Security Musings Blog
Security awareness is about communication. Why do we make it the responsibility of technical experts?
At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like.
During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge.
Are People The Problem?
Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN and the AP’s twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are the scapegoat. Despite many technological solutions and increased spending, we’re not getting any better. Why?
At the root of most current compromises and breaches are phishing attacks. Phishing attacks are getting more sophisticated and more effective all the time. Phishing attacks work because they convince people to bypass the hardware and software controls we’ve put in place to protect them. The only true defense against phishing is security awareness. And as an industry, we tend to do a poor job of security awareness, even though almost every standard and regulation requires “awareness training”.
Better awareness will result in better security. Of that there is no doubt.
What Is Security Awareness?
When defining security awareness, I prefer to use the definition of awareness coined by Michael Santarcangelo, in his book Into The Breach. He reiterated the definition in this recent blog post on CSO Magazine:
Awareness: The individual realization of the consequences of an action, in their own context of intention and impact.
Security awareness for an organization, therefore, is just an expansion on this term to include security and the organization’s concerns. Security awareness is an individual’s realization of the security consequences of an action, and the corresponding impact on the organization.
When it comes to information security, the impacts to the organization from one security incident could fill a whole catalog. The loss of intellectual property is a pretty simple one to understand: your “secret sauce” is no longer a secret. The impact of breaching customer or employee private information is much more complicated. It reverberates through increased IT costs, increased legal costs, and payment of fines and fees. It also damages reputation, reducing the value of the brand as a whole.
Security awareness is critical to the security of an organization, and thus falls under the purview of the individuals in charge of security.
And that, I think, is where we’re going wrong.
Effective Communication is the Key
Awareness, especially security awareness, is essentially a communication problem. In order for me to be aware of something, it needs to be communicated to me. I am only working from the knowledge base already stored within my brain. I don’t have my cybernetic implant (yet) that performs real-time queries to supplement my knowledge with the corpus provided by the Internet.
If I’m going to be aware of something, either I need to read it, or someone needs to tell me or show me. Those that know need to communicate it to those that don’t.
To be effective, this communication must result in two things:
- I am aware of the consequences of my actions
- My behaviors change as a result of my awareness
People Are the Solution – Just Not These People
Now, let’s get back to what I said above. Since security awareness is so critical to the security of an organization, it is often placed within the responsibility of those responsible for security.
Are security experts also experts at person-to-person communication? I don’t think so.
Sure, there are certainly outliers who are talented in both security and communication. I’m lucky enough to be friends with some of the true experts on this topic. I also know there are a bunch of people like me, who are knowledgeable about security and are decent communicators. I’m no expert, but can usually get my point across.
Communication experts know exactly how to craft a message to create value, reduce the friction in the communication, and change behavior. They are hard to come by, and well sought after.
Your typical CISO, or head of network security, probably is not an expert communicator. While they might be able to learn enough to become one, is that what you want? I think I’d rather my CISO be an expert at communicating with the business and setting strategic direction for the security organization. I’d want my head of network security to understand every bit of how to architect networks to defend against emerging threats.
It’s time to change the way we handle security awareness. The first step is to stop making it the responsibility of the security teams.
Let’s cultivate true communications experts to focus on security awareness. It is the only way we will get out of the current checkbox-checking mentality that “security awareness training” has become.
Entrepreneurs need to think like investors when it comes to security
How do you buy groceries? Do you buy based on brand, what you know? Do you consider the price? Or do you have someone else handle it for you?
Making An Investment
While routine, groceries aren’t expensive. When we consider larger investments, however, the calculus changes. Most hesitate a bit when buying a new computer or tablet. We’d want to make sure the system meets our requirements and we’re not paying too much. Since they are a commodity item, you can shop around without difficulty.
Buying a car or a house requires more time to be spent in the due diligence process. At some point it becomes less about “buying” and more about “making an investment”.
Smart entrepreneurs consider their exit. And that means asking one vital question: What due diligence will an investor require before investing in me?
Think Like an Investor
Seasoned investors seek not only profits and revenue, but are typically driven by one of these three motives.
- Control the intellectual property (the “secret sauce”) – by owning the process or the patents. (e.g. Google’s acquisition of Motorola Mobility)
- Obtain the customer base – to offer a more complete solution to a wider audience. (e.g. Facebook’s acquisition of Instagram)
- Obtain the talent – hire valuable engineers, leaders, and/or a whole team en masse. (e.g. Salesforce.com’s acquisition of Thinkfuse)
Investors are making a calculated risk decision when they make an investment. They consider the likelihood of continued success over failure. Your valuation will depend on both how much investors might make, and how much they might lose. Investors are primarily worried about two things when they think about failure.
- The Intellectual Property – Is the “secret sauce” still a secret? And are there patents and other protections in place to ensure the IP is truly part of the purchase?
- The Time Bomb – What is already in place at the company that we don’t know about? What are the risks and liabilities that can end up shutting the business down before we get started? What might end up causing reputation damage that will make it a bad company to have our name attached to?
Invest In Security
So how do you prepare yourself to talk to potential investors? How do you calm their fears so that you can get the highest valuation? The best answer is to invest in security.
A startup with a proper information security and risk management program is well prepared to answer questions about their intellectual property. “Yes, we’re confident our secret sauce is still a secret, because we took the steps necessary to protect it, monitor it, and handle incident response.”
This program also needs to protect intellectual property, including legal considerations. It should also address how you manage vendors – to ensure that your partners don’t end up causing you issues or weaknesses. (Reports show that a third party was at the root of the recent Target breach).
Great investors hire security experts to perform security assessments before acquiring companies. Knowing about a startup’s information security program can put the investors at ease. It can erase concerns over devaluation of the intellectual property. It can also erase ticking time bomb concerns, knowing lax security isn’t going to cause disclosure of customer information or reputation damage. We’ve provided this part of due diligence for corporate acquisitions totaling over $23 billion.
Great customers do this too. We do these assessments for larger companies when they look to buy products or services that will access their confidential information. They want to ensure working with a startup isn’t going to put their company’s information or brand at risk. And they’re often willing to work with the more expensive option if they present better security capabilities.
So make sure that you’re prepared when the truly great investor or great customer comes knocking. Invest in security as early as possible in your startup. It will be one of the few investments you can make with guaranteed positive returns.
Learn to spot and recover from tax return fraud
Around this time of year, many of us are filing–or procrastinating about filing–our taxes. So you finally get around to filing your taxes, and your return is rejected because someone has already filed for that social security number. Uh-oh! What now? You know you haven’t filed your taxes already, and you’ve double-checked your social security number to make sure you typed it in right.
Then you find out your worst fear is true: someone else has already filed a tax return using your social security number – otherwise known as IRS Tax Return Fraud.
Immediate Actions To Take
There are three things you need to do as soon as you can:
- First, file a police report for identity theft. Someone clearly has your social security number.
- Second, you need to file IRS form 14039.
- Finally, notify the FTC; they can help you sort out the aftermath of identity theft with banks, creditors, etc.
Filing a police report will make dealing with your creditors and the IRS easier, but by no means easy. It’s never easy to deal with identity theft. IRS form 14039 is an affidavit of identity theft. It lets the IRS know that you have been the victim of IRS Tax Return Fraud, and that when they receive your (mailed) tax form, it is the one that should be used for your social security number.
Consequences of Tax Return Fraud
Unfortunately, the IRS will require that you mail this year’s tax forms instead of e-filing. You can usually continue to e-file your state returns, but check your state’s website for details on what you should do.
The IRS will research your tax return to determine the circumstances and whether they can find who fraudulently filed your taxes for you. This can take a very long time. Any refund you might be due will not be mailed or deposited until the investigation is done. So, if you were depending on your tax refund to pay bills or pay for something else, start looking at other options. You’re not going to see that money for a while (and of course they don’t pay you interest on it either!). If you owe taxes, you’re just going to have to pay them before the April 15 due date as usual. You also have to file (by mail) any other taxes (like next year’s) on time if your case takes that long. The IRS says that if you haven’t heard anything from them within 180 days, to call their Identity Protection Specialized Unit.
Once the IRS has investigated your case, you’ll get a special PIN that you must use when filing your taxes in the future. Up until a few years ago, this PIN wasn’t supported in most e-filing software, so you still had to mail all of your tax returns with your PIN printed on them. Now, e-filing is possible again; just enter your PIN when the software asks for it.
Continuing to Protect Yourself
While you are waiting for the IRS, you should also contact all of the credit reporting agencies and make sure no one has opened an account using your social security number. Remember, someone has your social security number – it may have been just a typo, or it may have been maliciously obtained. To protect yourself, you need to treat it as if it was maliciously obtained.
It may be worth contacting any organizations that you have given your social security number to within the last year to determine if any of them have experienced a breach of security. Accountants, doctors’ offices, and law firms are all under attack. Inform them that your identity has been stolen, and ask what they are doing to protect your personal information.
How applying too much of anything - including security - can be a bad thing.
Water is critical to life. Many sources suggest drinking more water can lead to better health. And yet I’m sure you’ve heard the story of the woman who died as a result of drinking too much water during a radio station contest in 2007. Water intoxication results when our water intake and water losses are grossly out of step. The levels of electrolytes in our system get out of balance, causing basic functions of the body to stop working.
Too much of a good thing–even water–can be bad.
Minimum Effective Dose
A minimum effective dose, or MED, is a term from pharmacology: the smallest dose that will produce the desired outcome. Think of acetaminophen, the main ingredient in Tylenol. If you take the right amount, it can reduce fever and pain. If you take too much, it can harm your liver. Likewise with narcotics: overuse can lead to addiction and other ill effects.
The right dosage of medicine is often based on a variety of factors, including the patient’s body mass, the rate of absorption of the drug, and others. Medicine dosage is very rarely “one size fits all”.
In his book The 4-Hour Body, author Tim Ferriss discussed the concept that MED doesn’t have to be restricted to medicines. Consider any activity as a “dose” and then think of how the MED might apply. Boiling water, for example, means that you heat the water to 212°F (100°C). Heating it any higher is wasteful and doesn’t help reach the desired outcome.
What’s the right security dose for you?
Applying information security controls is also an activity that requires a minimum effective dose. While applying too much security rarely leads to liver failure or crippling addiction, it can lead to significant waste and inefficiency. Avoiding this waste is one of the main principles behind minimum viable security.
Have you ever used a computer that had two or more anti-malware products installed on it at the same time? Anti-malware software kicks in when any file is read from or written to the disk of the computer. Having two products installed creates a flow like this:
- You click to open File X.
- Product 1 activates upon read of File X, and checks its own database to see if File X has a virus.
- Product 2 activates upon read of Product 1’s database, and checks its own database to see if Product 1’s database has a virus.
- Product 1 activates upon read of Product 2’s database, and checks its database again.
- And then Product 2 repeats the entire process when it gets its chance to scan File X.
Having two active anti-malware products means 6-8 activities every time the system reads a file. It also requires both anti-malware databases to be in memory, reducing the space for other programs. The end result is a computer which behaves slower than dial-up.
Applying more security didn’t make the system “more secure” – just like heating water past 212°F doesn’t make the water “more boiled”.
The Value of the Minimum
Minimum viable security can be thought of as an MED for security: doing everything you must do to protect the organization and its information assets, without waste. Some technical controls are part of minimum viable security: firewalls, patching, anti-malware, and limited privileges. Non-technical controls are necessary too, such as physical security, having clearly defined policies, and increasing awareness.
Do you have an idea for what is and isn’t part of minimum viable security? Leave a comment below and join in the discussion.
Adding more security to a system is always an option – but we believe that it often is not the best option. Too much of a good thing often isn’t. We apply our creativity, passion for security, and insight in the industry to find the most appropriate solutions for our customers: the minimum effective dose of security for their organization.
Why smaller organizations in the finance industry need to make security a priority
While the headlines are dominated with tales about recent breaches at Target, Neiman Marcus, and others, those businesses will survive. What about smaller companies?
It turns out that just last year, two separate title and escrow companies had to shut their doors after suffering cyber attacks. Leaked emails from a small regional bank resulted in the successful theft of money from a client. And thieves are using the access that small accounting and financial management firms have to individual and corporate bank accounts to steal hundreds of thousands of dollars.
What do these incidents all have in common?
They are all financial industry firms. And they are all relatively small. Most of them neglected to provide even the minimum viable security necessary to protect their assets, and those their clients entrusted to them. All of them have suffered reputational and financial damage as a result of their inaction. And some are now out of business.
Financial companies in the crosshairs
Verizon reported in its 2013 Data Breach Investigations Report (DBIR) that 37% of the investigated breaches occurred within finance industry organizations. Not only is this the top industry, it experienced roughly the same number of breaches as the next four industries (Retail, Food Services, Manufacturing, and Information) combined.
Why is the finance industry attacked so much?
Three words: “follow the money.”
As attacks shift toward financial gain, attackers naturally prey on targets with easy access to capital. Banks are a logical choice; they have lots of other people’s money. Title and escrow companies also handle lots of money and tend to attract less attention, oddly making them prime targets.
Accountants, financial managers, and investment firms are next. These organizations have access to banking and investment credentials, or at least enough information about their clients to enable identity theft and fraud.
Don’t press your luck: watch out for the double whammy
Also revealed in the DBIR is the startling fact that the smallest organizations – from 1 to 100 employees – suffered the greatest number of breaches in 2013. That means smaller companies in the financial sector face a double whammy.
While some still argue about whether banks are too big to fail, it’s clear that none is too small to attack. A smaller organization may represent a smaller “score” after a heist, but the heist is easier to pull off, so smaller organizations are becoming a favorite target of attackers.
What it really means is that small financial organizations cannot afford to ignore security any longer. The challenge is that security built for large organizations – those that can absorb a breach more readily – isn’t always suitable.
The surprising challenge of compliance
For example, the Gramm-Leach-Bliley Act (GLBA) requires organizations to
“develop, implement, and maintain a comprehensive information security program that… contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
Although the requirement is fairly generic in approach, it’s surprising how few small financial organizations follow this most critical requirement.
Two questions to get on the right path
First, do you have a compliant information security program in place? This doesn’t mean an information security policy that was approved four years ago and is collecting dust on a shelf. It means a complete program of policies, procedures, and controls around the physical, network, system, and data security of the organization. If the information security program doesn’t exist, or isn’t complete, our recommendation is that it should become a priority for the business.
Second, is the information security program being followed? The best way to answer this question is to seek third-party validation of the information security program, such as our Information Protection Assessment. This assessment should determine whether the policies are sufficient to meet regulatory requirements, whether the procedures can meet the policies, and whether the procedures and controls are implemented correctly.
Don’t be the subject of the next headline in the paper. Focus on security that is sized and prioritized to meet the demands of your business. Take these steps to make sure your organization isn’t an easy or rewarding target for attackers.
5pm on Friday and you're the last one out. You locked the door but are intruders still getting in?
As a small business owner, I often find myself having some of my most productive time on Friday afternoons. My clients have gone home for the weekend, my staff members are wrapping up their week’s work and completing their timesheets. I’ve got a few hours of time to myself to get things done. Dinner time rolls around and I’m inevitably the last one out of the office, shutting off the lights and locking the door behind me.
What a lot of people don’t realize is that even once they’ve turned out those lights and locked that door, strangers might still be coming into their place of business.
Network Connections Are Like Doors
Just like a door, a network connection can let people into your business. If you have a firewall, your network connection probably looks more like a strong door with a mail slot. There’s a minimal amount of space open to the outside world, just to let a little bit of mail and web traffic in. Certainly not enough room for a person to fit through.
Unless that person is carrying a coat hanger. Unfold the coat hanger, reach it up to unlatch the deadbolt, pull the door handle, and now anyone can enter.
Likewise, your firewall isn’t enough to protect your network connection on its own. If there’s a vulnerability in the service you’ve exposed to the outside world through the “mail slot” – your web server has some unpatched software, say, or your mail server is outdated – a person with the right tools can take advantage of that, and open up a door big enough to fit himself and all his friends inside your business.
Don’t think it’s realistic? After you finish reading this, run a quick internet search on the phrase “malware on my website”…
What About Doors You Didn’t Install?
Firewalls are an essential part of minimum viable security. Examples like this show that a firewall alone won’t protect a network. Even so, let’s assume you feel reasonably safe with your current network connections.
There are also the threats posed by network connections you don’t know about. I’m sure you’re asking, “How can I not know about a network connection? I’m paying for the only one.”
First off, there’s the threat of rogue wireless access points. We’re working with a customer whose building is built so strongly that the wi-fi signal doesn’t work well in every office. One employee’s solution? Buy a $30 wireless access point, connect it to the ethernet cable in the conference room, and BAM! super fast wireless connectivity.
While it solved his immediate problem of no connectivity, his lack of experience with security created a new problem. There was no authentication or encryption on the hotspot, and now all the sensitive traffic shared in that conference room is being broadcast to people inside and outside the building.
There’s also the more advanced threat of devices such as the Pwn Plug. Looking like an innocent power adapter, it could be delivered to your office by anyone from a janitor to a florist, exposing your innermost secrets to the outside world.
Make Sure Those Doors Are Locked
If network connections are like doors, then it behooves you to have as few network connections as possible, and understand the connections very well.
Here are some actions that you can take by next Friday afternoon. The first two don’t take any special IT wizardry, but the last two might require some help from your IT or security experts.
- Do a sweep for rogue wireless hotspots in your office. There are free apps for Android-based phones and tablets that can help.
- Google your company’s IP addresses – not names – to see if they appear in unsavory lists such as places to obtain malware or illegal credit cards.
- Ensure that all openings in your firewall lead to systems and software that are up-to-date and fully patched.
- Audit your network for other unauthorized connections that aren’t expected.
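The first and third items on that list are the ones an IT helper is most likely to script. The following Python is an added example, not code from the original post, and it models both checks on constructed data: a wireless scan compared against the list of access points the business actually installed (to flag rogue hotspots such as the open conference-room unit described above), and a set of firewall openings compared against a software inventory (to flag exposed services that are behind on patches or that nobody can account for). The SSIDs, BSSIDs, host names, port rules and version strings are all constructed for the example; a real sweep would fill the scan list from the scanning tool and the inventory from the patch-management system.

```python
from dataclasses import dataclass

# --- Rogue access-point sweep ---------------------------------------------

# Constructed list of the access points the business actually installed,
# keyed by BSSID (the radio's hardware address) with the SSID it should carry.
APPROVED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}

# Constructed result of a wireless scan taken from inside the office:
# (BSSID, SSID, security, signal strength in dBm).
SCAN_RESULTS = [
    ("00:11:22:33:44:01", "CorpWiFi", "WPA2", -48),
    ("00:11:22:33:44:02", "CorpWiFi", "WPA2", -55),
    ("AA:BB:CC:DD:EE:01", "ConfRoom", "OPEN", -40),   # the $30 hotspot
    ("AA:BB:CC:DD:EE:02", "Neighbor", "WPA2", -82),   # probably next door
]


def find_rogue_aps(scan, approved, strong_signal_dbm=-65):
    """Return (bssid, ssid, reason) for every AP that is not on the approved list.

    A strong signal suggests the radio is inside the building; an open
    (unencrypted) network on top of that is the conference-room scenario.
    """
    findings = []
    for bssid, ssid, security, signal in scan:
        if bssid in approved:
            continue
        reasons = []
        if signal >= strong_signal_dbm:
            reasons.append("strong signal, likely on premises")
        if security == "OPEN":
            reasons.append("no encryption")
        if ssid in approved.values():
            reasons.append("impersonates an approved SSID")
        findings.append((bssid, ssid,
                         "; ".join(reasons) or "weak signal, possibly outside the building"))
    return findings


# --- Firewall openings versus patch level ---------------------------------

@dataclass(frozen=True)
class Service:
    host: str
    name: str
    installed: str   # version currently running (constructed)
    latest: str      # vendor's current version (constructed)


# Constructed firewall rules: which inside host each open port leads to.
FIREWALL_OPENINGS = {
    ("tcp", 25): "mail01",
    ("tcp", 443): "web01",
    ("tcp", 3389): "fileserver",
}

# Constructed software inventory for the hosts behind those openings.
INVENTORY = {
    "mail01": Service("mail01", "mailserver", "2.1.0", "2.4.3"),
    "web01": Service("web01", "webserver", "5.8.2", "5.8.2"),
}


def version_tuple(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def find_unpatched_exposures(openings, inventory):
    """Return (proto, port, host, reason) for every opening that needs attention.

    An opening is flagged when the host behind it runs software older than the
    vendor's latest version, or when the host is missing from the inventory
    entirely (an opening whose purpose nobody can account for).
    """
    findings = []
    for (proto, port), host in sorted(openings.items(), key=lambda kv: kv[0][1]):
        svc = inventory.get(host)
        if svc is None:
            findings.append((proto, port, host, "no inventory record for host"))
        elif version_tuple(svc.installed) < version_tuple(svc.latest):
            findings.append((proto, port, host,
                             f"{svc.name} {svc.installed} behind latest {svc.latest}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN_RESULTS, APPROVED_APS):
        print(f"ROGUE AP  {bssid}  {ssid!r}: {reason}")
    for proto, port, host, reason in find_unpatched_exposures(FIREWALL_OPENINGS, INVENTORY):
        print(f"OPENING   {proto}/{port} -> {host}: {reason}")
```

Run as-is, the sweep reports the open "ConfRoom" radio as a strong, unencrypted unknown and the neighbour's network as a weak-signal unknown worth a glance, while the firewall check flags the mail server as two minor versions behind and the port leading to a host with no inventory record at all. Both lists are meant to be reviewed by a person: an approved list that is out of date produces false positives, and an opening to an unknown host is exactly the kind of door the post warns about.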
Then next Friday, you’ll be able to confidently enjoy your weekend, knowing the doors are safely locked up.