Who cares about Security Awareness? (or: why “Just Say Security” doesn’t work)

November 18, 2010

I spend a lot of time talking with people about our awareness training efforts. And the first thing that almost every one of our clients who “gets it” tells me is the same thing: “We don’t want security awareness.”

That’s not how they say it, but that’s what they’re ultimately saying. Their actual words vary quite a bit, but they’re usually along the following lines:

  • Our users are the main source of breaches within the organization.
  • If only our users would stop {insert user action here – clicking on links, writing passwords on sticky notes, leaving docs on printers, picking up USB sticks in the parking lot}
  • We just can’t get our users to do the right thing.

I never hear our clients say: “I just wish our users knew more about security stuff.” Their fundamental complaint is always that their users DO the wrong things.

In fact, we often hear these complaints about members of the information security staff (and our social engineering engagements bear out that we can compromise even those whose job titles define them as the “security aware” parts of the organization).

This is why I often make the claim that absolutely nobody cares that their users are security aware. They care that their users behave in such a way that they don’t compromise their organizations. What we have traditionally called “security awareness training” is actually a behavior modification exercise.

When viewed that way, it’s clear why our efforts fail. If you look at most of the traditional “security awareness” efforts (like the SANS “Securing the Human” effort that I have been so vocal about), it’s clear that they can’t possibly work. The reason is simple: posters, screen savers, etc. come from the idea that if we just teach our users something enough times, they’ll get it.

Unfortunately, simply saying something repeatedly isn’t enough to change behavior. It’s what the PSA (Public Service Announcement) movement discovered in the late ’80s and early ’90s. If saying “Just Say No” was enough to create a generation that didn’t want to do drugs, we’d have won the drug war in the ’80s. Instead, the global drug market hums along as a $321 Billion market.

In order to change behavior, all the research says that you have to get people emotionally invested. That’s what all the great behavior modification campaigns (i.e. marketing campaigns) have done. And it is exactly what “security awareness training” fails miserably at.

So, how do you hook emotions as part of security awareness campaigns?  You’ll have to wait for my next blog post…

Everything Old is New Again…

November 15, 2010

There’s a common theme among the last couple of posts on here: first, I ranted about SANS’s new Securing the Human program, and then Josh got all ranty about Forrester’s “Zero Trust Model”. Here’s the thing – my biggest frustration with both of these “innovations” in our industry is that they’re nothing new. Both SANS and Forrester are reinventing the wheel and running around claiming it to be something new.

To wit – let’s take a quick Back-to-the-Future gander at two interesting paragraphs. From Forrester’s site about the ZTM: “In today’s new threat landscape, this is no longer an effective way of enforcing security. Once an attacker gets past the shell, he has access to all the resources in our network. We’ve built strong perimeters, but well-organized cybercriminals have recruited insiders and developed new attack methods that easily pierce our current security protections. To confront these new threats, information security professionals must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter.”

Then, let’s walk all the way back to 2004 to view the mission statement of the Jericho Forum: “The Forum is dedicated to the idea that success in today’s business environment is dependent upon the ability to collaborate and do business by enabling the secure flow of data over the Internet. Its members recognized from the outset that today’s business requirement for the flow of data between mobile workforces, customers, suppliers and business partners, is increasingly eroding the ability of traditional perimeter security solutions to protect our systems. To enable business to embrace the Internet while protecting valuable company information, our industry needs new IT security models.”

Whoa. It’s like the Jericho Forum was talking about this whole “Zero Trust”, no-perimeter, the-outside-is-the-inside thing all the way back in 2004. Forrester’s only a HALF A FREAKING DECADE BEHIND.

SANS is even worse.  The demo content on their Securing the Human page isn’t much more advanced than your average Successories poster.  And the videos actually make this circa-90s video look good:

The frustrating thing about it all is that we have these security vendors claiming to be advancing the state of the practice, when they’re really just running around peddling the old solutions that have failed the industry in the past (or, in Forrester’s case, peddling something that was state of the art 6 years ago as something that they just came up with on their own).

Here’s the thing – some of us are actually out there doing interesting new work.  It gets lost at times in the noise of those who are better at self-promotion (or have much larger PR budgets).

As an example, I’m consistently impressed with the work that Rob Cheyne and his team are doing over at Safelight Security – there’s nobody better for security awareness video content.   But you’ve probably never heard of them, unless you’re working with them and seeing them get results for your organization.   Our partners at Lockpath are similarly doing awesome work in the GRC space.  But, again, unless you’ve had the opportunity to actually implement Keylight and see how it changes your security management strategy, you probably haven’t ever heard of them.

That, to me, is what we should be measuring our success on: results with our clients. That’s how I measure our success at MAD. It’s also why I get so completely ranty when I see someone taking ideas and content from 5-10 years ago and claiming that they have great new ideas.

Trust No One – Then What?

November 14, 2010

At long last, we have been presented with the Holy Grail of information security management and protection strategies. Forrester Research recently announced the Zero Trust Model (http://goo.gl/PT348), which aims to fix the current, broken, model in terms of inherent trust levels, which areas of the network should be protected, and from which perspective. In all seriousness, this is a step in the right direction which is only becoming relevant now because of recent advances in various security technologies as well as the underlying computing power which must be in place to run them.

At the core of the Zero Trust Model is the notion that the existing model – hardened exterior (network perimeter) and trusted internal network – is flawed. Further, that there should be no network location or perspective from which any network traffic or users are considered “trusted.” While this is certainly a valid observation, it is not through gross negligence that the current model was so widely adopted. It is not so much a broken model as it is a model we have evolved past. In the past, the top-down approach to implementing information security controls led enterprises to minimize their attack surface area. The external network at large will always be more vast than the internal network. It is this perspective and scale that leads us to secure from the external perspective first. While internal resources may represent varying degrees of trust, everything and everyone from the external network can most certainly be categorized as untrusted.

While I wouldn’t be so bold as to say we’ve conquered the task of securing our networks from traditional Internet-based attacks, we have made significant strides in this area. We have a multitude of technologies available that effectively shrink the perimeter attack surface area to the point where it is simply no longer an attractive target to many attackers. Enter the new favorite exploit vector for many modern attacks – also known as the users. It’s not that the users themselves cannot be trusted, simply that the network traffic resulting from a successful attack on a user (usually an internal asset) must not be trusted as inherently safe. There are now too many client-side attack vectors for the average user to fall victim to for us to blindly trust her.

If we don’t trust traffic from the outside, and we can’t trust traffic from our own internal networks, where does that leave us? Frankly, with the current threat landscape, we are now forced to recognize and account for security at ALL layers of the enterprise network. A decade ago this may not have been a realistic goal, but technology is becoming available that can bring this goal within reach with the right approach and the right toolset. Instead of the tired “defense-in-depth” model, we should now assume a “defense-at-all-depths” approach. However, implementing this strategy in reality takes more planning and precision than just a blanket policy to monitor/inspect/analyze every byte that traverses the network. Several key players are emerging in the information security space that are bringing to market unique tools that finally give enterprises a fighting chance in mitigating risk down to an acceptable, or at least manageable, level.
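To make the difference between the two models concrete, here is an added illustration (not code from the original post, from MAD, or from Forrester’s Zero Trust material) that evaluates the same constructed requests under a perimeter-trust policy and under a measured-trust policy. The network ranges, resource names, roles and request fields are all assumptions chosen for the example. The point it shows is the one made above: the request that comes from a compromised internal desktop sails through the perimeter model on the strength of its source address alone, while the measured-trust policy ignores location and denies it on device posture.

```python
"""Perimeter-trust vs measured-trust access decisions (added illustration).

Assumptions: the internal ranges, resource-to-role mapping and request
fields below are constructed for the example, not taken from any product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Assumption: the "trusted" internal ranges of the hardened-exterior model.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: per-resource authorization, applied regardless of where the
# request originates. Unknown resources fall through to default deny.
RESOURCE_ROLES: Dict[str, FrozenSet[str]] = {
    "payroll-db": frozenset({"finance"}),
    "wiki": frozenset({"finance", "engineering", "contractor"}),
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    principal: Optional[str]      # None = no authenticated identity presented
    roles: FrozenSet[str]
    device_compliant: bool        # e.g. managed, patched, endpoint agent healthy
    mfa_verified: bool
    resource: str


def perimeter_policy(req: Request) -> bool:
    """Hardened exterior, trusted interior: inside the perimeter means allowed."""
    src = ip_address(req.src_ip)
    return any(src in net for net in INTERNAL_NETS)


def zero_trust_policy(req: Request) -> Tuple[bool, str]:
    """Measured trust: every request earns access; source location is ignored.

    Returns (decision, reason) so denials can be logged and reviewed.
    """
    if req.principal is None:
        return False, "no authenticated identity"
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not req.device_compliant:
        return False, "device posture failed"
    allowed = RESOURCE_ROLES.get(req.resource)
    if allowed is None:
        return False, "unknown resource (default deny)"
    if not (req.roles & allowed):
        return False, "principal not authorized for resource"
    return True, "all checks passed"


# Constructed sample requests.
SAMPLES: Dict[str, Request] = {
    # Attacker operating from a phished user's desktop: internal address,
    # valid account, but the endpoint no longer passes posture checks.
    "compromised-desktop": Request("10.1.2.3", "alice", frozenset({"finance"}),
                                   device_compliant=False, mfa_verified=True,
                                   resource="payroll-db"),
    # Legitimate finance user on a managed laptop, connecting from outside.
    "remote-finance": Request("203.0.113.7", "alice", frozenset({"finance"}),
                              device_compliant=True, mfa_verified=True,
                              resource="payroll-db"),
    # Contractor on the internal network reaching for an out-of-scope resource.
    "internal-contractor": Request("192.168.5.9", "bob", frozenset({"contractor"}),
                                   device_compliant=True, mfa_verified=True,
                                   resource="payroll-db"),
}


def compare(name: str) -> Dict[str, object]:
    """Evaluate one sample request under both models."""
    req = SAMPLES[name]
    zt_ok, reason = zero_trust_policy(req)
    return {"perimeter": perimeter_policy(req), "zero_trust": zt_ok, "reason": reason}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:22} {compare(sample)}")
```

The measured-trust evaluator returns a reason with every denial; in practice that reason is what feeds the monitoring the post calls for, since a burst of "device posture failed" decisions from a single internal host is a far more useful signal than a perimeter log that never saw the traffic at all.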

At the end of the day, the underlying concept of Zero Trust is really a model of measured trust. To learn more about implementing robust security architecture in your organization, drop us a line.

Securing the Human and Missing the Point

November 9, 2010

SANS (after acquiring Lance Spitzner) has launched a new security awareness program called “Securing the Human”. And, while I applaud them for getting on the bandwagon and realizing that the users are the big threat (and I’ve always been a fan of Lance’s work), they manage to completely miss the point (which Aaron mentioned in his previous post).

Without being too dramatic, I spent a few hours going through the demos of their content and it just made me sad.  The content is hokey, poorly edited (note the typo on the Protect Your Passwords poster – should be “use”, not “used”) and guaranteed to do little more than bore the users to death without modifying behavior in the slightest.

Here’s the thing: security awareness is a misnomer.  When MAD helps organizations with their security awareness programs, we don’t care if the users are aware.  We care that they make the appropriate decisions.  Not that they know WHY they’re making the decision, just that they do.

It is exactly the same stance that marketers take. Procter & Gamble doesn’t care that, when you enter your nearest Walmart, you know all of the reasons that Tide is the best detergent. They don’t care that you’re “Detergent Aware”. They care only that, when you place a box of detergent in your cart, it’s Tide.

Similarly, I don’t care that you know WHY you should use good passwords.  I care only that you do.  And I can incent you to do that a million different ways that involve no (boring) posters, (sad) screensavers, (unwatchable) videos or (immediately discarded) newsletters.

Here’s the point that SANS missed – we’re taking technologists and trying to treat user behavior modification like system design.  It doesn’t work like that.  People aren’t puppies.  And they aren’t machines.

An exercise for the reader: Figure out why this video has been watched over 145,000,000 times and you’ll understand why your users ignore your security awareness messages.
