If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.
Unfortunately, I fell into the latter category.
Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.
Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.
But let’s be honest, they’re a lot like fashion shows.
I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.
Kinda like Black Hat.
Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.
For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.
Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.
Yet other research focused on compromising iris recognition systems.
I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.
However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.
There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.
The rest will probably stay in the closet until next year.
Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.
Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.
If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.
Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.
Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:
- Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
- Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
- The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.
Fighting cybercrime is a $400B industry, and we’re just getting started.
So now ask yourself, what – or better yet who – are you trusting to protect your assets?
I offer this counterpoint to the CSO article: effective security awareness training is the best, perhaps the only, security practice that, done well, demonstrates dramatic, measurable return in today’s environment.
Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.
Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees’ behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.
Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.
Today, you are wasting your money.
Tomorrow is another day.
Sometimes, security just sucks.
It was never meant to be that way. In fact, done properly, security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.
When it’s not done well, well…
I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.
Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.
The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.
Getting credit for the hotel stays was another story.
What I thought would be a quick call to the provider started out bad and turned worse.
“Thank you for calling [hotel provider], can I help you?”
I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.
I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.
Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.
This is why people shudder when IT or their company’s Information Security team starts talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (which we almost never experience); let’s at least remember that your security implementation should match your risk.
Even the Secret Service lets the President kiss a few babies.
I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.
But I might still ask for that Coke recipe.