Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.
Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.
I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.
One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.
Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.
I learned an important lesson that day.
When we got to the user’s cubicle, we were met with a sweet older woman. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.
He repeated his instructions. “Put the mouse on the OK button and click.”
So she did just that.
She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.
She did exactly what we told her to do, but not what we wanted her to do.
Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.
They will tell you that people are the biggest problem in information security.
They are wrong.
Ask yourself these questions –
- Would you attempt to drive across the country without a map?
- Would you let someone perform surgery on you if they weren’t a doctor?
- Would you deploy a firewall without configuring it?
The answer to all of these is obviously no.
However, we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.
What we haven’t quite figured out in a meaningful way yet is that people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.
And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.
Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.
This doesn’t bring awareness, it brings tears.
If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.
October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.
I was wrong about security, but you don’t have to be.
Your human firewalls – and your business – will thank you.
You just can’t make this stuff up.
Last week I received the following text message from an unknown number: “I received check. Thank you. Alice”.
A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.
They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.
I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.
My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?
I couldn’t help myself.
“Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.”
We would soon find out.
Like all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.
Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…
“021000322 XXXXXXXXXXXX XXXX”
The Zappos hack this week made national headlines for a number of reasons.
First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest data breaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos data breach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leaving the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
It was roughly 6:30 AM ET when I rounded the last corner of my morning run, approaching the bridge over the Hudson River that would eventually lead me home. As I made the turn, I was headed East into the sunrise. I had less than one mile to go, and my playlist was a perfect concoction of Beastie Boys, Megadeth and Foo Fighters. It was 60 degrees and a perfect morning for a run (if there is such a thing).
As I got to the foot of the bridge I noticed another runner coming towards me on the opposite side of the road. He was an older gentleman, probably in his late 50s or early 60s, tall and thin with grey hair. I’m always impressed when I see someone at that age out running, as it takes a feat of will to get me out the door some days, and I’m young enough to not be old.
As we approached each other, I began sizing him up as I assumed he did of me. Was I running faster than him? Was I in better shape? Was I running farther? As human beings we are programmed to be competitive by nature, if only to survive. It is instinctive to measure ourselves against one another, as our very ego depends on it.
Then it happened. As it nearly always does in these situations. As the elderly man passed me, he waved. And I waved back. Not just default, meaningless gestures, but a real momentary connection.
You see, regardless of egos or competitive spirit, we shared a common bond – the agony of the alarm clock, dehydration and fatigue. We were kindred spirits. Brothers in arms.
And then it occurred to me – why doesn’t this happen in the security industry?
In an environment where the agony is far greater than muscle cramps and much longer than 4 miles, why is it that competitors can’t share that same connection?
Perhaps it’s because money is involved. Some security companies are much more successful than others. This inequality can heighten rivalries, even if undue. Perhaps it’s because egos are involved. Just like athletes, everyone wants to feel like their firm is the best, even in the absence of real measurements. Perhaps it’s because security is a personal experience. It’s serious business, and people take it seriously.
If I had the answers I wouldn’t be writing this blog, I’d be fixing the problem. In any case, I, my partners, my team and all at GreyCastle Security are committed to sharing, partnering and promoting this industry by working together and not creating fiefdoms.
We’re not going to win this war if we’re fighting ourselves.
“I have six locks on my door all in a row. When I go out, I lock every other one. I figure no matter how long somebody stands there picking the locks, they are always locking three.” – Elayne Boosler
This past Monday night I attended the monthly business meeting for a pistol range in my area. Having heard great things about the facilities and management, I decided that it was time to join another range – it’s great to have options. This particular range is used by DHS, DEA and 10 other law enforcement agencies, which added to its legitimacy. The club also offers regular combat and tactical training courses, an added bonus.
But this story isn’t about that kind of security.
During the meeting the chapter Vice President rifled (oops) methodically through each committee update and then stopped to share with us some issues that the club had been having regarding unwanted visitors. Without giving away too many details, the club is protected by proximity card access control in various places, and cards are only granted to members of reputable standing. I made some assumptions about the “issues” that they could be having, recognizing that cards can be shared or stolen, card readers don’t prevent tailgating or social engineering and remembering that there were few visible supporting controls in place. Having experience on many ranges, I know how irresponsible, careless and downright malicious people can be.
The Vice President, after describing numerous incidents of non-member trespassing, facility damage and seriously dangerous shooting conditions, opened it up to the floor for suggestions on how to deal with this latest rash of problems. The club’s insurance, after all, did not cover all of these liabilities.
The monthly meeting was attended by individuals of all ages, from various walks of life. One thing they had in common, however, was a shared love for the 2nd Amendment. If there was one thing these guys knew, it was how to protect their property.
“We need cameras in here!”
“Put a gate out front!”
“Change the locks on the doors!”
As the new guy I sat quietly listening to each suggestion as the roar became deafening. Clearly, the club and its members were passionate about protecting their assets. They weren’t about to let a few malicious interlopers get away with this.
Unfortunately, they didn’t know how to stop them.
Preventing crime, cyber or otherwise, is not about technology. We continue to see firewalls, antivirus software, gates and door locks fail to protect us for one simple reason – they are created by, configured by and susceptible to people. A review of our industry’s surveys, articles, data breach reports and analysis all point toward one conclusion – people continue to be the greatest weakness in the security chain. Until our security programs, budgets and corporate priorities address this – our real risk – we are doomed to repeat history.
In short, the pistol range will be more successful if it trains its members – its security control with the greatest surface area, intelligence and liability – how to detect, prevent and correct security incidents like those that have been occurring over the past several months. A well-trained membership will be far more capable of dealing with a negligent individual or trespasser than a “No Trespassing” sign or a card-activated gate. As it turns out, training will also be a lot less expensive. While human psychology will usually default to technology (firewalls or guns) for addressing security, in most cases addressing the human element is the most effective.
While this didn’t occur to the membership on Monday night, I’m sure some well-meaning member will eventually make this suggestion.
Perhaps next month I won’t sit so quietly.