Welcome to NBlog, the NoticeBored blog

Bright and shiny information security things that catch my beady eye

Aug 23, 2012

IASAP International Association of Security Awareness Professionals

The CSI Security Awareness Peer Group has reformed itself as a non-profit organization after CSI discontinued the group last year.  IASAP (the International Association of Security Awareness Professionals) offers a supportive forum in which security awareness professionals can meet up and share good ideas.  A former CSI manager remains involved in the role of coordinator and meeting facilitator.

IASAP membership is limited to those who are running security awareness programs within their companies: vendors of security awareness, training and related products are supposedly excluded although, paradoxically, PhishMe Inc. is the group's "exclusive founding sponsor" and "corporate sponsorships" are acknowledged as a source of funding on the IASAP website.  

Perhaps as a consequence of the no-vendor policy, annual membership costs $2,500.  Members presumably anticipate recovering at least as much value through networking and sharing ideas and materials with their professional colleagues, primarily through two-day meetings held two or three times a year.

The 'international' part of the title currently appears to mean US and Canada but fair enough, that's a start!  We wish the group well for the future.

Regards,

Aug 21, 2012

Breaking Sod's Law

A news piece about a failure of the 911 emergency phone services during a storm is a valuable security awareness lesson for any organization that relies on a generator-backed UPS to maintain clean, stable power to essential ICT services - meaning practically every large organization and many smaller ones too.

Reading somewhat between the lines, the Fairfax County 911 ICT services depended on a UPS, the batteries in which were supposed to be kept fully charged by two generators in case the mains power failed.  One of the generators worked fine but the other evidently failed to auto-start.  Insufficient capacity in the one running generator meant that the UPS batteries gradually ran down over a few hours until eventually the UPS ran out of juice, the lights went out and the 911 ICT services failed.

Moments after the initial power cut, the technician(s) on site were probably relieved that the change-over from mains input to generator input had gone smoothly, and the ICT services carried on running normally.  It is a stressful event.  However, it seems they relaxed too much or perhaps lacked the information to realize that the second generator was not working, and hence that the UPS batteries were gradually discharging.

Speaking from personal experience as a former ICT manager, 'running on UPS' is an unusual situation that requires unusual activities.  Whenever the sites I managed experienced power cuts during the normal working day, I relied on the site maintenance people - our wizzards - to ensure that the electrical equipment was working correctly, leaving me to worry about the peripheral ICT equipment and services that may not be on UPS, for example, figuring out which bits of kit had failed or might fail soon, and which parts of the business might be affected.  When power cuts happened out-of-hours, there was generally less pressure since the business was relatively quiet but at the same time the wizzards were often unavailable, so I've been faced with unfamiliar blinkenlights and contingency situations, leaving me little choice but to muddle through and hope for the best.

Thankfully that haphazard, high-risk approach was good enough at the time but would be quite inappropriate for a critical 24x7 operation ... such as the ICT supporting 911 emergency services to nearly 2.3 million people ...

Verizon had tested (and presumably passed!) the standby power system just three days before the storm - so why did it go wrong on the big day?  According to the Washington Post article, "At the Arlington site, the routine and limited testing had not checked whether a generator could carry a full power load in an emergency".  Oops.  The Post doesn't say why Verizon's testing was limited, but these are the kinds of reasons (justifications or excuses?) I have come across in the course of hundreds of IT installation audits elsewhere:
  • "Since the power system was professionally designed and thoroughly tested when it was installed, routine testing is unnecessary" [wrong!  Loading changes, equipment wears out, batteries lose their capacity ...];
  • "It was tested 2 or 3 years ago" [see above - and in this particular case, it turned out the previous testing was so limited as to be pathetically inadequate];
  • "Full testing is too costly" [unanticipated power incidents can be far costlier];
  • "Limited/offline testing is sufficient" [it's useful for some but not all checks, and could even be counterproductive since lightly-loaded generators may accumulate partially-burnt fuel];
  • "The power fails every few weeks and whenever it does, the backup power has worked fine - so there's no point in testing it" [testing is an opportunity to check things more thoroughly and if appropriate push things to the limit e.g. simulating extended power outages on full load];
  • "We follow the equipment suppliers' recommendations" [strangely enough, when I trotted out the predictable line "Show me", nobody could lay their hands on the mythical guidance documents];
  • "Full testing is too risky so we only do very limited testing out of hours" [a scary response: management was clearly afraid their critical backup systems would fail the tests, meaning they lacked the necessary assurance to be confident they would work when actually needed for real, meaning significant business risks were not being properly treated].
Aside from the obvious stuff such as excellent power engineering, automated failovers, over-capacity, proper equipment maintenance, procedures and full on-load testing, there are other ways of reducing unacceptable power risks:
  • More than barely adequate funding, in other words treating the complete power system as a vital infrastructure investment; 
  • Proper instrumentation, allowing power supplies and loads to be monitored continuously and projected accurately in relation to power system capacity, with suitable alarms and alerts triggering response procedures when the readings head into the amber (don't wait for them to go red - or worse still go out altogether!).  Adequate voltage, current and power metering is hardly rocket-surgery, while temperature monitoring (including the use of thermography) can tell an experienced power engineer a lot about the state of the plant and switchgear;
  • Independent power system audits by competent, experienced assessors;
  • Productive working relationships between the facilities people, IT people, site and information security people, power people and business people, including the suppliers of specialist UPS, generator and other equipment and, of course, the lines companies and power suppliers.
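
The instrumentation point above, and the Fairfax failure sequence described earlier, can be made concrete.  What follows is an added example, not code from the original post nor anything belonging to Verizon or Fairfax County: it takes a series of power readings, projects how long the UPS batteries will last at the current net discharge rate, and raises an amber alert as soon as the generators are not carrying the load - hours before the red runtime threshold.  The thresholds, the 80% generator margin and the readings themselves are all assumptions.

```python
"""Projected-runtime check for a generator-backed UPS.

Added example, not code from the original post or from Verizon/Fairfax County.
It models the scenario described above: mains lost, one of two generators not
running, UPS load exceeding generator output, batteries draining for hours.
The readings below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RED_MINUTES = 60.0   # assumed threshold: projected runtime below this is "red"
GEN_MARGIN = 0.8     # assumed: generator output below 80% of expected = shortfall


@dataclass
class Reading:
    minute: int            # minutes since the mains failed
    gen_kw: float          # generator output feeding the UPS (kW)
    load_kw: float         # UPS output load (kW)
    battery_kwh: float     # usable energy left in the battery string (kWh)


@dataclass
class Alert:
    level: str                     # "ok", "amber" or "red"
    net_kw: float                  # battery discharge rate; positive = draining
    minutes_left: Optional[float]  # projected time to empty, None if not draining
    reason: str


def assess(r: Reading, rated_gen_kw: float, n_generators: int) -> Alert:
    """Classify one reading against what the standby plant should deliver."""
    expected_kw = rated_gen_kw * n_generators
    net_kw = r.load_kw - r.gen_kw
    shortfall = r.gen_kw < GEN_MARGIN * expected_kw
    if net_kw > 0:
        # Batteries are covering the gap: project time to empty at this rate.
        minutes_left = r.battery_kwh / net_kw * 60.0
        if minutes_left < RED_MINUTES:
            return Alert("red", net_kw, minutes_left,
                         f"UPS draining at {net_kw:.1f} kW, ~{minutes_left:.0f} min left")
        return Alert("amber", net_kw, minutes_left,
                     f"generators cannot carry load; UPS draining at {net_kw:.1f} kW, "
                     f"~{minutes_left:.0f} min left")
    if shortfall:
        # Load is covered, but a generator is missing: redundancy has been lost.
        return Alert("amber", net_kw, None,
                     f"generator output {r.gen_kw:.1f} kW below {GEN_MARGIN:.0%} of "
                     f"expected {expected_kw:.1f} kW; redundancy lost")
    return Alert("ok", net_kw, None, "generators carrying load, batteries charging")


def first_at_level(readings: List[Reading], level: str,
                   rated_gen_kw: float, n_generators: int) -> Optional[Tuple[int, Alert]]:
    """Return the first reading (minute, alert) that reaches the given level."""
    for r in readings:
        a = assess(r, rated_gen_kw, n_generators)
        if a.level == level:
            return r.minute, a
    return None


# Constructed sample: 40 kW load, two 50 kW generators, only one running and
# managing 30 kW, 60 kWh of battery. Readings every 30 minutes.
SAMPLE_READINGS = [Reading(30 * k, 30.0, 40.0, 60.0 - 5.0 * k) for k in range(13)]

if __name__ == "__main__":
    for r in SAMPLE_READINGS:
        a = assess(r, rated_gen_kw=50.0, n_generators=2)
        print(f"t+{r.minute:3d} min  {a.level:5s}  {a.reason}")
```

Run against the sample, the very first reading after the mains fail is already amber (one generator short, batteries draining), and red is reached at t+330 min, half an hour before the batteries are flat.  The point of the amber level is that a response procedure starts while there are still hours of runtime to act in, rather than when the lights go out.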
Backups and contingency arrangements are needed because of Sod's Law or Murphy's Law.  Trouble is, backups and contingency arrangements are subject to exactly the same laws (remember how the tsunami flooded the emergency backup generators at Fukushima?).  And so are the tests, by the way.  The trick is to do whatever it takes to make sure the systems will pass their tests with flying colors and have solid contingency plans just in case they don't.

Regards,

Aug 13, 2012

Social media naivete

Users of social media sites such as Twitter and Facebook don't always appreciate how much information they are giving away as they naively post updates.  For example, this site figures out where you live from the GPS info you send to Twitter from your Android system, looking up the latitude and longitude on Google Street View, while this site simply filters Facebook updates for potentially incriminating or embarrassing information.

Using social media Application Programming Interfaces to query their public message databases is much the same in principle as using Google to find sensitive stuff published inadvertently on the Web.  Once information is published, it is there for people to use.
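
As an added example of the kind of inference the first site performs - not the site's own code, nor anything from the original post - the script below assumes the tweet JSON that Twitter's REST API returned at the time, with a GeoJSON Point giving [longitude, latitude] and a created_at string.  It buckets each geotagged tweet into a roughly 100 m grid cell, weights posts made in the small hours more heavily on the assumption that those are sent from home, and reports the most likely home cell.  The tweets, the night-time window and the weighting are all constructed assumptions.

```python
"""Infer a probable home location from geotagged tweets.

Added example, not the code behind the site mentioned above. It assumes the
tweet JSON shape returned by Twitter's REST API at the time: a "coordinates"
GeoJSON Point holding [longitude, latitude] and a "created_at" string.
"""
import json
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Optional

CREATED_AT_FMT = "%a %b %d %H:%M:%S %z %Y"            # e.g. "Tue Aug 07 10:45:00 +0000 2012"
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))   # assumed: 22:00-05:59 local = posted from home
NIGHT_WEIGHT = 3                                      # assumed: a night post counts 3x a day post

# Constructed sample (not real tweets): an Auckland account posting from work by
# day, from home at night, once from a cafe, and once with geotagging off.
SAMPLE_TWEETS = json.dumps([
    {"id": 1, "created_at": "Mon Aug 06 20:10:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7633, -36.8484]}},
    {"id": 2, "created_at": "Tue Aug 07 00:30:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7633, -36.8484]}},
    {"id": 3, "created_at": "Tue Aug 07 10:45:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7447, -36.8812]}},
    {"id": 4, "created_at": "Wed Aug 08 11:05:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7448, -36.8811]}},
    {"id": 5, "created_at": "Thu Aug 09 03:00:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7633, -36.8484]}},
    {"id": 6, "created_at": "Fri Aug 10 04:00:00 +0000 2012", "coordinates": None},
    {"id": 7, "created_at": "Sat Aug 11 06:00:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7601, -36.8602]}},
    {"id": 8, "created_at": "Sun Aug 12 17:30:00 +0000 2012",
     "coordinates": {"type": "Point", "coordinates": [174.7447, -36.8812]}},
])


def tweet_cell(tweet: Dict, precision: int = 3) -> Optional[str]:
    """Map a tweet's GeoJSON point to a grid cell (3 decimals ~ 100 m), or None."""
    geo = tweet.get("coordinates")
    if not geo or geo.get("type") != "Point":
        return None
    lon, lat = geo["coordinates"]            # GeoJSON order is [longitude, latitude]
    return f"{lat:.{precision}f},{lon:.{precision}f}"


def local_hour(created_at: str, utc_offset_hours: float) -> int:
    """Hour of day at the user's assumed local UTC offset."""
    posted = datetime.strptime(created_at, CREATED_AT_FMT)
    return (posted + timedelta(hours=utc_offset_hours)).hour


def infer_home(raw_json: str, utc_offset_hours: float) -> Dict:
    """Score grid cells by weighted post count and return the top one."""
    tweets = json.loads(raw_json)
    weights: Counter = Counter()
    geotagged = 0
    for t in tweets:
        cell = tweet_cell(t)
        if cell is None:
            continue
        geotagged += 1
        at_night = local_hour(t["created_at"], utc_offset_hours) in NIGHT_HOURS
        weights[cell] += NIGHT_WEIGHT if at_night else 1
    if not weights:
        return {"total": len(tweets), "geotagged": 0, "home": None, "score": 0, "share": 0.0}
    home, score = weights.most_common(1)[0]
    return {"total": len(tweets), "geotagged": geotagged, "home": home,
            "score": score, "share": score / sum(weights.values())}


if __name__ == "__main__":
    # New Zealand Standard Time is UTC+12, an assumption about this sample account.
    print(infer_home(SAMPLE_TWEETS, utc_offset_hours=12))
```

Eight tweets, one of them untagged, are enough to single out one cell with about 70% of the weighted score; the daytime cell would be the workplace.  The two home-cell points differ in their fourth decimal and still land in the same cell, which is why rounding rather than exact matching is used.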

Regards,

Aug 10, 2012

Awareness lessons from Wal Mart


This year's social engineering 'capture the flag' competition at the DefCon hackers' conference was won by a contestant who socially engineers his clients' employees for a living.  In the course of a 20 minute phone call, he successfully fooled an unsuspecting Wal Mart employee into revealing potentially sensitive and valuable information, even persuading him to visit a (potentially infectious) website to 'complete a survey'.  Read more about the con here.

The con was cool in the sense that, live on stage, the contestant collected all the flags on his task list, but uncool in the sense that the attack was relatively straightforward and entirely benign, within the strict rules of the competition.  I've read about many similar attacks in books such as The Art of Deception, The Art of Intrusion and Ghost in the Wires by Kevin Mitnick, and Spies Among Us by Ira Winkler.  In No Tech Hacking, Johnny Long writes at length about the ability to research potential targets and identify vulnerabilities, while David Lacey discusses the psychological flaws that open up vulnerabilities in his Human Factor book.  This is not rocket surgery :-)

The troubling part is that actual real-world social engineers are far from benign, and don't follow the rules - in fact, they consciously eschew the rules and take advantage of not always making the anticipated approaches, gaining a significant advantage from being innovative as well as ballsy.  Social engineering is merely one tool in their toolboxes.

As to what Wal Mart might actually do to mitigate the risk of its customer services and other employees being socially engineered for real, reading Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program would be a great start - but don't get me wrong, a 'training session' for employees is certainly not going to make them immune to such attacks, while even a NoticeBored-style rolling/continuous security awareness program is not the Ultimate Solution either.

To claim otherwise is as ridiculous as a technical security consultant recently claiming that security awareness is a waste of money since incidents such as this still occur, and hence we must put all our faith - and $$$$ - into technical security controls.  As we say in NZ, "Yeh, right".  Of course you can throw big money down the drain by doing awareness incompetently and badly, in exactly the same way as you can chuck money at unsuitable technical security controls, or neglect to train people in how to install, use, manage and maintain them properly (which, by the way, is itself a form of security awareness).


Social engineering is one of our most popular and important awareness topics, one that we revise, update and reissue annually.  You can be sure that the Wal Mart incident will be mentioned in the NoticeBored materials this December, delivering the module in good time for the Thanksgiving/Christmas/New Year holiday season when social engineering attacks are rife.  You can be sure because earlier DefCon Capture The Flag social engineering competitions were featured along with various other social engineering incidents in previous NoticeBored materials.  The competition remains a golden opportunity in awareness terms, for those organizations that are far-sighted enough to appreciate its significance to them.

What's more, social engineering is just one of the 40+ awareness topics we cover, and in fact it gets a mention in some form in almost every other module, a practice known professionally as "reinforcement".  The idea is to remind people about various threats throughout the year rather than relying solely on a single awareness/training event.  The same thing applies to other commonplace security issues such as malware: a once-a-year malware focus is woefully inadequate to maintain a sufficient level of awareness.  I completely understand that those organizations who are still stuck in the Dark Ages, believing that an annual lecture to the troops on (usually just IT) security is sufficient, are less than impressed at security awareness.  That may be enough to comply with various badly-written laws and regulations, but it's way short of good practice in this area.

And, by the way, compliance is another of those 40+ topics we cover!


That said, although we know how to do security awareness well, we also know it's never a perfect control.  We also emphasize the value of other forms of control therefore, ranging from security governance, risk management, policy, business continuity and other strategic security stuff for management to technical security stuff for the IT professionals.  Managers and teccies also benefit from security awareness, whereas only addressing "end users" (which is itself a demeaning or belittling term for PEOPLE) is definitely missing a trick.  No wonder those old-fashioned "annual security training sessions" give awareness a bad name: they are almost guaranteed to fail.

If, at the end of the day, year-round information security awareness programs based on NoticeBored are sufficient to make the hackers, crackers, social engineers, industrial spies, identity thieves, organized criminals and security services go elsewhere for easier/softer targets, our customers are happy and our job is done - although naturally we're always hopeful of signing up the likes of Wal Mart and other victims who - finally - appreciate that they could do with some professional help.  

Regards,
Gary (Gary@isect.com)

Aug 2, 2012

'orrible outsiders


Our security awareness materials this month concern myriad threats coming from outside the organization.  "'orrible outsiders" was an interesting awareness module to research and write since, although we have covered most if not all of the threats previously, this was the first time we had specifically looked into the full spectrum of external threats as a whole.

There appears to be a growing consensus in the information security community that external threats are not just more numerous than internal threats (which has long been recognized), but some of them are even more dangerous (which is relatively new).  I'm talking here not just about APTs (Advanced Persistent Threats - sophisticated, persistent, malware-driven intrusions), but about blended attacks in general using combinations of attack vectors, such as malicious website + email + malware + social engineering + strong encryption + physical penetration.  Such attacks succeed by peeling back the onion layers of the classical defense-in-depth approach, reminding us - yet again - that in security, standing still means falling behind.

I remain convinced of the value of blended defense, in other words combining complementary and overlapping controls rather than putting one's faith entirely into one particular form of control (e.g. "technology", for one highly topical example!).  Being an information security awareness guy, it's obvious that I favor security awareness and training, but perhaps it's less obvious that I also believe passionately that we need technical controls such as firewalls and antivirus, plus compliance controls such as enforcement, and governance controls such as security strategies, plus ... well ... plus any other form of control that has some actual, provably beneficial effect on security.  

Personally I draw the line at Neuro Linguistic Programming but, hey, if you want to stick some magic crystals on top of your authentication server, be my guest.  Cross your fingers.  Touch wood.  

Be lucky,