Securosis

Research

Security Awareness Training Evolution: Why Bother Training Users?

It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why they matter. It is not much different than your parents telling you that you cannot do something “because we said so.” But regardless of the specific situation, security awareness training occurs for a few reasons, some more productive (and strategic) than others: Limit Corporate Liability: If an organization doesn’t make very clear to employees what they can and cannot do using corporate technology assets, they cannot terminate employees for doing the wrong thing. Too much of today’s awareness training content is built as a warning to justify termination. This kind of training is built by lawyers expressly to enable them to prosecute employees if needed. That gives you a warm and fuzzy feeling, doesn’t it? Compliance Mandate: This is in play in many government organizations, who are expected to follow NIST 800-50 to comply with FISMA and build a security training program. We applaud the mandate – we all know it wouldn’t happen otherwise. But compliance requirements rarely create sufficient urgency to excel or address the original goals behind the regulation. Protect Information: Before our cynicism gets the best of us, some organizations perform security awareness training to actually train employees about security. Imagine that. In this case they need to know what not to click and why. They need to learn who to call when they think something is wrong. How to protect their mobile devices, which increasingly contain sensitive data and access. This content is typically built by the security team (or under their watch). If your current awareness program is controlled by Human Resources with a heavy influence from the General Counsel, you have some work to do. If you are in charge of an awareness training program, at least you can roll out some content to achieve your objectives. That doesn’t mean you understand the latest and greatest training techniques. Nor does it mean you actually have the time to build effective training materials. But at least you can make some decisions about the training program, and that’s a start. So we are excited to start a new blog series: “Security Awareness Training Evolution.” Adversaries have gotten better, so you need to prepare employees more effectively to be the first line of defense. Obviously they are an imperfect line of defense, but a human control is better than no control at all. As with all our blog series, we will write this one using our Totally Transparent Research methodology, which means we will post everything to the blog first and let you have an opportunity to provide feedback to make sure we are on target. Before we get started, we would like to thank the fine folks at PhishMe for potentially licensing the paper when we finish. We use the term ‘potentially’ because with our research process there is no commitment on either side until the research is done. That allows us to write what needs to be written, and for each licensee to verify that the content meets their needs (objectively, of course) before they actually license anything. Pragmatic Security Training It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as training remains. The main argument against security training is that it doesn’t work. That’s just not true. But honestly it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care, but they do bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. You need to accept that those folks will do what they want and you will clean it up. You also need to realize that some of your employees will be targeted by advanced attackers. No amount of security training will protect them if they are targeted. To clean that up you will need some-high end forensics, and if that’s in play you probably should consult our CISO’s Guide to Advanced Attackers. Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be impacted and influenced by better training content, wouldn’t it make your life easier if you didn’t have to clean up after them too? Obviously it depends on the organization, but we have seen training reduce the amount of time spent cleaning up easily avoidable mistakes. Yet, far too many organizations lose interest when they don’t see immediate results. Like any program, security awareness training requires patience and persistence. This is covered in Mike’s Pragmatic CSO book. Here is an excerpt on this point: The easiest thing to do regarding security awareness is to give up. Most organizations (and CSOs) are impatient. It’s hard to make a consistent effort when it is not clear that progress is being made. There really is a “tipping point” in security awareness, and until you get there, it’s hard to justify the time and investment required by the program. Thus the most critical success factor for security awareness is CONSISTENCY and PERSEVERANCE. It takes months and years of consistent effort to make security awareness second nature. Your employees have to overcome years of bad habits, like opening attachments and clicking links in emails. What’s Broken? How hard could it be to teach folks what not to do? You

