Security and Privacy in a Networked World/Training: Herding cats

Intro

Security can be a difficult thing to train. Humans tend to strive towards "keeping the face" and not getting into humiliating or embarrassing situations - and many security-related incidents are just that ("I still cannot believe I was that naive!"). This brings the temptation to 'brush it under the carpet' - leave the incident unreported and hope that someone else gets the rap.

In the U.S. army slang, there is an acronym known as SNAFU - Situation Normal, All ****** Up. SNAFU is based on the notion that efficient communication is only possible between more or less equal peers - as soon as one side is significantly lower/subordinate, he or she will face the temptation to present the situation in a more favourable light to avoid unpleasant reactions. At the same time, in many cases the amount of damage would remarkably depend on prompt responses - yet in a SNAFU situation, the 'higher' side does not learn about the actual situation until it is too late to respond effectively.

Training the users/employees in security awareness can help significantly reduce these factors. Yet there is a reason for mentioning cat herding in the title - cats are profound individualists who are almost impossible to herd. The same may happen with people, drastically reducing the effect of training. A good security awareness programme should result in interested and willing cooperators rather than passive, obeying subjects.

Some possible topics

Note: this is by no means a finite list - in some cases, some of them could be omitted or replaced with something new.

Generic

• We are targets - the overall awareness training should focus on the PIBKAC issues and different motives of attackers ranging from teenage pranksters to professional data thieves or Stuxnet-style 'cyberoperations'. The employees should realize that there is no one who is 'too small/unimportant' or 'too hard/smart' to be targetted.
• Social Engineering - trust as a central concept, the gradual nature of attacks (learning some non-critical information and using it to create trust and access critical data), various techniques (including the ones for bypassing physical security, e.g. tailgating or shoulder surfing).

Main technologies

• Web - while everyone will claim some knowledge of "web surfing", this area of training should contain a diverse range of issues like various browsers and their plugins, browser maintenance, HTTPS, privacy features and their limitations, detection of phishing attempts etc. Also, an important issue to cover is "What happened online, stays online" (e.g. the Wayback Machine).
• E-mail - users opening unknown attachments has been a major problem at least since the 90s. In addition to preventing that, the users should get familiar with basic concepts like incoming and outcoming mail servers, but also using TLS or SSL for more secure connection, detection of scams and social engineering attempts etc.
• Instant messaging - users should be familiar with different channels and their limitations as well as develop an alert mindset to detect possible interception and hijacking (especially spear phishing or targetted attacks).
• Social networks - users should learn about major networks and their usage for both company (e.g. marketing or sales) and personal purposes. Two specific areas to be covered could be photography (what and when to upload or not) and use in mobile devices.
• Wi-Fi - the training should cover different encryption techniques and their effectiveness (e.g. WEP vs WPA2), using free hotspots, connecting to VPN-s over Wi-Fi etc.
• Mobile devices - different operating systems, application download channels, application security, using the device in unsafe environments.
• Cloud services - main platforms and providers, main risks associated with the services.

Special groups

• IT staff - those actually in charge of technology, including administrators, developers, support/helpdesk etc. While these employees tend to be more knowledgeable about IT risks, lax attitudes towards security is a common problem (Estonians may recall the case with Eesti Telefon - it was leaked to the media that their main server's admin password was "kala" (fish)...). Training should generally focus on actual examples and be clearly connected to the security policies present.
• Higher management - can be especially difficult to train due to their limited time resources and sometimes also mixed attitudes (reluctant to learn, feeling being 'above the law' etc). Should especially focus on social engineering, mobile/travel/cloud and data security, but also reach adequate knowledge of common applications usage (e.g. e-mail). Also, clear connections to security policies and stressing their universality (i.e. everyone must comply) may help.
• Service staff (janitors, drivers, couriers etc) - a major target for social engineers, therefore the training must focus on recognizing and neutralizing SE-based attacks. However, with training these people can be valuable in countering threats due to their mobility and "low profile" image ("just a janitor - he is supposed to be there").

Environment

• Physical security - doors and locks, but also ID-s, keycards, codes and their proper usage. Especially needed for flexi-workers, contractors, IT staff and management who may need to be present at irregular times.
• BYOD and teleworking - everyone using their own devices puts an extra workload to the IT staff, but this can be held in check with good planning and training. Telework means for the company no physical control over the employee's workplace - and the same device will be connected to the protected (and trusted!) company networks during the day and possibly to some unsafe ones during the off hours (the issue is known as the end node problem). As with other aspects of security, the weakest link is what counts - among the diverse array of devices, just one teleworker still using Windows XP may be enough for a serious breach.
• Protecting home - connected to the previous point, but additional factors include devices shared with family members with varying levels of security consciousness, online safety for children, controlling one's online habits etc. Depending on the position of the employee, targetting his/her home and family may also result in direct threats to employer.
• Travelling abroad - in the age of public wireless and mobile roaming networks, many travelling employees (usually from management, marketing or sales) would also work from abroad. Besides being aware of generic mobile device, services and network security, care must also be taken regarding various local regulations and possible interception (especially in places where government has a history of snooping, e.g. Russia or China).

Other areas

• Access control - while mostly about passwords and PINs, the training should also cover other measures like certificate-based access.
• Data security - creation, maintenance and safe disposal, both in physical and electronic form (e.g. shredding old paper documents vs securely formatting old hard disks).
• Malware - even if the actual removal is done by IT staff or third parties, it is useful to include the topic in the training - it can relieve groundless fears ("can the computer virus infect me too?") and promote adequate responses. On the other hand, some basic countermeasures should be taught for e.g. mobile computing, BYOD, travels etc when there is no immediate assistance available.
• Threats from inside - depending on the organization and its structure, attacks from inside (whether the attacker is the initiator or just an agent for an outside force) can be a serious problem. The coverage could range from technical (e.g. configuring the network with users considered a priori hostile) to organizational (e.g. tracking work regimen or contacts) measures.
• Children online - some organizations (e.g. schools and kindergartens) deal directly with children and also let them online 'in-house', others will have more indirect influences (most of all BYOD and teleworkers, but sometimes also visiting families).
• Incident response and damage control - the users should be trained how to react when something has happened, including avoiding SNAFU and assuming active roles in the response. It is important to support the training with actual policies that reward active responses and acquit for honest mistakes.

Additional reading and links

• MANKE, Samantha, WINKLER, Ira. The Habits of Highly Successful Security

Awareness Programs: A Cross-Company Comparison. http://www.securementem.com/wp-content/uploads/2013/07/Habits_white_paper.pdf

• O'DONNELL, Andy. How to Create a Security Awareness Training Program. http://www.csoonline.com/category/security-awareness/
• SCHNEIER, Bruce. Security Awareness Training. https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
• IT security awareness training tutorial: Employee compliance education. SearchSecurity.co.uk. http://www.computerweekly.com/tutorial/IT-security-awareness-training-tutorial-Employee-compliance-education
• SANS security awareness presentations. http://www.securingthehuman.org/resources/presentations
• Security Awareness @ CSO. http://www.csoonline.com/category/security-awareness/

Study and Blog

• Pick a topic above (e.g. passwords or social networks) and write a short awareness training programme for your colleagues (those who do not work may use a fictional company).