Awareness and Education

History of Malware

Posted in Awareness and Education on January 5th, 2012 by Paul

The history of viruses.  Pretty cool actually to look back at where we’ve been and the advances made in nefarious code. Courtesy of Bitdefender.

New Dog…. Old Tricks

Posted in Awareness and Education, Should Have Known Better on September 17th, 2011 by Paul

Funny how the anonymous nature of the Internet continues to mock us all. Back on September 8th, a fake FBI profile was distributed via Twitter, as shown in a recent post on Naked Security: “Fake FBI Anonymous psychological profile – a lesson to all Internet users”.

It takes me back to an old New Yorker cartoon that ran when the Internet was still an infant.  Enjoying the nostalgia.

[Cartoon image: Creative Commons License – Ben Larson]

Photo credit: Ben Larson

Layered Endpoint Security

Posted in Awareness and Education, Business and Security on April 13th, 2011 by Paul

I love this conversation:

“Is your workstation protected?”

“Of course, I have anti-virus installed.”

While anti-virus products are one piece of protecting your workstation, they aren’t enough. Most AV products do a poor job of detecting new malware. AV does better over time at protecting against old malware that happens to still be floating around, IF (and a big “if” at that) signatures are updated frequently.

So what else is needed?

Single technologies can fail.  Think in layers when it comes to comprehensive security.  Here are a few considerations:

  1. The bad guys have figured out that the quickest way to get to your computer is through 3rd party applications that are vulnerable and out of date. Adobe seems to have taken Microsoft’s place as the malware whipping boy. So, consider extending your patch management program beyond the operating system and common productivity suites like Office to include all applications that reside on business workstations.
  2. Remove, where possible, local Administrator rights for users.  Most don’t need it.  Malware loves it.
  3. Managing your endpoints and the software that can be installed helps control the “rogue” software that tends to magically appear on workstations.  If it’s needed for business then there is no reason it can’t be managed appropriately.  Application whitelisting tools may help here.
  4. Consider host IPS and other features that come with suites of anti-malware products.  Tie them in with a central logging environment or management console.
  5. Consider virtualizing the browser application to confine drive-by infections.
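
As an added example that is not part of the original post, here is a PowerShell audit of three of the layers above on a single Windows workstation: who holds local Administrator rights (item 2), whether an AppLocker whitelisting policy is actually enforced (item 3), and an inventory of third-party applications to compare against the patch management program (item 1). It assumes PowerShell 5.1 or later and the AppLocker cmdlets being present; the function names are my own.

```powershell
# Added example, not from the original post. Audits a Windows workstation for
# three of the layers listed above. Assumes PowerShell 5.1+ (Get-LocalGroupMember)
# and the AppLocker module (Get-AppLockerPolicy); function names are my own.

function Get-LocalAdminMembers {
    # Layer 2: who actually holds local Administrator rights on this machine.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-AppLockerEnforced {
    # Layer 3: true when at least one AppLocker rule collection is enforced in
    # the effective policy. The XML form is inspected because its shape
    # (<AppLockerPolicy><RuleCollection EnforcementMode=...>) is stable.
    try {
        $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    } catch {
        return $false   # AppLocker cmdlets missing (e.g. Home editions) = not enforced
    }
    $enforced = ([xml]$xml).AppLockerPolicy.RuleCollection |
        Where-Object { $_.EnforcementMode -eq 'Enabled' }
    return [bool]$enforced
}

function Get-ThirdPartyApps {
    # Layer 1: inventory non-Microsoft software from both uninstall hives so
    # it can be compared against what the patch management program covers.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.Publisher -notmatch '^Microsoft' } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

# Summary report: an unexpected admin, an unenforced policy, or an application
# nobody is patching is a gap in one of the layers.
$apps = Get-ThirdPartyApps
[pscustomobject]@{
    LocalAdmins       = (Get-LocalAdminMembers).Name -join ', '
    AppLockerEnforced = Test-AppLockerEnforced
    ThirdPartyApps    = @($apps).Count
} | Format-List
$apps | Format-Table -AutoSize
```

Run it in an elevated session, since the Administrators group and the HKLM uninstall keys may not be fully readable otherwise.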


“Addicted to Click” and Supporting the Habit

Posted in Awareness and Education, Business and Security on February 25th, 2011 by Paul

Anup Ghosh wrote in his SC Magazine article titled “Unwitting accomplices and complicit security teams”:

Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.

How true!  What Ghosh refers to as castles and moats I call the Cyber Maginot Line.  The over-reliance on simple perimeter defenses ignores the shift of focus that attackers have made to user behavior.  While not as sexy as the “hack” seen in movies, it is simply easier to just ask.  Many users will oblige with information or are easily convinced to click on an official-looking link in an e-mail.  Most are “addicted to click”.

While I agree with Ghosh that the philosophy of “users should know better” is not a strategy, awareness IS a component of an overall security strategy.  The problem is, many companies use hour-long presentations on policy in hopes of convincing users to change their behavior.  Good luck with that.  A series of 5-minute videos over the course of a year is much more effective.  The goal isn’t to “train” people.  It’s to raise the level of awareness.  If an employee gets an “aha” moment and reports strange behavior or decides not to click on a link, mission accomplished.  If it helps them keep their home computer safe, all the better for everybody.  But again, it’s a small piece and can’t be relied on to adequately protect an organization.

That said, implementing technology that makes users’ “mistakes irrelevant” is absolutely a good approach, AND the technology to do that exists while continuing to be refined.  Ghosh’s suggestion to isolate the desktop from web browsing would be a significant step in the right direction.  The threatscape continues to evolve and we need to be agile in our defense.  That includes protecting our users from themselves by not enabling their “click habit”.

Remember when….

Posted in Awareness and Education, Business and Security on January 21st, 2011 by Paul

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad – Confidentiality, Integrity, and Availability – when I hit a roadblock.  The Director at the time said “Availability isn’t a security issue at all… you don’t know what you’re talking about.”  Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing resources needed to do their job.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line, but I didn’t have the skills at the time to counter her argument.  Security remained an “other duties as assigned” function for the rest of my tenure there.

Revisiting with the organization after 18 years I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is after 18 years, I will still come across similar failures in understanding.  For instance, at one organization their primary servers filled with customer data, including personally identifying information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure”.   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway”.

Examples like this continue to plague the information security field.  Is this an executive problem or a problem with CISOs not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms that are used in other business disciplines, in 18 years we’ll be hearing the same stories repeated by the next generation of security professionals.

Less “Aware” Consumers are Bigger Phishing Targets

Posted in Awareness and Education on January 4th, 2011 by Paul

It should come as no surprise that, with the proliferation of mobile devices (Blackberry, Android, iPhone), phishing attacks have also gone mobile.  From an article at Help Net Security, “Mobile users more vulnerable to phishing attacks”, log files from a compromised web server hosting phishing web sites revealed these interesting tidbits:

1. Mobile users (Blackberry, Android, iPhone) are three times more likely to submit their login info than desktop users.

2. Eight times more iPhone users accessed these phishing websites than Blackberry users.

This shouldn’t be a surprise to anybody.  Individuals have grown accustomed to getting information on the go.   It’s simple to click on a link within an e-mail on your mobile device and be taken to a website.  This site can be legitimate or it could be serving up malware or asking for sensitive information.

I’m equally not surprised by the fact that, by a large margin, more iPhone users are going to phishing sites than Blackberry users.  Even though Blackberry users still beat iPhones in market share, they tend to be more business driven, while iPhones are widely consumer driven devices.  While certainly not validated, I agree with the reasonable assumption in the article that business users tend to be more “security aware” than the average consumer and are less likely to fall for “phishing” scams.

Since “awareness” is a good defense against phishing scams, who is positioned to provide it?  Should providers of consumer devices such as the iPhone and Android also be providing awareness information since their devices are now much more than phones?

Accountability Links Behavior and Outcomes

Posted in Awareness and Education, Business and Security on November 30th, 2010 by Paul

It amazes me that I still hear executive level IT people say that information security is a technology problem.  Sure, technology has a vital role in the building blocks of a solid information security program but even the best technology can be circumvented by unknowing or malicious people.  Getting people to understand their role in protecting a customer’s information or heck, even their own, continues to be a challenge.

In a recent CSO Online article, “Security Awareness: Helping employees really ‘get’ company policy”, security consultant Michael Santarcangelo explained the problem in the most succinct way I’ve seen.

When people are disconnected from the consequences of their actions, they do not take responsibility and are not held accountable, he said.

The link between behavior and outcomes is accountability.  Unfortunately, it seems as though most awareness programs stop with the behavior and potential outcome duo, leaving out the accountability piece of the triad.  That is, awareness programs will list out the unacceptable behaviors and highlight the potential financial and reputation costs for the organization but fail to link that back to individual accountability of staff members.

Once you have established that everyone plays a role in protecting sensitive information and clearly set the expectation for behavior, it MUST be followed up with accountability.  It’s not “mean” to enforce policy AS LONG as the expectation for proper behavior is established and well communicated to all staff.   There should be consequences for those engaging in behaviors that place an organization and its customers at risk as long as everyone knows the behaviors and the consequences up front.

Education and awareness loses to the exploitability of humans

Posted in Awareness and Education on September 10th, 2010 by Paul

The recent VBMania virus (Trojan Horse) is simple proof that education and awareness programs are not sufficient to overcome human curiosity and stupidity.  For years computer users have heard the same message: “Don’t open attachments or click on links in unsolicited e-mails.”  Yet, they still do!

Yesterday’s simple spam attack infected servers at ABC, NASA, and likely other federal agencies, and clearly shows that the message delivered ad nauseam has essentially fallen on deaf ears.  This unfortunate impact to services was caused by the three biggest risks in information security: man, woman and child.

Two things are infinite:  the universe and human stupidity; and I’m not sure about the universe.  ~Albert Einstein.

I’m afraid awareness and education will not be able to overcome the gullible, curious, and greedy nature of humans.  We can only keep trying but it’s a tall order when faced with people who:  believe they have won a lottery they never entered; will pay an unknown person in Nigeria their entire savings account to receive their fortune; or believe that their luck hinges on sending an e-mail to all their friends.

It seems that exploiting humans is much easier than exploiting technology.  Without a clear defense against poor choices, it’s only a matter of time before a similar attack targets something a bit more critical.

Don’t Be a Billy

Posted in Awareness and Education on August 4th, 2010 by Paul

I’m getting a kick out of some fun videos put together by the fine folks at StaySafeOnline.org.  Check them out and enjoy this awareness video:  “Don’t be a Billy”

Security Professional Pipeline

Posted in Awareness and Education on June 25th, 2010 by Paul

The demand for a trained and educated information security workforce here in the U.S. continues to grow.  Creating a pipeline of information security professionals has to start early.  A national campaign to develop the next generation of “Cyber Defenders” has been happening without the fanfare or kudos that it needs.

The Collegiate Cyber Defense Competition has existed since 2005 and, according to a USA Today article, has grown from five competing schools to 83 teams from colleges and universities.  A similar high school competition has also been established and is seeing great participation.  This is exciting!  An environment where talent merges with enthusiasm for the information security field is the right environment to recruit professionals.

I hope these events continue to grow and inspire similar local and regional “cyberwar games” for high school and college teams.  I hope they become common recruiting grounds for both the public and private sector.  Well done.