Share:
Read Post

Incite 10/2/2013: Shutdown

17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other thing. In fact, until this latest shutdown because a possibility, I didn’t even remember it happened in the first place. 17 years later, in my mind that shutdown was an inconsequential footnote in history that I needed to look up on Wikipedia to even remember it happened. I suspect we will see the same outcome this time. 17 years from now I doubt I’ll even remember how this group of politicians fought over funding this, that, or the other thing. The more things change, the more the stay the same. Negotiating deadlines are blown, activities are impacted, and people (a lot of people) aren’t working today because these folks can’t find the middle ground. But they’ll work it out. They always do. The last time the shutdown lasted for a total of 28 days. Maybe this one will be shorter. Maybe longer. The only thing I know for sure is that it will be more visible. With social media, you’ll be seeing tweets from folks out of work and Facebook blasts talking about how they are right and the opposition is wrong. So even though it’s the same, it will feel worse because we will see much more of it. That’s just the way things go down nowadays. We know how this movie ends. At some point they will make a compromise. Both sides will claim victory. Everyone will get back to work. Programs will be funded. Money will be squandered. Life will go on. Which is why it’s hard for me to get fired up about this stuff any more. The system is broken, but it’s the one we have. My efforts are far better spent worrying about the things I can control, and the idiotic machinations in Washington just aren’t on that list. So shutdown all you like. I have writing to do. –Mike Photo credit: “Anarchist computer” originally uploaded by Michael Bingaman Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Against Application Denial of Service Introduction Firewall Management Essentials Quick Wins Managing Access Risk Optimizing Rules Change Management Introduction Newly Published Papers Continuous Security Monitoring API Gateways Threat Intelligence for Ecosystem Risk Management Dealing with Database Denial of Service Identity and Access Management for Cloud Services The 2014 Endpoint Security Buyer’s Guide The CISO’s Guide to Advanced Attackers Incite 4 U Distributing workloads won’t fill the gap: No, this isn’t my attempt to infringe on Rich’s cloud security coverage. I am talking about the significant security skills gap. In my CISO Roundtables at the IANS Forums this year, a very consistent theme has been the challenges of staffing. From finding qualified folks, to retaining the good ones, to keeping pace with technology… most CISOs spend a large (and increasing) portion of their time dealing with these softer personnel issues. After spending a day with HR, a firewall console probably never looked so good. Michael Santarcangelo explains in his CSO blog how believes that distributing the workload among operational groups is the answer. He even said: “We don’t need more security professionals.” Uh, WTF? That’s dead wrong. I’m not saying we don’t need help, or that we don’t need the rest of the organization to become more security aware. But they have no real incentive to be secure. So over the long run, they won’t. Period. We clearly don’t have enough skills internally to even work with the ops groups and business folks to help them become more secure. So there is a skills gap, and it’s serious – and no amount of internal redistribution is going to solve it. – MR MS RAMPing up: For those who don’t know, FedRAMP is the US government’s way of setting up a security baseline for cloud providers. While every agency (well, the ones still in business) needs to still meet its own requirements, FedRAMP is an assessment baseline they can leverage to reduce their overhead. So not every agency needs to deeply audit each cloud provider. Like most cloud security certifications, FedRAMP says the cloud meets a baseline, so you can focus on the bits you deploy above that. Microsoft Azure was just granted its FedRAMP certification (Okay, it isn’t a certification per se, but close enough). Microsoft is the first cloud service to get the sign off-from the Joint Assessment Board (DoD, DHS, and GSA), while Amazon has theirs from HHS and a third party assessor. Why do you care? Even if you aren’t a Fed (and you aren’t, because they aren’t allowed on the Internet right now for no apparent reason), FedRAMP, especially from the JAB, is a decent security baseline. It doesn’t mean you are ‘secure’ on that cloud, but it sure is a nice additional assurance. – RM Better memory: Oracle’s big announcement at OOW 2013 was an in-memory database option. With a single configuration change and a metric crapton of DRAM, you basically can run the database in memory. What does that have to do with security, you wonder? Absolutely nothing. This really does not change any threats to the database, to answer a question a couple of you have asked me this week. But what’s most interesting is that the database loads data into memory as columnar and row stores, and

Share:
Read Post

IE Zero Day Getting Serious

A vulnerability in Internet Explorer has been known and unpatched for two weeks. According to ThreatPost, an exploit module is now in Metasploit, and real attacks are growing. Better deploy the FixIt tool if you don’t have some other way of blocking exploits. But I’m probably screwed, because I can’t get that mitigation to run on my Mac. Share:

Share:
Read Post

The Gartner Tax and Magic Quadrants

I haven’t worked at Gartner for over six years now, so I’m not surprised that many people still think vendors can pay to move up the rankings in a Magic Quadrant. I mean, just look at them. Big vendors almost always show up in the top left or right, so they have to be paying for play. Vendors can’t buy Magic Quadrant ratings. Let me say it again: vendors cannot directly buy MQ ratings. I don’t expect to change any minds here, but that isn’t how it works. Not that money can’t influence the process, which I will get into. Analysts are totally walled off from the financial side of Gartner. They are not compensated, at all, based on how much a vendor spends. Many analysts have a very negative view of the vendor community, which can actually be destructive. It doesn’t matter how much a vendor spends – the analyst makes the same. In the seven years I was there I never saw management ask an analyst to adjust an MQ because a new client spent more money. Really, the anti-vendor attitude is so deep that an analyst is more likely to reduce a rating if a vendor tries to play those games. There used to be a loophole. Analysts used to get paid more for participating on strategy days with vendors. Some unscrupulous analysts effectively used blackmail to get vendors to buy more days. Gartner cut that off around the time I became an analyst, sometime around 2001 I think. It pissed off some analysts who were basically doubling their salary with strategy days. Today, all a strategy day does is keep an analyst away from their family – they don’t get paid more. However. Gartner clients get to talk with the analysts more. Anyone can brief an analyst once a quarter or so, but paying clients get longer calls, more frequently. Strategy days mean the vendor gets face time with the analyst and can build a personal relationship (there are guidelines limiting gifts, meals, and such to reduce influence there). This can subtly influence an analyst over time, even though it isn’t explicit buying. Smart vendors can do much the same thing without spending a dime, because most analysts don’t care about contract value, but paying up can definitely be used as an advantage. So why do all the big companies score better, especially in ability to execute? Because, in many MQs, that’s where a larger, more mature organization will almost always score better. They have mature sales, marketing, and channel programs. Bigger support teams. The ability to support larger clients. As much as we slam them for inefficiency all the time, you can throw enough bodies at certain problems to make them go away. It doesn’t mean the product executes or performs better, but that the company has accountants. That’s why startups tend to do much better on vision (since they, you know, actually innovate). One of my weirdest post-Gartner experiences was helping some vendors work through the MQ process. All I really did was help them figure out what the analysts wanted (honest answers) and how to avoid getting into trouble (legal threats if your dot moved 3mm, which happens). I even warned them away from trying to schedule strategy days too close to an MQ, which could be seen as trying to cheat. I wouldn’t say it is a perfect process. And there is a reason Securosis will never engage in vendor comparison research like an MQ, but money doesn’t directly buy results. I have no skin in this game (not even stock) and have been out for a long time, so take it as you will. But if you are an analyst reading this, don’t think for an instant that vendors aren’t trying to influence you every second of every day, and there’s a reason they call it the “Gartner Tax”. Share:

Share:
Read Post

The Goof Excuse

Another day, another breach – that’s not novel. A bunch of personal information (including driver’s license numbers) was stolen from Virginia Tech. But having the organization own up to the fact that the breach resulted from a human error is uncommon. Of the 144,963 individuals affected, only 16,642 provided their driver’s license numbers. According to school officials, the breach was a result of “human error” involving compliance protocols when dealing with the personal data. A forensic investigation into the issue revealed that the information was “partly” accessed through a Virginia Tech server in Italy. “The issue here is that someone on our staff goofed,” Larry Hincker, associate vice president for University Relations, said. Kudos to these folks for not blaming a super-sophisticated attack or the APT or any other way to skirt responsibility. They screwed up and lost data. It is also a reminder about the downside of poor security and IT operations. Photo credit: “Professional Strength [GOOF OFF]” originally uploaded by Chapendra Share:

Share:
Read Post

Not the Rut You Think

Over at Network World Anton Gondalves wrote Security industry in ‘rut,’ struggling to keep up with cybercriminals: Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards. Meh. In many cases the technologies are already here, or deep into development. The problem isn’t a lack of innovation, but that people keep spending money on the same old crap. That’s a different kind of rut. Besides, no matter what we do, the bad guys will keep innovating around it, as they have been for thousands of years. There are a couple good bits deeper in the article, including: On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them. That is a big one, and worthy of a separate article. Share:

