In case you were not aware, October is National Cyber Security Awareness Month, an initiative designed to “engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity.”
In a perfect world, we would not stress this awareness for one month only. Awareness should be a constant, ongoing effort. However, since the DHS is making this a point of emphasis, why don’t we use this opportunity to focus on an a Security Awareness Program.
I know. The standard response to “Awareness” is blah blah train employees blah blah security policy.
After 29 years of saying it, even I am tired. I have written about Security Awareness here before. But, that doesn’t mean we’re done with it. I once asked a client about their Security Awareness program and their response was to tell me where the Security Policy was on their Intranet. This was akin to asking him what his favorite color was and him responding, “42”. Yet, I am pretty sure he didn’t get the disconnect. You might be able to guess the content of one of the recommendations in his assessment report.
By now, we should all see the value of an awareness program. I have talked for years about the concepts of hard security versus soft security. Hard security includes firewalls, IPS, IDS, vulnerabilities – all of the technical controls that you use to manage risk in your environment. Soft security is essentially the way we create a firewall analogue for a person – the way we help a person manage risk. We are not going to solve every security-relevant problem in your environment with awareness training.
Information security awareness training is simply one more tool to ensure that people are correctly managing risk. We make them smarter about security, and maybe a little more paranoid. Security Awareness Training should include your security policy, but to be effective it should not be just about the policy. We now need to include extra things in our awareness program. If you have compliance requirements, you should be including those in your awareness program. HITECH requires that you teach employees proper handling procedures for PHI (Protected Health Information). On top of that, we need to teach people what “Security” means to the organization. What things does your organization need people to pay attention to?
For a reference point, I asked my college-aged daughters what they thought was important about information security awareness. Their first answer was “huh?” I did not explain much other than to mention that October was Cybersecurity Awareness Month and asked them what they would say if they were interviewing for an article on security awareness (sneaky, eh?). I think I ended up with three very good answers:
1. “Those stupid banking emails.”
2. “Hackers.”
3. “Passwords.”
Those Stupid Banking Emails
They didn’t actually mean “banking emails”; they meant phishing emails that look like banking emails. The ones that look like they are from your bank but are actually from a .lt site trying to get you to click on their link to login and “fix” some kind of error in your account. These actually link to blackhole, try to steal your username and password, or attempt something else nefarious.
I felt pretty proud that my daughter stopped one of her friends who was entering her checking account and routing number into an online web-form to claim the “winnings” of which she was notified in a phishing email. After my daughter mocked her like a Frenchman in Monty Python and the Holy Grail, she showed her friend how to hover over the link and see that it actually went to a .cn domain, and NOT to her US-based bank (when her friend retold the story I was so proud it brought a tear to my eye).
Identifying and stopping phishing emails continues to be a big challenge. I recently heard of a company where the employee list was exposed, and literally every employee received multiple versions of phishing emails. If the company received 30,000 phishing emails, how many do you think got opened and followed, resulting in the exposure to some form of nastiness? If only 1% of incoming phishing email was opened it was 300 emails. How would you feel if you had 300 compromised computers in your network?
Your awareness program should include tutorials on how to identify phishing emails, and what to do with them when you receive them. I wrote an earlier article on identifying phishing emails that you can read here.
I have actually gotten to the point that when I see an email from any bank I assume it is a phishing email until proven differently. I suspect it is only a matter of time that I will expect every email to be suspicious.
Hackers
Besides the phishing emails, one of my daughters said “Hackers”. She had a hard time putting that into words other than starting with the same people who send phishing emails. She explained that she thinks that hackers attack companies, and go after people as a way to get to companies. Almost as an afterthought she said that they might go after her bank information. (But, she is a college student with no money and no credit card, so…) She eventually added five controls that she thought were important to help protect her from “hackers”.
1. “Update your security software.” By this she meant her anti-virus, anti-malware software. I smiled a little inside when it never occurred to her that you might not have “security software.” In context of your awareness program, this is probably only a matter or leaving it alone.
2. “Windows Update.” ‘nuff said.
3. “Backups.” I was surprised at this until she explained, “Nothing sucks more than finishing a 30 page term-paper then having your computer crash without a backup.” I think her analysis was pretty appropriate. The voice of experience. (And, no, the Professor did not give her time to redo the assignment.) How your awareness program addresses this highly depends on how your organization supports backups. In the past I worked for an organization with no remote backup capabilities. If you wanted a backup it was completely your responsibility to copy your work onto the servers, which were backed up. But, if you do something that requires ANY action from employees, it better be in your awareness program.
4. “Don’t do stupid stuff.” I asked her about this, and while she was a little vague, her general response seemed to indicate that she felt you should not browse porn. The “porn” part is easy, but I really have no suggestions for how you teach people specifically to not do stupid stuff, but that is kind of the whole point of a security awareness program – to help make sure people don’t do “stupid stuff”.
5. “Hope the hackers find someone else.” I am not sure I have a high amount of agreement with a security control that starts with the word “Hope”. I think this includes a measure of “there are no Atheists in foxholes”. Maybe with the morale of this story thrown in:
As two guys are fishing, a giant grizzly bear roars and charges out of the woods. The two guys turn and run, with one of them struggling to put on his tennis shoes as he does so. The second guy says “Bill, you are not going to be faster than that bear.” As he hops along Bill replies, “I don’t have to be faster than the bear, just faster than you.”
Passwords
Their issue with passwords was mostly to use passwords, and not use stupid ones (that “stupid” word came up a lot). So, no “password”, no “qwertyui”, no “abcd1234”. My one daughter actually had lots of “bad” password rules, and even mentioned a friend whose Facebook password was “facebook”. Additionally, don’t re-use the same password on other sites (well, in fairness, my one daughter said “too many other sites”). Don’t use your school or work password at home and visa versa. Beyond that, if we think about what your awareness program should say, standard password rules apply – construct good, strong, easy to remember passwords. But, again, whatever you use for passwords should be covered pretty explicitly in your awareness program.
That is an expansion on the view of two college students after I have practically beat “security” and “privacy” into their heads for years. So, take two (mostly) normal kids, who, of course, always listen to everything their parents say. I mean, we all know every teenager thinks that their parents are full of sage advice (well, full of something…).
The point here is that if I can train my two (non-technical) daughters to be able to walk the Cybersecurity walk, then training adult professionals should not be difficult.
Related: Security Awareness Training: It’s The Psychology, Stupid!
