Tag Archive | Security Psychology

Doomsday Preppers – What’s Your Score?

Doomsday Preppers, National Geographic Channel’s new hit series – is awesome.

The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.

Each prepper, and sometimes their families, friends and neighbors has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.DoomsdayPreppers

They are then scored by survival experts in five categories of survival; water, food, shelter, security and an x-factor.

Some score quite well. Others? No.

Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.

I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion was had no experience with firearms and because he wasn’t wearing appropriate ear protection.

Sometimes it’s the little things.

But I find it entertaining for different reasons.

First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.

The joke’s on us.

Second, human beings aren’t very good at identifying the real threats in any situation.

In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.

People are always the biggest threat.

Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.

Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage was more widespread and the shortage sustained?

We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.

By nature we are all survivalists. It’s why we have a massive brain and opposing thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.

What’s your score?

Advertisements

Smashing Pumpkins, Security Myths and Pretty Much Anything Else We Can Get Our Hands On

Hurricane Sandy, appropriately named after a slow-moving but powerful family member of yours truly, spent the last few days wreaking havoc on the East Coast.

And while some of us made it through with just a bit of sideways rain, I’m sure there are more than a few business out there putting a Business Continuity Plan on their “To Do” list this morning.

Better late than never, they say.

Or is it? After all, Upstate New York has experienced an earthquake, a tornado, epic flooding and two hurricanes in the past fifteen months. This in an area that is considered relatively protected from Mother Nature.

Maybe it’s time to rethink the “cross your fingers” Risk Management strategy. And just in time for Halloween.

Tonight, on All Hallows’ Eve, most of us will engage in some sort of ghoulish tradition, whether carving a pumpkin for the front stoop or trick-or-treating with the kiddies. And yet we know that most, if not all of these activities can end in some kind of trouble.

Chances are good that the creepy teenager down the block with the acne and the freakishly thick eyebrows is going to smash your pumpkin. Someone’s car is going to get a clean shave. And Mrs. McGillicutty’s willow tree is probably getting TPd.

But despite all of this, we trust our kids and neighbors to make it through the night without serious damage. We trust that things won’t get out of hand. Without trust that people won’t kill each other over a bag of treats.

We trust.

And in that apparent weakness lies one of our greatest strengths. In trust we gain the ability to go about our lives. To interact with others. To exist.

Without trust, we could not walk down the street at night without checking every dark corner. We couldn’t approach a stranger’s door without a background check. We couldn’t eat candy without inspecting every chocolatey bite.

Without trust, we could simply not function.

Trust is at the heart of every security model on planet Earth. Despite popular wisdom, the security controls that we put in place to protect our information, people and other assets imply some measure of trust in their relationships.

We trust that a firewall will disallow specific protocols on specific ports. If we didn’t we wouldn’t buy them. But like the creepy kid down the street, trust only goes so far.

At some point, you need to verify.

And what better time than Halloween for a lesson in verification? Whether it’s the batteries in your flashlight, the traffic crossing in front of your little Spiderman or the brastrap on your girlfriend’s Lady Gaga BaconSuit costume, some times you just need to verify.

Halloween is no time for a wardrobe malfunction.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are by far, the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behavior’s requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know.

Introducing the “Four Stages of Competence“.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

I Was Wrong About Security

Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.

Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.

I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.

One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.

Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.

I learned an important lesson that day.

When we got to the user’s cubicle, we were met with a sweet older women. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.

He repeated his instructions. “Put the mouse on the OK button and click.”

So she did just that.

She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.

She did exactly what we told her to do, but not what we wanted her to do.

You can guess the moral to this story.

Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.

They will tell you that people are the biggest problem in information security.

They are wrong.

Ask yourself these questions –

  1. Would you attempt to drive across the country without a map?
  2. Would you let someone perform surgery on you if they weren’t a doctor?
  3. Would you deploy a firewall without configuring it?

The answer to all of these is obviously no.

However we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.

What we haven’t quite figured out in a meaningful way yet is that, people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.

And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.

Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.

This doesn’t bring awareness, it brings tears.

If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.

October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.

I was wrong about security, but you don’t have to be.

Your human firewalls – and your business – will thank you.

