Welcome to the SecAware blog

I spy with my beady eye ...

28 Feb 2017

28 days of awareness: day 27

We're on the home straight now.  All the writing is done and dusted, proof-read and polished to a gleam. The poster images are winging their way to us through the Internet.

The website is being revised with an updated home and 'this month' pages describing the ransomwareness module.  We'll take the opportunity to quote Professor Angela Sasse, professor of human-centred technology and director of the UK Research Institute in the Science of Cyber Security at University College, University of London. Angela's comments at a European meeting resonated with me, in particular:
“In most organizations today, awareness training is just background noise. This stuff is being pushed at people but it's going past them. They are not engaging with it and not changing as a result.”

Agreed, engaging the audience is crucial, Angela, but how?  Several engagement techniques are employed in the NoticeBored ransomware materials:
  • Rather than attempt to cover everything at once, we've focused on a specific topic: ransomware is a real and present danger, a genuine business concern right now
  • Next month's topic will be something different: even if ransomware is not exactly gripping, perhaps the next topic will be, or the next ...
  • We've found interesting angles to put across (e.g. using IoT things either as hostages or as platforms for further mischief), hoping to catch the eyes of our audiences 
  • The manner in which we express stuff reflects the distinct needs of different audiences e.g. the basics for a general audience vs. higher-level strategy, governance, policy and metrics for the management audience vs. more detailed and technical content for professionals
  • The materials address the key question "What's in it for me?" both at a personal level and as integral parts of both the corporation and of society at large
  • The variety and style of content supplied is designed to suit different learning preferences, for example some people prefer images and concepts, some prefer to read the written word, some like to be told or shown stuff, some like to chat about things, some just wanna have fun ... 
  • The volume of content varies also according to the audience e.g. busy senior managers typically prefer a more succinct and direct style, with the option to explore further if they choose to do so
  • We're encouraging people from all parts and levels within the organization to interact on this one topic, socializing information security
  • The content mixes factual, advisory and motivational stuff, giving people the knowledge and impetus to think and hopefully act more securely while avoiding the desperately lame "Do X" by laying out reasons and options
  • The awareness materials are polished and professional, of the highest quality, designed as a coherent and consistent set that complement each other both within each module and across successive modules (e.g. we will surely mention malware again this year, and we will be looking for opportunities to bring up ransomware and IoT as a reminder of the March module).
'Engagement techniques' are a valuable part of the train-the-trainer guide in every module. Aside from the basics of the scope and purpose of the module, an outline of the content and how we envisage it being customized and used etc., we also provide a set of Hinson tips each month.  The intention is to help customers up their game in security awareness, giving them creative ideas to make their awareness activities and programs even more effective.  Here are a couple of tips from this module:
Drive up reporting of incidents, near-misses and concerns by making a concerted effort to thank or reward anyone who reports actual or suspected malware etc.  Word will soon spread!  Work closely with the Help Desk, IT and HR on this.  Be generous to those who followed the correct procedures and helped avert potentially serious incidents.  Weave reported issues into your awareness program, openly acknowledging those who reported them.

Aside from the ransomware metric described in the metrics paper this month, stark statistics about the prevalence of ransomware and malware can help put such matters on the agenda – within reason.  It’s easy to default to an excessively sensationalist style that portrays everything in information security as a massive problem whereas, in reality, controls are strong enough on the whole to keep things in check.  On the other hand, strong security may reduce the number and severity of incidents to the point that people (quite rightly!) start to question whether the organization is over-investing in this area and has become so risk-averse that the business is being unduly constrained.  Aim for a careful balance.  Surveys, infographics and other published statistics and commentaries can be used to reinforce the point that the threats are real and that other similar organizations are suffering costly and disruptive incidents, even if we are not.
OK, enough for now. I need to get on. The end of month deadline is starting to make that whooshing noise like an approaching steam train.


27 Feb 2017

28 days of awareness: day 26

The last-minute idea of using IoT ransomware as a unifying theme across all three awareness streams has worked out nicely.  

Most geeks being gadget freaks, we can easily set the IT and other professionals thinking and talking about the technical side of ransomware on things: taking control of them and holding them to ransom is challenging given their limited capabilities (the things I mean, not the pros!) but on the other hand all those insecure devices littering the network are, potentially, myriad network traffic monitors and launch-pads for attacks on other networked systems. Securing them is also technically challenging, to say the least. It doesn't take much to raise the topic and let the geeks' fertile imaginations elaborate.  Job done.

For managers, ransomware taking over industrial plant and machine tools, robots, vehicles and so forth is a scary thought, given their business-, safety- and environmental-criticality. The high stakes, and hence their financial value in a 'holding the business hostage' scenario, make the lack of security of IIoT things a significant and potentially strategic concern, all the more so given that ransomware is but one of many threats. It requires a bit more effort to explain the issue - succinctly - to managers, requiring more than just a vague hint about the risks.  

For workers in general, the possibility of ransomware attacks on home automation systems and smart devices (including coffee machines, medical things and children's toys) takes the edge off IoT somewhat. While the high-tech gadget factor is the awareness hook that we hope will catch their attention for starters, when their managers and professional contacts mention the IIoT and technology angles too, they will (hopefully!) think twice about splashing out on all those oh-so-alluring shiny red IoT gizmos. 

IoT and IIoT security is a fascinating multi-faceted topic for security awareness purposes. As with the ransomware module, we bring it up from time to time. We're now thinking about focusing in more depth on IoT security awareness, perhaps this June. A lot has changed since the NoticeBored module on this topic was released way back in September 2015 (is it really less than two years ago? Golly!).

Anyway, right now our focus is on completing the ransomware module. The writing is done apart from the newsletter and the poster images, both of which are in prep so the checklist is thoroughly ticked:

Deborah now has a day or so to proofread the materials, while I ready the NoticeBored website to show-off the new module.

It would be ironic for us to be struck by ransomware right now with the imminent deadline, so as you might expect we are on high alert, making offline backups on a frequent basis. Yes, we eat our own dogfood.


26 Feb 2017

28 days of awareness: day 25

We're plummeting towards the end of month deadline, hence working this weekend to complete the remaining writing in time for the awareness materials to be proof-read and packaged for delivery.

The professionals' awareness materials are usually the last to be finished, partly because they include the newsletter that picks up on news items right up to the point of delivery. Another reason is that I'm a self-confessed geek with an IT background, hence the materials in this stream are easier to write - so much so that if I started with them I would probably not leave enough time and energy for the other two streams. 

Having written those other materials first, I now have a reasonable picture of the topic area as a whole, including the wider personal, business and societal context. I have come up with a few angles I want to bring up and delve more deeply into for the professionals, most obviously the technologies associated with ransomware and the cybersecurity controls. However, I'm conscious (relieved in fact!) that we're providing an awareness service, not deep technical training. As with the other streams, our central aim is to inform, intrigue and motivate the audience. Catching their attention with interesting, topical, sexy stuff is the first and arguably most important challenge. We'll give them a few pointers and hyperlinks to set them browsing and Googling, but that's enough. If the awareness materials fail to inspire - if the seminars, briefings and notices are well-intentioned but boring - nothing else matters really. We might as well have not bothered at all.


25 Feb 2017

28 days of awareness: day 24

As the three awareness streams start to trickle and then flow, we are creating opportunities to bring staff, managers and professionals 'onto the same page'. 

From the outset, NoticeBored was designed to provide relevant information and guidance to educate and motivate those three key audiences in terms and formats that work for them and to encourage them to interact with each other around the monthly topic. 

Although we talk about the 'three parallel streams of content', they all cover the same topic and we expect the streams to converge in practice. The informal social aspect is an extremely valuable part of an effective security awareness program. It lifts the awareness content from the paper into the corporation at large, influencing the culture through casual chat, repetition and endorsement. 

Today we wrote the management and executive awareness briefings on ransomware, completing the management stream too. Both briefings take a management perspective, highlighting the business impacts of ransomware attacks and describing at a fairly high level security controls to address the information risks. Strategies, policies, compliance activities, metrics and governance are the management concerns we discuss in relation to ransomware.

Tomorrow we press on with the professionals' stream. Some rather inane comments from a panel discussion at the RSA conference about ransomware taking over smart door locks and thermostats remind me to bring up the ransomware threat to the Industrial Internet of Things - things controlling industrial machinery and processes, in power stations, chemical plants, factories, distribution warehouses, industrial labs and, I guess, missile silos - safety- and business-critical things, some of which may be part of the critical infrastructure. Compared to the level of expertise hackers would need to meddle sensibly with the settings on, say, an electrical generator, a smart valve on a high pressure oil pipeline, or a fly-by-wire plane, simply locking up the whole control system would have an equally galvanizing effect on the companies and individuals responsible. Whether their aim is to make a few Bitcoins or bring down the infrastructure, it's a sobering thought for the geeks busily smartening up everything in sight. Maybe we should mock-up another ransomware demand in the style of a glass cockpit panel displaying something along the lines of "Pay up to land safely". Makes you think, eh?

Actually, that comment also reminds me that we need to review the staff and management materials too before the module is completed, making sure all three streams remain aligned. The possibility of ransomware attacks on things has relevance and interest to all three audiences, meaning that it might just spark those casual information risk and security conversations that we strive to achieve through the awareness program. Writing the module is an iterative as well as a creative process ... and we have just 4 days left before March.  

Gary (Gary@isect.com)

PS Talking of streams, we've been in drought. The long hot NZ summer came to an end about 2 weeks ago with barely enough rain to start refilling the aquifers beneath us. We and our animals rely on spring water pumped up to the tanks with an ancient Lister diesel powered pump, the chug-chug-chug being one of the characteristic sounds of rural New Zealand. The drought reduced the spring flows to the point that the neighboring farm ran dry for a while.  We scraped through this year and reconsidered our critical infrastructure. No smart things here, I'm relieved to say: our lovely old Lister is dumb-as and built to last.

24 Feb 2017

28 days of awareness: day 23

One advantage of having covered malware many times before is that we have a stock of awareness graphics already in the bank, including the poster images, mind maps and so on created for our previous modules.  As such, we own the copyright on them and can use them freely without the bother and expense of commercial graphics.

Good quality graphics not only illustrate and amplify on the words, they also make the awareness materials more enjoyable to read. Our poster images are particularly effective because of the way they are designed: most consist of bright photographs with just a few words on a plain background, a deliberately simple yet visually appealing style. Furthermore, most have a touch of humor about them. Even when shrunk down from high-res poster-size to fit a seminar slide or document page, they remain eye-catching. 

Adjusting the word wrapping to make the text flow around the image, and adding a subtle shadow, makes the finished product still more impressive - closer to a professional type-set look than the blockwork typical of home-made awareness content.

To see it in action, here's an extract from the draft staff awareness briefing on ransomware.  First the original text:

And now the exact same text wrapped around a bright embedded graphic with shadow:

Which of those would you be more inclined to read? Easy when you know how!

Having suitable high-quality striking and relevant graphics is key to this approach. You might be lucky enough to find suitable clip art or other royalty-free artwork online, but simply searching for it is tedious and time-consuming. Commercial services such as Getty charge an arm and a leg for this kind of stuff. Another possibility is to call on your in-house Graphics Department (remember them?) or establish a relationship with an external commercial graphics specialist. Of course, if you are a skilled artist and have the facilities and props for professional photography, then you can do it all yourself - given enough free time and inspiration. Just one word of warning though: there's more to this than meets the eye  :-O

Today ended on a high: the general employee awareness materials are virtually complete bar the posters (expected in the next few days), plus any last-minute changes and corrections as a result of fresh sparks of inspiration or proof-reading. We're still actively scanning the news sites and blogs for information about ransomware, particularly major or unusual incidents and other interesting angles on the problem - which is why the newsletter is usually the very last item to finish as the module is completed. Old news is not news!


23 Feb 2017

28 days of awareness: day 22

While working on next month's module, we're also thinking forward to those that will follow. As soon as the ransomware module is delivered, we'll need to come up with poster ideas for a brand new module on 'innovation and creativity' - an unusual topic for a security awareness program for sure. We've been quietly researching the topic for months, in parallel with the ongoing work. Over the next week or two we need to review the information already gathered and firm-up the scope and purpose of the new module, clarifying the learning objectives and key messages that we'll be putting across. The fundamental premise we originally had in mind was to encourage the legitimate exploitation of the organization's intellectual property and other information assets, while at the same time protecting them from various risks including (in part) theft and exploitation by others. Instead, or perhaps as well, we might delve into the controls and tools supporting information security, another area of innovation and creativity. 

Meanwhile, the ransomware module keeps us busy. Today we prepared an IT audit-style ICQ (Internal Controls Questionnaire) for the professionals' awareness stream, encouraging someone (ideally a competent IT auditor) to review the organization's ransomware risks and controls. As with all the NoticeBored materials, the ICQ is generic, reflecting typical information risks and security controls, identifying issues that would typically be checked and proposing the checks or tests that would typically be performed. In practice, the ICQ is just a starting point that should ideally be customized or adapted for the organization's specific situation e.g. some parts of it may have been covered already by recent audits, and there may be other areas of concern and tests to perform.

We have about 16 types of awareness content done or nearing completion, well on the way to the 26 or so in the finished module.


22 Feb 2017

28 days of awareness: day 21

With a week to go until our self-imposed end-of-the-preceding-month regular-as-clockwork delivery deadline, the ransomware awareness module for March is coming along nicely. 

The contents listing is gradually filling up with ticks as each item is drafted and completed, which means that stress levels in the office are elevated but under control at this point. The diagrams/mind maps, glossary and presentations are sources of inspiration and content for most of the remaining materials, allowing us to increase the pace of production at this point in the monthly cycle.

Today we completed four more deliverables:

(1) The case study is valuable for security awareness and training purposes because: 
  • It gets people thinking and talking animatedly about the topic, especially in a lively group with an inspirational facilitator;
  • It is a good way to bring information security topics to life with relevant news, recent incidents, advisories, issues etc.
  • It is succinct; 
  • It is flexible to deliver e.g. a case study session can be run as a discrete, standalone event or incorporated into other awareness activities such as seminars and courses to break the tedium of lectures and increase audience participation; and
  • It is an excellent opportunity to share, promote, consider and discuss good security practices in the organization's business context. 
The style we have developed for the NoticeBored case studies is a two-pager: the first page outlines a scenario or situation in a brief paragraph, then poses three rhetorical questions designed to draw out the main learning points through individual reflection then group discussion. The second page offers 'model answers' - not a definitive or comprehensive set of responses, simply highlighting the key points in order to pump-prime the group discussion if it needs a boost, and to give participants something on paper to take away, recall the discussion and consider further at their leisure. 

Sometimes a genuine incident can be used directly although this month's fictitious case study was merely inspired by a news report on a ransomware incident affecting a public transport service in San Francisco over the Thanksgiving weekend. Thanks to their effective recovery controls, the infection was eradicated and services soon returned to normal after a period of free rides. The case study explores the possibility of more disruptive and costly outcomes in that kind of situation.

(2) The board agenda is a simple and straightforward yet valuable part of every module - a device designed to get top management engaged with the month's awareness topic. The agenda poses two rhetorical questions with just a few brief sentences of explanation providing the context, and color-coded scoring scales for board members to consider and communicate their positions, leading to a lively discussion during the meeting. The questions are deliberately framed at a high level, normally with a business or organizational focus and phrased in strategic or governance terms. We don't anticipate senior managers getting involved in the details of information security controls or their management, but they do have an overall governance role, ensuring that information risks are being properly considered and duly treated in relation to other risks of concern. Their purview includes setting strategic direction, allocating corporate resources and prioritizing corporate activities.

(3) The wordsearch puzzle is a toy, a game to encourage people to search a grid for words and terms relating to ransomware and malware in general. It's a lighthearted challenge to increase one's vocabulary and have some fun (a rare commodity in this domain!). 

We generate the puzzle from a list of malware- and ransomware-related words and phrases extracted from (4) the glossary, which is practically finished. It's surprising just how many terms-of-art we come up with every month: typically over 150 per topic, more than enough to fill the puzzle grid, so we take the chance to trim out the least relevant/most obscure ones, although it would take a superhuman effort to find all of the remainder.
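For anyone wanting to produce a similar puzzle from their own glossary, here is an added example of the generation step (my illustration, not the NoticeBored tooling, whose internals the post does not describe). It normalizes multi-word terms so they fit the grid, places the longest words first in any of eight directions, lets words cross where letters coincide, reports any terms that could not be placed so the author knows what to trim, and fills the leftover cells with random letters. The glossary extract in SAMPLE_TERMS is a constructed handful of terms, not the module's actual list, and the `find_word` solver exists only so the finished grid can be verified.

```python
"""Word-search puzzle generator: places glossary terms in an N x N grid."""
import random
from typing import Dict, List, Optional, Tuple

# Eight compass directions as (row step, column step).
DIRECTIONS = [(0, 1), (1, 0), (1, 1), (1, -1), (0, -1), (-1, 0), (-1, -1), (-1, 1)]

# Constructed sample glossary extract (assumption: a few plausible terms, not the real list).
SAMPLE_TERMS = ["ransomware", "bitcoin", "backup", "phishing", "payload",
                "decryption key", "Trojan", "exploit kit", "air-gap", "patch"]

Grid = List[List[str]]
Placement = Tuple[int, int, int, int]  # row, col, row step, col step


def normalize(term: str) -> str:
    """Upper-case the term and drop spaces, hyphens etc. so it fits one cell per letter."""
    return "".join(ch for ch in term.upper() if ch.isalpha())


def _reads(grid: List[List[Optional[str]]], word: str, r: int, c: int, dr: int, dc: int,
           allow_empty: bool) -> bool:
    """True if `word` can be read (or, with allow_empty, written) from (r, c) in direction (dr, dc)."""
    n = len(grid)
    for i, ch in enumerate(word):
        rr, cc = r + dr * i, c + dc * i
        if not (0 <= rr < n and 0 <= cc < n):
            return False
        cell = grid[rr][cc]
        if cell is None:
            if not allow_empty:
                return False
        elif cell != ch:          # crossings are fine only where the letters match
            return False
    return True


def build_puzzle(terms: List[str], size: int = 15, seed: int = 0,
                 attempts: int = 200) -> Tuple[Grid, Dict[str, Placement], List[str]]:
    """Return (filled grid, placements of the words that fitted, words that had to be skipped).

    Longest words go first while the grid is emptiest; a word is skipped after `attempts`
    random tries, which is the signal to trim the term list or enlarge the grid.
    """
    rng = random.Random(seed)                       # seeded so a puzzle is reproducible
    grid: List[List[Optional[str]]] = [[None] * size for _ in range(size)]
    words = sorted({normalize(t) for t in terms if normalize(t)}, key=len, reverse=True)
    placed: Dict[str, Placement] = {}
    skipped: List[str] = []
    for word in words:
        if len(word) > size:
            skipped.append(word)
            continue
        for _ in range(attempts):
            dr, dc = rng.choice(DIRECTIONS)
            r, c = rng.randrange(size), rng.randrange(size)
            if _reads(grid, word, r, c, dr, dc, allow_empty=True):
                for i, ch in enumerate(word):
                    grid[r + dr * i][c + dc * i] = ch
                placed[word] = (r, c, dr, dc)
                break
        else:
            skipped.append(word)
    letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    filled: Grid = [[cell if cell is not None else rng.choice(letters) for cell in row]
                    for row in grid]
    return filled, placed, skipped


def find_word(grid: Grid, term: str) -> Optional[Placement]:
    """Solver used to check the puzzle: locate `term` in the filled grid, or return None."""
    word = normalize(term)
    n = len(grid)
    for r in range(n):
        for c in range(n):
            if grid[r][c] != word[0]:
                continue
            for dr, dc in DIRECTIONS:
                if _reads(grid, word, r, c, dr, dc, allow_empty=False):
                    return (r, c, dr, dc)
    return None


def render(grid: Grid) -> str:
    """Plain-text rendering suitable for pasting into a document."""
    return "\n".join(" ".join(row) for row in grid)


if __name__ == "__main__":
    g, ok, dropped = build_puzzle(SAMPLE_TERMS, size=15, seed=1)
    print(render(g))
    print("placed:", sorted(ok))
    print("skipped (trim these):", dropped)
```

Every word the generator reports as placed can be recovered by the solver, which is a handy sanity check before the grid goes to print; and because the fill letters come from the same seeded generator, re-running with the same seed and term list reproduces the published puzzle exactly.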

That's it for another day: more gaps to fill in the contents listing tomorrow. The floggings will continue until morale improves.


21 Feb 2017

28 days of awareness: day 20

As you might expect, we use security metrics extensively to illustrate, and support the NoticeBored awareness materials. We exploit data, graphs and statistics from recent reports, advisories, surveys and other information sources published on the Web*. It's not always easy to find credible information however, since quite a lot of stuff out there is either pure marketing tripe or is so badly described and presented that it is unsuitable.
Look at this Bitdefender graph for example:

I've included the preceding paragraph and legend in the clip to point out the complete lack of values on the Y-axis, while the X-axis doesn't actually state the years (given the date of the blog piece, I think it covers September 2014 to March 2015). I guess from the evenly spaced horizontal lines that the Y axis is linear, and I hope the X axis crosses the Y axis at the zero point, in which case it appears ransomware jumped up from about 1.3 to about 9.3 unspecified units from January to February, while "banker" (bank Trojans?) increased from 1 to 3 units in the same period. What use is all that? Not a lot! Ransomware increased on some parameter (does "overall numbers" mean the number of infections? Number of families or variants? Size of payload? Height above sea-level?!) at three times the rate that bank Trojans increased, for no obvious reason in February. Far too much guesswork there without additional information. If we were unethical or naive, we might simply use this graph in the awareness materials to demonstrate "a huge spike in ransomware infections in February", a scare tactic known as FUD (Fear, Uncertainty and Doubt). We aren't ... so we'll carry on searching for better metrics.

It's not as easy as you might think to find reliable data, sound statistics and (ideally) nice graphics in the information risk and security world. Mostly we see the same stuff spread all over the Web like a nasty rash, often (arguably) misinterpreted and misrepresented. In the apparent absence of anything better, almost any number will do for some - such as this vague journalism from CNN:

The $209m first quarter estimate is lame enough (How was that determined? What costs does it include and exclude? How much of the world does it cover? How reliable is the figure? Who estimated it? Was it actually produced by someone from the FBI - if so who, why and how?).  To then project an annual figure for 2016 by multiplying the Q1 number nearly five times is an insult to our intelligence, on a par with the most outrageous fake news. For the marketers and other FUD-merchants, $1 billion is a nice, round, eminently quotable figure, while its (alleged but untraceable) association with the FBI gives it still more impact. And so, as the number is bandied about willy-nilly, the original source becoming ever more distant and obscure, fiction becomes fact.

Hopefully our customers have their own corporate metrics and other information sources to supplement or replace those we provide in the NoticeBored materials. It is more relevant, more eye-catching and hopefully more motivational to say "We saw a 3-fold increase in ransomware attacks last month" than "Statistics from an antivirus company indicate a 3-fold increase in ransomware numbers in February". Better yet, "We are experiencing a spike in infections with three times the normal number of ransomware attacks on us last month, including an unfortunate incident in the XYZ Department that cost $XX,000. Our CEO says ransomware must be brought under control, and quick"!


In case you're wondering, we either seek explicit permission from the copyright owner or limit ourselves to using small/insignificant parts for educational purposes under the 'fair use' provisions of copyright law. We always cite and/or link to the original sources so that interested readers can check the context and read more - it's a common courtesy. If you make use of the content on this blog or our other websites, please reciprocate.

20 Feb 2017

28 days of awareness: day 19

We spent much of the day chainsawing, clearing one tree and side branches of another from the microwave link path.  

So far it seems to have worked: the link is holding up in today's drizzly rain that interrupted proceedings the other day.  Phew.  An Internet business without the Internet is not a business.


19 Feb 2017

28 days of awareness: day 18

Nothing to report today on the awareness front - another day off. Luxury!

Well ... almost. Part of the reason for the break is that our rural Internet connection failed. Our Internet service uses a dedicated microwave link to a mountain-top comms site about 20km away. The path was degraded by heavy rain and, I believe, wet foliage on the trees at our end. Chainsawing the most accessible lower branches out of the way didn't resolve it so I guess more dramatic chainsawing is called for.  

I wish I could access the path quality metrics from the dish feedpoint radio system to check how much difference the foliage clearance is making and how much further we have to go - also to double-check the dish alignment since we've had storms with strong winds lately. Hmmm, time to contact the service provider, I think, and maybe to check out the admin interface on the dish radio system.

Annoyingly, one of our two backup Internet connections also fell over. There appears to be an intermittent hardware or software issue between the modem and the router, exacerbated by poor signals on the wireless interface. Part of the fun of running a small business is that we have no in-house tech support team to diagnose and fix these little annoyances. Mind you, we also have no in-house tech support team to manage and pay so it's not all bad!


18 Feb 2017

28 days of awareness: day 17

With the graphic/visually-oriented materials well under way, it's time to crack on with the supporting ransomware awareness briefings. These are primarily intended to supplement and extend the PowerPoint slides (e.g. as printed seminar handouts), filling-in the details for people whose interest has hopefully been piqued - or simply to appeal to those who prefer the written word and quiet reflection over colorful diagrams and whatever the seminar leader is spouting off about, up front. They are valuable for people who want or need to know about the topic but, for whatever reason, don't get to the seminars, workshops, courses or meetings in person and are unwilling to ponder over the somewhat cryptic slide decks online.
At this point in the month, I have a reasonably clear picture in mind of the whole ransomware topic area, including most of the elements that I believe are worth bringing up in the written briefings. I also have several diagrams and other graphics to hand that will be incorporated to illustrate and break up those monotonous, boring blocks of text or tedious bullet-point lists that plague a lot of technical documentation. Furthermore, the text and images on the slides, plus the accompanying speaker notes, provide donor content and prompts that help me press ahead with writing the briefings. This is my chance to incorporate quotes from and references to relevant content published on the Web - the news stories, advisories, surveys, reports and recommendations made by various parties with an interest in ransomware ... which reminds me that things are and will remain fluid until the module is completed and delivered. As new information comes to light, it gets considered and where appropriate incorporated, making the materials as fresh as the tulips in a Dutch market.

To the left is a list of the 30-odd templates we are using to prepare most of the awareness materials. Templates not only make it quicker and easier to start a new document, presentation or whatever, but give the materials a consistent, professional look and feel. They have been designed, developed, tested and refined continually since NoticeBored was launched in 2003. They also remind us of the preferred structure and layout of each item although of course we can make changes as required - as indeed can our valued customers (e.g. swapping their awareness program logo for our NoticeBored placeholder, and perhaps integrating additional content obtained or written independently).

Having recently revised the template for our usual monthly paper on metrics, it all came together beautifully this time around. We're combining the GQM (Goal-Question-Metric) and PRAGMATIC approaches, generating a unique tabular style of metric that addresses multiple aspects of the topic area in a consistent, business-aligned manner, the whole thing expressed succinctly in a 3-page management-level briefing:


17 Feb 2017

28 days of awareness: day 16

Today I've mostly been reading and thinking about the official launch of the NCSC - that's the UK's new National Cyber Security Centre as opposed to the US National Counterintelligence and Security Center (presumably an unfortunate clash of acronyms ... or was that deliberate?  They do have remarkably similar aims). 

Reading between the lines of the formal speeches and usual puffery on the website, I get the feeling this is more than just the latest in a long line of government re-orgs. In particular, I noticed the chief's stated intent to demonstrate the value of cybersecurity advice by proving it on Her Majesty's Government first. Using HMG as a guinea pig is a bold move and an interesting one. I wish them well - seriously, I have more than just a passing interest in their success.

Skipping deliberately past the thorny issue of what they actually mean by "cyber", one of their glinting advisories caught my beady eye because it concerns security awareness. "10 Steps: User Education and Awareness" is part of the "10 Steps to Cyber Security" series ... which so far has 13 steps (!) since in addition to 10 'technical advice sheets' it includes 3 introductory sheets aimed at senior management. Bear with me: I'll come back to that point towards the end.

First let's take a closer look at their advice on "user education and awareness". 

The advisory starts out well by explaining the [information] risks it covers, providing a useful context for the recommended controls that follow. The stated risks include: 

  • "Removable media and personally owned devices" - that's actually two distinct if related categories of risk.  I'm uncomfortable to see this listed first, precedence implying higher priority;
  • "Legal and regulatory sanction" is really an impact not a risk, but fair enough compliance is bound to be a strong driver for any authority, something they are naturally keen to promote more widely. There's more to say about this later;
  • "Incident reporting culture" is a control not a risk, one that is quite rightly covered below leaving the corresponding risks unstated;
  • "Security Operating Procedures" is again a control not a risk, although confusingly the supporting comments refer vaguely to 'imbalance', where [excessive or inappropriate] security impedes legitimate business activities - another separate issue and hardly a major information risk in any reasonably well-managed risk-driven outfit. I wonder if someone has misinterpreted SOP (Standard Operating Procedure), anyway, and garbled this point?;
  • "External attack" is a broad class of incidents, refined by the following comments to mean attacks by outsiders using insiders i.e. social engineering. This is patently a key risk to tackle through awareness and education since it revolves around people. I wonder why they chose not to say "social engineering": is it too scary perhaps?;
  • "Insider threat" is technically a class of threats but is broadly understood to mean the information risks arising from and relating to workers. Again, awareness is a key control in this area, so that's cool. Personally, I'd have put this along with the previous bullet up top.
Other relevant risks are missing from the list e.g.:

  • Genuine errors, accidents and mistakes that compromise information and hence the organization: this is by far the biggest category of human-related incidents by volume and probably by value ('death by a thousand cuts'), hence it is a significant omission from the list. It's also a nice risk to mention because of the lack of associated blame in most cases (aside from carelessness and negligence, anyway) and the fact that collective and individual behaviours can make a real difference in this area;
  • Poor quality work: this is an information risk stemming partly from carelessness along with other factors such as people settling for incomplete, out of date or inadequate information, not spotting and correcting errors, failing to help or encourage others to do things right, and not speaking up when they see things going wrong or think of better ways to work. It's another area where awareness can drive behavioural and cultural changes, with obvious payoffs for the organization (and the people!) if done well. I guess this one would suffer from rampant political correctness since at first glance it appears to be accusing workers of shoddy work, so it probably ought to be expressed more carefully ... on the other hand, 'rampant political correctness' may be part of the problem! Sometimes, straight talking achieves more, especially if supported with positive suggestions on how to make things better for everyone;
  • Fragility, by which I mean situations where the organization gets thrown out of kilter by even fairly small issues or incidents. This risk arises from a deep-seated vulnerability in many mature organizations (such as governments), a profound reluctance to change and, worse still, a premium on stability, conservatism and maintaining the status-quo over creativity, innovation, responsiveness and resilience. It is a particular issue in security and technology being such fast-moving areas. We are constantly facing fresh challenges, new threats, new vulnerabilities, new impacts ... and new opportunities, some of which are well worth adopting. Maturity and stability have their moments too so this can be a tricky issue to express. I guess the risk relates to striking the right balance between opposing forces.

Notice that I'm straying beyond the generally-accepted cybersecurity sphere here, quite deliberately. And I have picked out just 3 of many information risks that are intimately associated with people. 

Anyway, moving swiftly on, next comes their security advice:

  • "Produce a user security policy": hmmmmm, 'a policy' is likely to be quite a beast given the breadth of issues to be covered, although the advice also mentions procedures so maybe I'm being too picky here. However, even assuming they are actually talking about a coherent suite of policies and procedures (hopefully including guidelines and other supporting materials, in various formats and styles, professionally written, readable and engaging, motivational as well as informational ... all of which remains unsaid) the phrase 'user security policy' hints at another concern (see below).
  • "Establish a staff induction process": again I could quarrel with 'establishing' a process (unless that happens to mean designing, operating, managing, measuring and systematically improving it!), and specific mention of 'staff' is another issue (what about managers? How are they supposed to get up to speed on this stuff?) but it gets worse. The text refers to compliance responsibilities being formally acknowledged for disciplinary purposes: fair enough, the formalities are important for new starters, but that's primarily an HR or Legal issue rather than information or cyber security: what about helping newcomers understand the corporate culture and attitudes in this area, and appreciate why information risks are of concern? Even simple things like how to get help, who to call if something doesn't seem right, where to find the infosec policies etc. are all worthwhile topics.
  • "Maintain user awareness of the security risks faced by the organisation": I'm relieved to read 'maintain' and 'regular refresher training' in the notes, although I'm surprised they only mention "security risks to the organisation" - not controls? Not governance? Not information risks?  Not personal concerns? Not compliance? I realise this is a succinct piece of advice but it could be read very narrowly, missing an opportunity to spread good practice.
  • "Support the formal assessment of security skills": this one is not bad but also misses the mark. 'Formal assessment' and 'certification' are fine but the real value comes from personal development, competence, knowledge and motivation, not the courses or the parchment on the wall.
  • "Monitor the effectiveness of security training": monitoring - and measuring - are good, provided the information is used positively to drive improvements that benefit the organization, which the following advice sort of says. However, the term 'security training' raises yet another concern as that implies courses in security, either in a classroom setting or online focused study. What about all the other forms of awareness and education? Shouldn't they be monitored, measured and improved as well? Oh, hang on a moment, those other forms are barely even hinted-at, let alone promoted, in the document.
  • "Promote an incident reporting culture": well OK, the most obvious question is "How?" and brief advice follows. I'd also ask "Why?" but that's not covered. Prompt reporting of incidents, near-misses and concerns is a valuable part of information risk management, although it was not mentioned among the risks listed earlier.
  • "Establish a formal disciplinary process": I still trip up on that weasel-word 'establish', and struggle with the implication that a 'formal disciplinary process' is sufficient in this area - necessary, yes, but not enough. This is definitely an old-skool approach to compliance, focused on hammering those who don't comply, rather than rewarding those who do. Both approaches have their place, with positive reinforcement being much more powerful and valuable (in my experience) in terms of driving the culture in the right direction. It's better that workers willingly and readily do the right thing because they understand and support the organization's objectives, than because they fear disciplinary action. At the very least, there is a fighting chance they will behave appropriately even when nobody is watching over their shoulder like a hawk, waiting to pounce.

I can think of other controls in this area, in fact I talk about them often on this very blog. It's disappointing that the official advice is so lame, so far behind current practice. I would not have been the least bit surprised to spot that old saw "annual awareness training" in there (thankfully not).

But wait, I'm not done moaning yet. Those repeated references to 'users' as in 'computer users' concern me. We are talking about people, not keyboard-jockeys or key-pressing automata, nor illegal-drug-users (an even more common expansion of the term). We, the people, have personalities, desires, constraints, flaws, priorities, prejudices, biases, creativity and many other biological and sociological characteristics that make us uniquely human. To ignore all that is to disrespect us, or at least demonstrates an apparent lack of empathy towards the audiences for awareness and educational purposes. Saying 'users' reflects a distinctly computer- or cyber-centric view of the world and probably unrealistic expectations about how people behave, react, respond to and learn from this kind of stuff. It is demeaning. We can't be rebooted, and the big red off-switch ... well, let's not go there. 

Finally, and most disappointingly of all if I'm reading this right, is the suggestion that awareness is something that management does to staff. Managers, it seems, are above all that. It's for their underlings, the hoi polloi, the sheep. And, just as bad, IT and other pros are above it too. They are expected simply to know all about information risks and security and all that, having presumably picked it up by some magical sixth-sense parallel-universe out-of-body learning experience - Vulcan mind-melds perhaps. They are anticipated to be the teachers and gurus, apparently, and yet how do they learn the ropes? Speaking for myself as a career infosec pro with 3 decades' experience under my belt and clearly a keen interest in awareness, I definitely don't know it all, and I learn new things every day. The day I stop learning is the day my big red switch gets flicked to OFF and the lights go out for the very last time.

So, to end on a more positive note, I am gratified that the 3 management-level briefings I mentioned earlier have been included, albeit seemingly tacked-on as an afterthought. Those, to me, are at least as important as the tech briefings - in fact more so in the sense that without management's understanding in this area, their support is going to be lacklustre at best. If your management is obsessive about "compliance", for instance, that is a huge hint that they Just Don't Get It. Surely it makes sense to tackle management's security awareness and understanding first, and to maintain that impetus thereafter? More please!


Gary (Gary@isect.com)

16 Feb 2017

28 days of awareness: day 15

The security awareness seminar slide decks are coming along nicely. Today we picked up on 'bluff ransomware' (a form of scareware that displays a warning message and ransom demand without the system lock-out or data encryption) and 'Ransomware as a Service' (malware for rent). 

The management seminar now includes a tip in the notes about insisting on 'proof of life' i.e. making part-payment first and checking that you can recover some of your data before completing the deal ... if it turns out - due to inadequate preparation - that you have no alternative but to pay the ransom to get your system/data back. 

By the way, it should be obvious from the management presentation thumbnails above that we much prefer graphics to plain bullet points or solid blocks of text when presenting stuff. The slides may not be entirely self-evident, though, so we invest nearly as much time in writing the accompanying speaker notes (not shown here) for the benefit of the presenters and (if printed as handouts) the audience. Also, the slides are animated where it makes sense - nothing too fancy, mostly just smooth transitions from one slide to the next plus sequential builds on some slides. Rather than force the poor presenter to [click] [repeatedly] [and] [laboriously] [through] [each] [and] [every] [single] [bloody] [item], we mostly use automatic/timed sequences to reveal the full slide over a few seconds without presenter inputs, allowing them to continue speaking to and interacting with the audience, uninterrupted. It illustrates the value of doing this stuff for a living: do you know how to make good use of animations? Do you have the time and energy to make your presentations spring to life? Are you a competent, experienced and confident presenter/trainer?

Another big advantage of using graphics such as mind maps in presentations is that the presenter can either linger and expand on a slide that catches his/her or the audience's attention, or otherwise move swiftly ahead. It's a very flexible presenter-and-audience-friendly style that we've developed over many years. The underlying aim is to fire up the imaginations of those who 'think in pictures' and those who don't.

Creating a more authentic [and yet fake, I hasten to add!] ransom note from yesterday's newspaper headlines was easier than I thought. This work of art took about 10 minutes with a craft knife, a sheet of paper and a glue stick - more fun and quicker than Googling for a suitable font, even if the office now looks like the Blue Peter studio.

Question is: should I now shred the message before recycling it? And should I shred the tattered remains of the newspaper too, in case some enterprising official decodes the gaps? In infosec, paranoia is an occupational hazard!


15 Feb 2017

28 days of awareness: day 14

Here we are, halfway through the month, so it's time to take stock of the awareness materials in the bag already, on the go right now or not yet started. This acts as a crude progress metric: will we finish the module before our self-imposed end-of-month deadline? [We always do but some months are more stressful than others!]

I'm ticking off items on the contents list as they come into being, in pencil first as they are drafted then inked-in as they are completed. When the whole module is done, this listing will become a checklist for customers to zip through the materials and decide which ones to use. 

Today we started work on the management and staff awareness seminar slide decks. A few slides can be re-purposed from the professionals' seminar, and maybe a few more from previous malware modules, but there's an art to designing a seminar to suit the audience. Finding angles, perspectives or aspects that will catch their imaginations is key. We try to incorporate fresh content reflecting current or recent incidents, too, making the point that this is very much a live topic, a genuine present-day issue that deserves to be taken seriously. 

Having said that, serious needn't mean dull as dishwater! Ransomware stirs thoughts of ransom notes. In that vein, we'll splash "Your money or your data" or "Your money or your business" on the title slides of the seminars, using fonts that resemble letters rough-cut from the press.
For added impact, I'm very tempted to cut and paste the letters from actual papers and magazines to make more realistic ransom notes - maybe later if there's time.


14 Feb 2017

28 days of awareness: day 13

The security awareness seminar for professionals is coming along.  So far, we have a quote from Kaspersky, two diagrams showing a process view of a typical ransomware incident, a mind map (see below) and some notes about risks and controls.

Two of the slides use the following mind-map:

Mind maps are a useful way to structure and express our thoughts.  The malware mind map was developed over several previous years and has been updated to emphasize ransomware this year.

Gary (Gary@isect.com)