Security awareness is about communication. Why do we make it the responsibility of technical experts?
At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like.
During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge.
Are People The Problem?
Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN’s and the AP’s Twitter feeds, or a hack of Target’s HVAC contractor leading to Target’s breach, people are the scapegoat. Despite many technological solutions and increased spending, we’re not getting any better. Why?
At the root of most current compromises and breaches are phishing attacks. Phishing attacks are getting more sophisticated and more effective all the time. Phishing attacks work because they convince people to bypass the hardware and software controls we’ve put in place to protect them. The only true defense against phishing is security awareness. And as an industry, we tend to do a poor job of security awareness, even though almost every standard and regulation requires “awareness training”.
Better awareness will result in better security. Of that there is no doubt.
What Is Security Awareness?
When defining security awareness, I prefer to use the definition of awareness coined by Michael Santarcangelo, in his book Into The Breach. He reiterated the definition in this recent blog post on CSO Magazine:
Awareness: The individual realization of the consequences of an action, in their own context of intention and impact.
Security awareness for an organization, therefore, is just an expansion on this term to include security and the organization’s concerns. Security awareness is an individual’s realization of the security consequences of an action, and the corresponding impact on the organization.
When it comes to information security, the impacts to the organization from one security incident could fill a whole catalog. The loss of intellectual property is a pretty simple one to understand: your “secret sauce” is no longer a secret. The impact felt by breaching customer or employee private information is much more complicated. It reverberates through increased IT costs, increased legal costs, and payment of fines and fees. It also damages reputation, reducing the value of the brand as a whole.
Security awareness is critical to the security of an organization, and thus falls under the purview of the individuals in charge of security.
And that, I think, is where we’re going wrong.
Effective Communication is the Key
Awareness, especially security awareness, is essentially a communication problem. In order for me to be aware of something, it needs to be communicated to me. I am only working from the knowledge base already stored within my brain. I don’t have my cybernetic implant (yet) that performs real-time queries to supplement my knowledge with the corpus provided by the Internet.
If I’m going to be aware of something, either I need to read it, or someone needs to tell me or show me. Those that know need to communicate it to those that don’t.
To be effective, this communication must result in two things:
- I am aware of the consequences of my actions
- My behaviors change as a result of my awareness
People Are the Solution – Just Not These People
Now, let’s get back to what I said above. Since security awareness is so critical to the security of an organization, it is often placed within the responsibility of those responsible for security.
Are security experts also experts at person-to-person communication? I don’t think so.
Sure, there are certainly outliers who are talented in both security and communication. I’m lucky enough to be friends with some of the true experts on this topic. I also know there are a bunch of people like me, who are knowledgeable about security and are decent communicators. I’m no expert, but can usually get my point across.
Communication experts know exactly how to craft a message to create value, reduce the friction in the communication, and change behavior. They are hard to come by, and much sought after.
Your typical CISO, or head of network security, probably is not an expert communicator. While they might be able to learn enough to become one, is that what you want? I think I’d rather my CISO be an expert at communicating with the business and setting strategic directions for the security organization. I’d want my head of network security to understand every bit of how to architect networks to defend against emerging threats.
It’s time to change the way we handle security awareness. The first step is to stop making it the responsibility of the security teams.
Let’s cultivate true communications experts to focus on security awareness. It is the only way we will get out of the current checkbox-checking mentality that “security awareness training” has become.
5pm on Friday and you're the last one out. You locked the door but are intruders still getting in?
As a small business owner, I often find myself having some of my most productive time on Friday afternoons. My clients have gone home for the weekend, my staff members are wrapping up their week’s work and completing their timesheets. I’ve got a few hours of time to myself to get things done. Dinner time rolls around and I’m inevitably the last one out of the office, shutting off the lights and locking the door behind me.
What a lot of people don’t realize is that even once they’ve turned out those lights and locked that door, strangers might still be coming into their place of business.
Network Connections Are Like Doors
Just like a door, a network connection can let people into your business. If you have a firewall, your network connection probably looks more like a strong door with a mail slot. There’s a minimal amount of space open to the outside world, just to let a little bit of mail and web traffic in. Certainly not enough room for a person to fit through.
Unless that person is carrying a coat hanger. Unfold the coat hanger, reach it up to unlatch the deadbolt, pull the door handle, and now anyone can enter.
Likewise, your firewall isn’t enough to protect your network connection on its own. If there’s a vulnerability in that service you’ve exposed to the outside world through the “mail slot” – like your web server has some unpatched software, or your mail server is outdated – a person with the right tools can take advantage of that, and open up a door big enough to fit himself and all his friends inside your business.
Don’t think it’s realistic? After you finish reading this, run a quick internet search on the phrase “malware on my website”…
What About Doors You Didn’t Install?
Firewalls are an essential part of minimum viable security. Examples like this show that a firewall alone won’t protect a network. Even so, let’s assume you feel reasonably safe with your current network connections.
There are also the threats posed by network connections you don’t know about. I’m sure you’re asking, “How can I not know about a network connection? I’m paying for the only one.”
First off, there’s the threat of rogue wireless access points. We’re working with a customer whose building is built so strongly that the Wi-Fi signal doesn’t work well in every office. One employee’s solution? Buy a $30 wireless access point, connect it to the ethernet cable in the conference room, and BAM! Super-fast wireless connectivity.
While it solved his immediate problem of no connectivity, his lack of experience with security created a new problem. There was no authentication or encryption on the hotspot, and now all the sensitive traffic shared in that conference room is being broadcast to people inside and outside the building.
There’s also the more advanced threat of devices such as the Pwn Plug. Looking like an innocent power adapter, anyone from a janitor to a florist could end up delivering one to your office, and exposing your inner-most secrets to the outside world.
Make Sure Those Doors Are Locked
If network connections are like doors, then it behooves you to have as few network connections as possible, and understand the connections very well.
Here are some actions that you can take by next Friday afternoon. The first two don’t take any special IT wizardry, but the last two might require some help from your IT or Security experts.
- Do a sweep for rogue wireless hotspots in your office. There are free apps for Android-based phones and tablets that can help.
- Google your company’s IP addresses – not names – to see if they appear in unsavory lists such as places to obtain malware or illegal credit cards.
- Ensure that all openings in your firewall lead to systems and software that are up-to-date and fully patched.
- Audit your network for other unauthorized connections that aren’t expected.
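As an added illustration of the last two steps (not code from the original post), here is a small Python audit that compares what is actually on the network against an inventory you maintain: wired devices seen in the ARP cache that nobody registered, and access points that are not yours, with open (unencrypted) ones called out as in the conference-room story above. The inventory, the ARP output and the Wi-Fi scan are all constructed sample data.

```python
import re

# Constructed inventory: the MACs and access points the business knows about.
KNOWN_WIRED = {
    "00:11:22:33:44:01": "office-router",
    "00:11:22:33:44:02": "file-server",
    "00:11:22:33:44:03": "front-desk-pc",
}
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01": "Office-WiFi"}

# Constructed sample of Linux `arp -a` output taken after the office closed.
ARP_OUTPUT = """\
? (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:02 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:03 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:42 [ether] on eth0
"""

# Constructed wireless scan, one access point per line: BSSID, SSID, security.
WIFI_SCAN = """\
aa:bb:cc:00:00:01 Office-WiFi WPA2
aa:bb:cc:00:00:99 Conference-Room OPEN
"""

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def unknown_wired_devices(arp_text, known=KNOWN_WIRED):
    """Return (ip, mac) pairs that answered on the LAN but are not in the inventory."""
    found = []
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if m and m.group("mac").lower() not in known:
            found.append((m.group("ip"), m.group("mac").lower()))
    return found


def rogue_access_points(scan_text, known=KNOWN_BSSIDS):
    """Return access points whose BSSID is not in the inventory; 'open' marks
    ones with no encryption, which broadcast traffic to anyone in range."""
    rogues = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        bssid, ssid, security = parts[0].lower(), parts[1], parts[2].upper()
        if bssid not in known:
            rogues.append({"bssid": bssid, "ssid": ssid, "open": security == "OPEN"})
    return rogues


if __name__ == "__main__":
    for ip, mac in unknown_wired_devices(ARP_OUTPUT):
        print(f"unregistered device {mac} at {ip}")
    for ap in rogue_access_points(WIFI_SCAN):
        print(f"unregistered AP {ap['ssid']} ({ap['bssid']}) open={ap['open']}")
```

The ARP cache only lists devices that have exchanged traffic recently, so ping the whole subnet first to populate it, and keep the inventory under change control or the audit will drift.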
Then next Friday, you’ll be able to confidently enjoy your weekend, knowing the doors are safely locked up.
Information security is just as important to startups as it is to established businesses
Some people said it was the biggest startup to come out of Stanford since Google. After securing some seed funding from professors, and then raising $25 million in a party round, Clinkle was destined for greatness among startups. Clinkle was designed to become the payment service all of us could use to manage credit cards, banks, and cash from our smartphones.
And yet, I’m guessing the majority of this blog’s readers have never heard of them. Why could that be?
The rise comes before…
Launched in 2011, Clinkle got a lot of hype. Big names like Richard Branson and Peter Thiel, and organizations like Intuit and Intel were among the investors. They were clearly excited about something. But Clinkle has remained in stealth mode, with only a leaked video showing what they’ve been up to. If so many luminaries are excited about this, why haven’t they come out, shown the product, and started picking up customers? Instead, late last year they announced significant layoffs.
It seems, from an outsider’s perspective at least, that Clinkle isn’t taking things seriously enough. Rumors of discontent with Clinkle’s 22-year-old CEO have run rampant. It seems that they may have believed in their own hype too much, and just assumed that they would succeed.
…the security breach.
And then last week, Clinkle suffered a breach of security that is serious enough to make everyone wonder whether they will have a chance to break out of these personnel and business issues to be successful.
As reported by TechCrunch, 33 of Clinkle’s users, most of whom seem to be Clinkle employees, had their information – names, user IDs, profile photos, and phone numbers – leaked for all to see.
According to the individual who leaked the information, this was not a complicated breach. The unauthenticated user obtained the information using the app’s autocomplete capability. Since this was performed without authentication, there is no way for Clinkle to trace the user who obtained the information.
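To make the failure mode concrete, here is an added Python illustration (not Clinkle’s code, and the user records are constructed) of an autocomplete lookup written two ways: one that answers anyone with every stored field and records nothing, and one that requires a session, logs the requester so a leak can be traced, refuses very short prefixes so the directory cannot be walked letter by letter, and returns only what the UI needs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed user directory standing in for the service's database.
USERS = [
    {"id": 101, "name": "Alice Example", "phone": "+1-555-0100", "photo": "alice.jpg"},
    {"id": 102, "name": "Alan Sample", "phone": "+1-555-0101", "photo": "alan.jpg"},
    {"id": 103, "name": "Bob Specimen", "phone": "+1-555-0102", "photo": "bob.jpg"},
]


def _matches(prefix: str) -> list:
    return [u for u in USERS if u["name"].lower().startswith(prefix.lower())]


def autocomplete_leaky(prefix: str) -> list:
    """The pattern described above: no authentication, full records returned,
    and no record of who asked, so nobody can be traced afterwards."""
    return _matches(prefix)


@dataclass
class Session:
    user_id: int


AUDIT_LOG: List[dict] = []   # every query, tied to the authenticated requester
MIN_PREFIX = 3               # too short a prefix makes enumeration trivial
MAX_RESULTS = 5              # cap how much one query can reveal


def autocomplete_hardened(prefix: str, session: Optional[Session]) -> Tuple[int, list]:
    """Same feature with security designed in. Returns (http_status, results)."""
    if session is None:
        return 401, []                       # must be a logged-in user
    if len(prefix) < MIN_PREFIX:
        return 200, []                       # refuse to walk the directory
    AUDIT_LOG.append({"requester": session.user_id, "prefix": prefix})
    matches = _matches(prefix)[:MAX_RESULTS]
    # Only the fields the picker needs; phone numbers and photos stay server-side.
    return 200, [{"id": u["id"], "name": u["name"]} for u in matches]


if __name__ == "__main__":
    print("leaky:", autocomplete_leaky("a"))
    print("hardened, no session:", autocomplete_hardened("ali", None))
    print("hardened, logged in:", autocomplete_hardened("ali", Session(101)))
    print("audit trail:", AUDIT_LOG)
```

Authentication alone does not stop a registered user from enumerating names, but it does turn an anonymous leak into one with a requester to rate-limit and hold accountable.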
Impacts of the breach
How bad of a security breach is this? It’s not terrible. Most of us have our names, photos, and phone numbers plastered all over the Internet already, and so those individuals are probably no more at risk than you or I from getting our identity stolen.
However, there are two really bad things about this for Clinkle.
First, for a company that is focused on finances and payments to have any sort of breach raises the question of whether security has truly been designed into the product. If it is possible to receive information about any user of the service without even being a user myself, how many other ways can information be leaked by this system?
Second, for a company that is already going through some growing pains, having a published list of your employees can be a problem. Corporate espionage is real, and now competing businesses have a list of their targets they should befriend to learn more about what Clinkle is doing – or people to hire away to directly compete.
Startups have a lot to worry about, between funding, personnel, and creating and marketing a product. Each of those things, if not done correctly, can reduce the startup’s chances of success.
Startups also need to worry about designing security in at an early stage, especially if they are in regulated industries such as financial or healthcare. I contend that suffering a security breach before you’ve even released your product could mean certain doom for many startups.
Startups can’t afford to wait to worry about security.
What happens when your reputation comes under attack?
Recently, an article came to my attention about social networks being gamed in order to hurt the reputations of competitors and enemies.
With all the talk these days of search engine optimization, social media experts, and the “internet of things” we are looking to connect our information to as many people, and in as many ways, as possible. Have you considered the ways this might hurt you instead?
We are beginning to get a handle, as a society, on the minimum viable security that every organization needs in order to stay in business and not be destroyed by the constant noise of attacks facing us on the Internet.
But what happens when instead of facing a distributed denial of service (DDOS) attack, you face a distributed denial of social media (DDOSM) attack? When your enemies create tens of thousands of fake Twitter followers to overwhelm your social media team and distract them from the actual input of your customers?
What would happen if a thousand negative Yelp reviews, or Amazon.com reviews plagued your products or your place of business?
I’m not even talking about the well-publicized cases of Twitter accounts being hacked, causing a momentary shift of billions of dollars in the money markets, or the founder of Facebook finding links he didn’t post appearing in his feed. Those are typical attacks, whether social engineering to obtain someone’s password, or exploiting a bug in software to take advantage of the situation. Those attacks are generally, and quite simply, illegal.
Social media attacks, on the other hand, play by the rules that we’ve set. They use the connections between the followers and the followed to infect the mindset of many.
Social media and mindshare are a new type of currency that is being traded every day. What are you doing to protect yours?
Was an IT simplification tool the key to the recent Target breach?
Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues, and provides some conjecture as to how the breach may have been exercised. A part of it definitely caught my eye, because it is closely related to some of the work we get called on to do on a regular basis.
That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base (sic) BMC Software — includes administrator-level user account called “Best1_user.”
It seems in this case the attack vector may have been through this IT management software suite. On BMC’s site, I looked at what seems to be the current version of that product, and one of the benefits listed is “Reduce administration time by up to 50% – freeing up staff for IT innovation.”
IT is Already Overwhelmed
It is no secret that the typical information technology organization is overloaded and overwhelmed. Scott Adams’ Dilbert comics poked fun at this decades ago, with Mordac, the Preventer of Information Services. A Canadian graduate school study uncovered that IT employees need help handling stress… in 2007. Follow that with seven straight years of increased technology demands, flat budgets, “work smarter, not harder”, and staff reductions, and you have created a recipe for disaster.
It’s so hard for IT folks to get their day job done that automation tools have become a burgeoning market of their own. Gartner’s latest magic quadrant in this area lists 13 companies that generate at least $10M annual revenue from their automation tools. And in the wake of the Snowden affair, the NSA recently announced that it would begin the process of automating nearly 90 percent of its system administration duties.
Remain Ever Vigilant
System administration, by its very nature, requires administrative access to systems. Administrative access is what all attackers seek in order to take advantage of a system for their own purposes. So every IT automation tool that is used is essentially creating another potential opening into that system for attackers. The goal of information security professionals like me is to reduce the “attack surface” of a system, but tools like this increase it.
So, what to do?
The only possible path is vigilance, and unfortunately no solution will be perfect. However, my recommendations are as follows:
- Determine whether the increased risk to the system is worth the convenience of the IT automation tool.
- Assess the security of the IT automation tool or tools you are considering the use of, and allow security concerns to drive the purchase decision. If you aren’t convinced a tool can be secure, find a different one that can.
- Document the configuration and installation of the IT automation tool, in order to ensure it is installed in its most secure state. For example, configure it to only accept instructions that can be verified as having come from your organization.
If you have questions about how to assess the security of a piece of software, or need help figuring out the best or most secure configurations it offers, feel free to contact us.
Earlier this year, we submitted a bug to Google for the Google Authenticator app on Android. Basically, the bug we submitted is that the secret key (the private code that, when combined with an accurate source of time, creates the one-time-use codes for Google’s open-sourced two-factor authentication) is stored in the clear on Android devices. Google’s response was that this was behaving by design, and that the system controls around the filesystem are sufficient to protect this information.
We humbly disagree.
Rooted devices get around the system controls that protect these secret keys. So would any malware that performed a privilege escalation exploit. And most importantly, backups of the phone (using a tool such as Titanium Backup) contain these secret keys in the clear. (Note: Google’s built-in capability for backing up Android devices excludes this file from backups.)
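To show why a cleartext copy of that secret is as good as the phone itself, here is an added Python implementation (not Google’s or Authy’s code) of the RFC 6238 TOTP computation the app performs, using only the standard library. The secret below is the published RFC test-vector secret, and the Base32 text stands in for what an app backup or QR code carries; anyone holding it produces the same codes at the same moment.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"), Base32-encoded the
# way authenticator apps store and export secrets. Stands in for a leaked backup.
BACKUP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_backup(base32_text: str) -> bytes:
    """Decode a Base32 secret, tolerating the missing padding apps usually omit."""
    text = base32_text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the secret plus the current 30-second
    window is all that is needed to produce the code."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def clone_matches_phone(phone_secret: bytes, backup_text: str, unix_time: int) -> bool:
    """True when a secret recovered from a backup yields the phone's code."""
    return totp(secret_from_backup(backup_text), unix_time) == totp(phone_secret, unix_time)


if __name__ == "__main__":
    phone_secret = b"12345678901234567890"
    now = int(time.time())
    print("phone code now:  ", totp(phone_secret, now))
    print("code from backup:", totp(secret_from_backup(BACKUP_SECRET_B32), now))
    print("identical:", clone_matches_phone(phone_secret, BACKUP_SECRET_B32, now))
```

Because the code is a pure function of secret and time, there is nothing to revoke but the secret itself: once a backup leaks, every account enrolled with it needs a fresh secret.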
In my opinion, you don’t want these secret keys to be that easy to obtain. The easy answer would be to ensure Google Authenticator encrypted its internal database. Unfortunately, more than 1/3 of Android devices in the marketplace are running Android 2.x or older, meaning they don’t have any ability for storage encryption. Newer devices have the capability, but it is up to the individual to enable it. (Unlike the iPhone, which since iOS4 has had encrypted storage available for apps to take advantage of.)
Again showing some more innovation, Authy (see earlier post) always encrypts the secret keys in storage. As mentioned earlier, since many Android devices do not have native storage encryption, Authy had to devise their own method to do this encryption in storage. According to Authy:
Encryption is a simple AES-256 using certain parameters of your phone as a key and some secrets stored in the Authy Binary. This is not bullet-proof and we know it. A good determined attacker can break this encryption. But it was only designed to prevent someone getting access to your computer backups or simple malware stealing your data to get your keys; for that, it works great.
Authy understood that this was an important fact to consider and did what was possible to help protect the information on phones. And most impressively, they realize that it is not bullet-proof. It is meant to improve the state of the art, and decrease the chance of a leak of anyone’s secret key.
I wish that Google had decided otherwise with their Authenticator app. In the meantime, consider me an Authy user.