Remembering 9/11

For most, if not all Americans, today is a special day.

Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.

Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.

And yet, that’s all they are.

In a world of risks separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.

Ask someone if they would rather text while driving or face a terrorist.

Yet texting while driving has killed twice as many people this year than terrorists.

So why aren’t we afraid of texting in a moving car?

The answer is related to the way human beings make decisions. It’s related to way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.

It makes us really bad at judging risk sometimes.

Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.

We didn’t think terrorists would fly planes into buildings.

Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.

Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.

Black Hats – Function or Fashion?

If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.

Unfortunately, I fell into the latter category.

Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.

Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.

But let’s be honest, they’re a lot like fashion shows.

I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.

Other than an evening of pageantry and spectacle, it’s a complete waste of time.

Kinda like Black Hat.

Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.

For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.

Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.

Yet other research focused on compromising iris recognition systems.

I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.

However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.

There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.

The rest will probably stay in the closet until next year.

The Desmond Breach, and Why We Haven’t Learned Anything Yet

In May of 2011, the Desmond Hotel and Conference Center in Albany, NY was compromised by an as-yet-unnamed foreign entity. Very little has been made public about the incident, and it’s possible that we will never know the true extent of the damage.

What we do know is that the credit and debit card numbers of every hotel guest from May 2011 to March 2012 were potentially compromised. At least one patron had their bank account drained.

This story was noteworthy because it was local, because it affected countless individuals and because the Secret Service was involved.

Otherwise, it was just like the countless other breaches we’ve witnessed recently.

First, The Desmond had been compromised for nearly a year and didn’t know it. The Secret Service discovered evidence of the Desmond breach during routine investigations of foreign hackers and notified the hotel of their findings. We can only assume that the compromise would still be going on today if this stroke of luck hadn’t occurred.

Second, The Desmond didn’t have an Incident Response Plan. This is an assumption on my part, but one that I am confident in, given the post-event fallout. The incident, which could likely have been better contained, grew quickly and became a public relations nightmare that lasted for days.

Third, they didn’t think this could happen to them.

This is not a smear piece. The Desmond is my favorite hotel in the area, and one that we hope to make a client someday. Unfortunately, they became long-hanging fruit. They were simply the next target in a long line of victims, a queue that grows daily.

The Desmond made the news. 99% of breaches don’t. And it seems that until an organization experiences their own incident, there is little compelling them to protect themselves.

The industry, our peers, the media, the company where you work – all are providing us an education, but we are not learning from our mistakes. Psychology 101 teaches that human beings learn best when content is relevant, entertaining and interactive. It would seem that major public data breaches tick all of these boxes.

For now it seems the only thing that’s ticked is The Desmond’s customers.

 

What I Would Do if I Was Zappos

The Zappos hack this week made national headlines for a number of a reasons.

First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.

Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures is in the tens of millions of dollars.

But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.

Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.

This is what I would do if I were Zappos:

  1. I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR guffaws.
  2. I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leaving the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
  3. I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
  4. I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.

It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.

Maybe Zappos should start selling eyewear.

Avoiding Cyber 9/11

Like most people, I remember September 11, 2001 like it was yesterday.

It was a bright and beautiful afternoon as we drove North along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sites. The Alps are breathtaking, no matter what time of year it is.

As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.

I will never forget the look on Andre’s face.

“An airplane crashed in to the World Trade Center”, he said in his thick Dutch accent.

Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.

For a while I lived in New York City just three blocks South of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork, I had the New York City skyline.

“It wasn’t a Cessna, it was a jumbo jet.”

For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.

The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.

We didn’t think it could happen to us.

As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.

This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.

By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?

On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:

What are we doing to avoid Cyber 9/11?

 

Security Awareness and the Apocalypse

As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.

I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (who I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized databreaches and gangs using the Internet to auction illegal firearms.

Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capitol Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.

And then it occurred to me – what if the same was true of information security?

I recently read an article that suggested that there should be more databreach notifications, rather than less. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.

But imagine for a moment that the details of every databreach, malware outbreak and security incident were at once made public. One of two things would happen:

  1. With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of databreaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
  2. The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.

The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.

And while it may seem far-fetched to think of our world recessing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.

%d bloggers like this: