Tag Archive | Security Awareness

Cyber Monday is Dead, Long Live Cyber Monday

Cyber Monday is dead.

At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.

According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices, has closed the gap between Cyber Monday and the days on either side of it.

This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.

The simple fact is, people are doing more shopping on days other than Cyber Monday.

Now this doesn’t mean that Cyber Monday is going away. In fact, Cyber Monday sales are growing rapidly year over year, and 2012 is expected to beat years past by 16.8%.

The opportunities are boundless, for retailers and fraudsters.

But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.

On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.

When one dies, so does the other.

But the reality is that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.

So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:

  1. Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out. The lock only means the connection is encrypted to whoever holds that certificate; it says nothing about who that is.
  2. Only Use Reputable Sites – Just because #1 is true doesn’t make a site safe. Don’t give your money to a stranger just because they handle it properly.
  3. Only Use a Credit Card – Don’t use a debit card. It does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
  4. Check Out as a Guest – Don’t create an account with online retailers unless you have to; this helps you avoid leaving your payment card information stored online.
  5. Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.
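Tip #1 is what the browser's lock icon is supposed to tell you, but it helps to know what is actually being checked: the scheme is HTTPS, the certificate chains to a trusted root, it is not expired, and its name matches the host you typed. The script below performs exactly those checks from the command line. It is an added example written for this page, not code from the original post; it uses only the Python 3.7+ standard library, and the hostnames in it are made up for illustration.

```python
import socket
import ssl
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def scheme_is_https(url: str) -> bool:
    """Tip #1, part one: refuse to type card data into anything that is not https://."""
    return urlparse(url).scheme.lower() == "https"


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Days the certificate has left, given the dict returned by
    SSLSocket.getpeercert(), e.g. {'notAfter': 'Jan  1 00:00:00 2030 GMT'}.
    `now` is seconds since the epoch; defaults to the current time."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_checkout_url(url: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the scheme is https and a TLS
    handshake to the host succeeds with full chain AND hostname verification
    against the operating system's trust store, i.e. the same checks the
    browser's lock icon summarises."""
    if not scheme_is_https(url):
        return False, "not https: do not enter card data here"
    parts = urlparse(url)
    host = parts.hostname
    port = parts.port or 443
    if not host:
        return False, "no hostname in URL"
    # create_default_context() sets CERT_REQUIRED and check_hostname=True and
    # loads the OS trust store, so an untrusted, expired or mismatched
    # certificate raises instead of silently connecting.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                proto = tls.version()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "certificate has expired", "self signed certificate",
        # "Hostname mismatch": never proceed to checkout on these.
        return False, "certificate rejected: %s" % (exc.verify_message or exc)
    except (ssl.SSLError, OSError) as exc:
        return False, "TLS connection failed: %s" % exc
    # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    return True, "%s over %s, issued by %s, %.0f days until expiry" % (
        host, proto, issuer.get("organizationName", "?"), days_until_expiry(cert))


if __name__ == "__main__":
    import sys
    # constructed sample URLs; pass your own on the command line
    for u in sys.argv[1:] or ["https://example.com/checkout", "http://example.com/checkout"]:
        ok, why = check_checkout_url(u)
        print("OK  " if ok else "FAIL", u, "-", why)
```

A passing result here is necessary but not sufficient, which is the point of tip #2: a phishing site can buy a perfectly valid certificate for its own name, so the check tells you the connection is private, not that the merchant is honest.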

We all shop online. It’s convenient, easy and usually saves you some coin.

And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.


The Walking Dead

It seems that everybody loves a good zombie apocalypse.

The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.

And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.

That being said, they haven’t exactly screwed everything up, either.

Let’s take a critical look at the team’s security strengths and weaknesses, zombie-style:

Strengths:

  1. Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Never mind that he had to kill his best friend to get there.
  2. Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
  3. Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.

Weaknesses:

  1. Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
  2. Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
  3. Planning – Oh, and while you’re at it, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.

I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I said I wasn’t a little jealous – living out a zombie apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.

The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.

Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.

One way or another, we’re all going to end up a Rick or a zombie.

The choice is yours.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some of these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposable thumbs, are naturally bad at interpreting risk. We are by far the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behavior requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out by suggesting that people don’t know what they don’t know?

Introducing the “Four Stages of Competence”.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

I Was Wrong About Security

Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.

Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.

I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.

One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.

Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.

I learned an important lesson that day.

When we got to the user’s cubicle, we were met by a sweet older woman. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.

He repeated his instructions. “Put the mouse on the OK button and click.”

So she did just that.

She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.

She did exactly what we told her to do, but not what we wanted her to do.

You can guess the moral to this story.

Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.

They will tell you that people are the biggest problem in information security.

They are wrong.

Ask yourself these questions –

  1. Would you attempt to drive across the country without a map?
  2. Would you let someone perform surgery on you if they weren’t a doctor?
  3. Would you deploy a firewall without configuring it?

The answer to all of these is obviously no.

However we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.

What we haven’t quite figured out in a meaningful way yet is that people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.

And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.

Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.

This doesn’t bring awareness, it brings tears.

If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.

October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.

I was wrong about security, but you don’t have to be.

Your human firewalls – and your business – will thank you.

More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice”.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

Like all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

Black Hats – Function or Fashion?

If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.

Unfortunately, I fell into the latter category.

Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.

Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.

But let’s be honest, they’re a lot like fashion shows.

I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.

Other than an evening of pageantry and spectacle, it’s a complete waste of time.

Kinda like Black Hat.

Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.

For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.

Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.

Yet other research focused on compromising iris recognition systems.

I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.

However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.

There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.

The rest will probably stay in the closet until next year.

To Train or Not to Train, That is Not the Question

Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.

Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece was that human susceptibility is impossible to eliminate; because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.

If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.

Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.

Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:

  1. Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
  2. Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
  3. The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.

Fighting cybercrime is a $400B industry, and we’re just getting started.

So now ask yourself, what – or better yet who – are you trusting to protect your assets?

I offer this counterpoint to the CSO article: effective security awareness training is the best, and perhaps the only, security practice that demonstrates dramatic, measurable return in today’s environment.

Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.

Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees’ behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.

Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.

Today, you are wasting your money.

Tomorrow is another day.

Indian Food, Spartacus and Credit Card Fraud

Friday night was date night.

After five weeks of client meetings, traveling and conferences without a single day off, I was looking forward to a relaxing evening with my girlfriend enjoying some Indian food and downtime. We had been looking forward to fully exercising a $25 Groupon on a table-full of exotic curries and then catching up on one of our favorite new series.

The meal did not disappoint. We left properly stuffed and excited for the rest of the evening’s activities – three episodes of Spartacus.

As we walked home we noted how beautiful the evening had become. We made it to the block where I live when my girlfriend noticed something interesting on the ground. We stopped to take a closer look.

It was the customer copy of a credit card receipt.

Upon closer inspection we discovered that this was no ordinary receipt. In addition to the full credit card number, it had the CVV, expiration date, zip code, phone number, full name and customer signature.

And amazingly the retailer managed to write down the customer’s CVV and expiration date but not the total. You can’t make this stuff up.

Here it is, blurred for confidentiality.

As you can see it contains everything necessary to commit identity theft and card fraud, with the possible exception of one piece of data – the customer’s billing address. So I did what any self-respecting security professional would do – I called and asked for it.

The conversation went something like this:

“Daniel [name changed to protect the guilty] I live in [city deleted] and I found a credit card slip with your name on it. I’m really scared that someone will use it to steal your identity, if you give me your address I’ll send it to you.”

Of course, Daniel assumed that because I already had his name and number and that I appeared to be a good Samaritan, that I was worthy of his home address. This is exactly how card fraud is taking place at restaurants, retail stores and hotels across the country.

This is not just Daniel’s problem. Merchants are instructed not to write additional information on receipts for this very reason. The merchant where Daniel used his card is a prominent and highly regarded institution in the Capital Region. Just like the Desmond.

This week I plan to send Daniel his receipt, along with a note to be more careful. Not just with his credit card and receipts, but with the information that he gives out over the phone. I was a good Samaritan, but the next person may not be.

I may also give the merchant a call and offer free advice on avoiding public relations nightmares.

And then I’ll just sit back and wait for the good karma to roll in.

Force Multipliers and Why You Need Your Own SEAL Team 6

The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.

SEAL Team 6 is the most famous of all the Special Operations teams. These are the operatives who led the raid that killed Osama bin Laden, the maritime rescue of the Maersk Alabama’s American captain from pirates, and the recent rescue of an American and a Danish aid worker held hostage in Somalia. The best of the best has handled the worst of the worst.

Imagine what you could get done if you had your own SEAL Team 6.

Think it sounds crazy?

On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.

Like SEAL Team 6, cybersecurity has become a household word, and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it SEAL Team 7, that’s taken) will give your organization a “force multiplier”.

Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.

And yes, you can have your own.

Here’s what you need:

  1. Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
  2. Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
  3. Train, train, train – Training is the most important of all, and it should incorporate the following:
    1. The basics – Every Navy SEAL is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a SEAL. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
    2. Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
    3. Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.

Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.

You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.

Becoming A Low Hanging Olive

In January of 2004 I spent three weeks in Northern Africa. It was one of the most memorable trips of my life.

The second half of my trip would be spent in Morocco with close friends, being catered to by personal attendants, drivers and handmaids, dining on the finest couscous and staying in chic riads. The first half of the trip was spent in Tunisia, a third-world country that has for years suffered through political turmoil. Most of Tunisia is uninhabited, rough and Islamic, which was simultaneously exciting, frustrating and frightening.

It was also educational.

Tunisia is an amazing country. Undiscovered beaches, the endless dunes of the Sahara, ancient ruins, bustling souks with fresh fruit and spices and the planet’s largest herd of camels.

Tunisia is also the world’s largest olive grove. No, ladies and gentlemen, it’s not Greece. There are only a few roads in Tunisia, but all of them seem to go through olive groves. You can drive for hours with olive trees outside both driver and passenger windows.

When I first arrived in country, I was met by Muslims with machine guns. Which I expected. And appreciated.

In 2004 my security career was rather young, but I was no less exuberant. If they had decided to strip search the only white guy in Tunisia I would have been inconvenienced but impressed.

Little did I know when I arrived that Tunisia would teach me a few things about security.

On the last full day of my trip I visited Carthage, the ancient coastal ruins where Hannibal became famous. Satisfied that I had filled my quota of digital pictures, I headed for the train to begin the trip back to my hotel. I needed to pack, eat and make some calls to arrange for my trip to Morocco the following day. My mind was busy as I boarded the busy rush hour train.

I passed a few stops, continuing to plot out the next day’s early morning checkout and flights. I noticed how overloaded the train was getting. I needed to remember to change some money at the airport. Just a few more stops now. I needed to send post… Is that a hand in my pocket?

Time slowed to a crawl and the roar of the rush hour train came to a hush. My wallet was gone. It had some money, a credit card and a copy of my passport in it. And the doors were closing. Was that the thief escaping? I needed to make a decision and fast. So I did what any security professional would do.

I panicked.

By the time I knew what was happening it was over. I rocked my best Walter Payton 45-Right to get off the train before the doors closed, pulling several likely innocent bystanders with me. But despite my seemingly heroic effort, the perpetrator was long gone by the time I got to the platform. I frantically challenged every pedestrian in the station that looked suspicious. They all looked suspicious. And I looked crazy.

How could this have happened?

  1. I lost situational awareness – Even though I had lived in New York City and I was a security-minded person, I was out of it on that train. It had been an exhausting week and I had less than 12 hours before I was escaping to paradise. My mind was somewhere else. While I was mentally reviewing departure times and sorting out logistics, an attacker was fingerprinting me.
  2. I was poorly defended – I was alone. It was the end of my trip and all of my laundry was dirty, so I was wearing baggy khakis with loose pockets. I was standing on a tightly packed train, hands above my head to keep from falling on some local woman. I might as well have been wearing a sign that said “defenseless tourist”.
  3. I became a low-hanging olive – I looked out of place. I was tired. I was in the wrong place at the wrong time. I became the low-hanging fruit and I got picked.

And here’s some advice – if you ever find yourself pickpocketed in Tunisia, save yourself the time and anguish of reporting it to La Police. These are the same people who beat their own citizens with blackjacks.

Your adversaries can strike at any time. The good ones will find your weaknesses and exploit them. Your business may not require the same defenses as the Pentagon, but whatever defenses you have should be up at all times.

Sometimes the best lessons are those hardest learned.

And now the olives in my life usually end up on a salad.
