, referring to the four types of functionality noted above. "It's typically 1%. So if 1% of us need that, and that's the main vector that adversaries are targeting, then why aren't we shutting it down?"
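Cole's point is that the four content types are rarely needed and easy to recognize, so a gateway can strip or quarantine them before a user ever has to decide. The following is an added example, not code from the article or from any product Cole mentioned: a minimal mail-gateway policy check that walks a message's MIME parts and flags executable attachments, script attachments, Office documents that carry macros (including a `.docx` whose zip container hides a `vbaProject.bin`), and HTML mail bodies. The file names, MIME types and the sample message are constructed for illustration; the extension lists are assumptions a real deployment would tune.

```python
"""
Added example (not from the article): flag the four email content types Cole
names -- executables, Office macros, active script, HTML -- per MIME part.
All names, types and the sample message are constructed for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed extension lists; a real gateway would maintain these centrally.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".cpl"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
MACRO_ENABLED_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt"}   # binary formats: cannot inspect cheaply, treat as suspect
OOXML_EXTS = {".docx", ".xlsx", ".pptx"}


def _ext(name):
    """Lower-cased extension of a file name, or '' when there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; VBA code is stored in a vbaProject.bin member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_part(filename, content_type, payload: bytes):
    """Return the blocked category for one MIME part, or None if it is allowed."""
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS or content_type in ("application/x-msdownload", "application/x-dosexec"):
        return "executable"
    if ext in SCRIPT_EXTS:
        return "active-script"
    if ext in MACRO_ENABLED_EXTS or ext in LEGACY_OFFICE_EXTS:
        return "office-macro"
    if ext in OOXML_EXTS and ooxml_has_macros(payload):
        return "office-macro"          # macro project hiding behind a plain extension
    if content_type == "text/html":
        return "html"
    return None


def inspect_message(raw: bytes):
    """Return [(part name or content type, category)] for every flagged part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        category = classify_part(part.get_filename(), part.get_content_type(), payload)
        if category:
            findings.append((part.get_filename() or part.get_content_type(), category))
    return findings


def _fake_macro_docx() -> bytes:
    """Constructed stand-in for a .docx that contains a VBA project (no real code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message: plain + HTML body, macro .docx, .js script, harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative("<p>Please see the <b>attached</b> invoice.</p>", subtype="html")
    msg.add_attachment(_fake_macro_docx(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="javascript", filename="view.js")
    msg.add_attachment(b"Thanks", maintype="text", subtype="plain", filename="note.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, category in inspect_message(build_sample_message()):
        print(f"quarantine: {name} ({category})")
```

The check is deliberately conservative in one direction: a `.docx` is only flagged when its zip actually contains a VBA project, so ordinary documents still flow, while the legacy binary formats are flagged outright because inspecting them cheaply is not possible. The plain-text `.txt` attachment in the sample passes, which is the behaviour Cole is after: remove the 1% of functionality adversaries target, not email itself.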

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
Marilyn Cohodas, User Rank: Strategist
5/6/2014 | 12:14:11 PM
Re: Dress like a Gnome
Ed, speaking as a user that is relatively attuned to InfoSec issues, I couldn't agree with you more about the importance of technical controls to enforce good security hygiene. I want to do the right thing, but so often the demands of the day-to-day lead to the path of less resistance (bad behavior)...
Ed Moyle, User Rank: Apprentice
5/6/2014 | 9:37:36 AM
Re: Dress like a Gnome
Security training is hard to pull off well generally.  Even when done well and using creative approaches as this article describes, the economics of it are challenging.  There are two reasons for this: attrition and human nature.  To keep pace with attrition, training needs to be done over and over and over and periodically refreshed in new and creative ways.  Plus, human nature is contrary to what we want.  People want to be helpful to each other - in fact, I'd argue (as many behavioral scientists believe) that helpfulness is "hardwired in" as a trait required for the human species to survive (think for example about what helping others means for a hunter/gatherer society - Dawkins has an excellent discussion of this in the Selfish Gene).  

Anyway, point is... In general, my preference has always been to try to find technical controls that enforce the right behavior (even if doing so requires recouping some of the costs from the training budget).  For example, rather than training helpdesk staff not to give out passwords, modify the system so they don't know it in the first place - rather than training people not to send out personal information, change the process/system so they can't.  I'm not saying "don't train", I'm just saying minimize the surface area - a technical control is almost always less expensive long term since it's a one-time investment vs. ongoing cost.  It also tends to work better since you're not fighting against human nature.  

Anyway, just food for thought and my humble two cents.  
Randy Naramore, User Rank: Ninja
5/5/2014 | 3:07:24 PM
Re: Dress like a Gnome
Maybe you are correct but it is a good thought.
Robert McDougal, User Rank: Ninja
5/5/2014 | 2:48:12 PM
Re: Dress like a Gnome
You are exactly right Randy!  People, for better or worse, have a vulnerability that cannot be patched.  All people want to be helpful to other people.  Social engineers use this fact to get people to do what they want to do.

Additionally, if a social engineer can display an air of authority and sound like he knows the subject matter he is talking about, most people will not question him or her.  

The sad truth is awareness is extremely important but, we will never be able to secure the human completely.
Randy Naramore, User Rank: Ninja
5/5/2014 | 12:59:35 PM
Dress like a Gnome
People have always been the easier target for hackers: they have emotion, can be reasoned with, and can be breached more easily than Windows (believe it or not).