Share:
Read Post

Summary Haiku

Hurt back yesterday Too much pain to write much now Haiku easier And don’t forget to sign up for our Black Hat cloud security training in December! On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike’s Dark Reading article on Shiny and New. Rich’s Touch ID and Secure Enclave article was picked up by Daring Fireball, AllThingsD, and who knows where else. Dave Lewis at CSO: Stuffing The Social Media Genie Back In Favorite Securosis Posts Adrian Lane: Investigating Touch ID and the Secure Enclave. Really good analysis from Rich on the security implementation of Touch ID on the iPhone 5s. But I’m not buying the ‘article’ angle – he just wanted a cool new toy! Mike Rothman: Cybercrime at the Speed of Light. Everything can (and will) be gamed. Everything. Gal Shpantzer: API Gateways. Especially because it made @beaker jealous. Rich: Keep Calm and Bust out the Tinfoil Hat. Mike is supposed to be an engineer, not a history major. But this is exactly what I have been thinking. Plus, every other country is doing the same thing to the best of their ability. Other Securosis Posts Continuous Security Monitoring [New Paper]. Data brokers and background checks are a massive security vulnerability. Walled Garden Fail. Incite 9/25/2013: Road Trip. Firewall Management Essentials: Quick Wins. A Quick Response on the Great Touch ID Spoof. Favorite Outside Posts Adrian Lane: Meet the machines that steal your phone’s data. Interesting to see professional eavesdropping devices for mainstream law enforcement. Nothing state of the art, but it allows Officer Barbrady to jack a cell tower. Still, before Snowden nobody cared about this stuff. Mike Rothman: Apple’s Fingerprint ID May Mean You Can’t “Take the Fifth”. We’re entering (yet) another new age, when the legal system is nowhere near keeping pace with technological innovation. Interesting thoughts from Marcia Hoffman about the legal question of whether you can be compelled to unlock your phone (with presumably damning evidence on there) because biometrics are not protected under the 5th Amendment, while passwords would be. Rich: A TED talk by master pickpocket Apollo Robbins. This is more entertainment than learning (as are most TED talks), but damn. You may think you understand the limits of your perception, but you don’t. The last line is the real kicker. Dave Lewis: London schoolboy secretly arrested over ‘world’s biggest cyber attack’ Gal Shpantzer: Yahoo recycled email accounts may contain emails destined to old account owner. No matter how they try to talk this up, or what they do to recover, this is a mess. Research Reports and Presentations Continuous Security Monitoring. API Gateways: Where Security Enables Innovation. Identity and Access Management for Cloud Services. Dealing with Database Denial of Service. The 2014 Endpoint Security Buyer’s Guide. The CISO’s Guide to Advanced Attackers. Defending Cloud Data with Infrastructure Encryption. Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment. Quick Wins with Website Protection Services. Email-based Threat Intelligence: To Catch a Phish. Top News and Posts Chaos Computer Club breaks Apple Touch ID. A Survey of the State of Secure Application Development Processes. Just downloaded a copy. Review forthcoming. TouchID defeated: what does it mean? New CA law will let minors digitally erase their past. ‘Mr Big’ of UK cyber-crime among gang of eight arrested over £1.3million Barclays computer hijack plot in carbon copy of Santander scam Blog Comment of the Week This week’s best comment goes to Gunnar, in response to Cybercrime at the Speed of Light. HFT is about trading, not investing. Traders buy and sell every second of every day. Investors have multi year time horizons. That’s how ordinary should approach it, long term, buy and hold investment not as traders. These events which continue to happen on a more regular basis and show no signs of stopping, are worrisome, for traders. They can bankrupt themselves with their own algorithms, as one of the biggest Knight Capital did last year http://www.forbes.com/sites/halahtouryalai/2012/08/06/knight-capital-the-ideal-way-to-screw-up-on-wall-street/ Share:

Share:
Read Post

Continuous Security Monitoring [New Paper]

Continuous Monitoring has become an overused and overhyped term in security circles, driven by US Government mandate (now called Continuous Diagnostics and Mitigation). But that doesn’t change the fact that monitoring needs to be a cornerstone of your security program, within the context of a risk-based paradigm. So your pals at Securosis did their best to document how you should think about Continuous Security Monitoring and how to get there. Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment. This makes sense given the speed that attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (including both technology and process) to implement our definition of Continuous Security Monitoring (CSM) to monitor your information assets to meet a variety of needs in your organization. We discuss what CSM is, how to do it, and the most applicable use cases we have seen in the real world. We end with a step-by-step list of things to do for each use case to make sure your heads don’t explode trying to move forward with a monitoring initiative. We are indebted to all our licensees for supporting our research and broadening our reach, including Qualys, Tenable Network Security, and Tripwire. We don’t expect you to rebalance security spending between protection and detection overnight, but by systematically moving forward with security monitoring and implementing additional use cases over time, you can balance the scales and give yourself a fighting chance to figure out you have been owned – before it’s too late. Check out the landing page in our Research Library or download the paper directly: Continuous Security Monitoring (PDF) Share:

Share:
Read Post

Cybercrime at the Speed of Light

A few years ago our very own James Arlen presented at Black Hat on the security risks of high-speed trading. Today I read in The Verge: Last week’s Federal Reserve announcement made big waves on Wall Street, sending markets skyrocketing and financial organizations scrambling to spread the news – but a new report raises concerns that some were spreading it faster than they should have. The high-speed trading experts at Nanex say they saw simultaneous reactions in both Washington D.C. and Chicago, when the news should have taken at least three milliseconds to travel the 600 miles from the Federal Reserve Building to the Chicago’s commodities exchanges. I await Gunnar’s response, but it seems to me that ordinary people have little chance of surviving the markets as computers take over ‘our’ economy. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.