Archive for the ‘Security Awareness’ Category

The other night, while my wife and I were walking Daisy, we had an ‘incident’ to respond to.  Not computer related, but the principles of incident response still apply.  Someone decided that abandoning three month-old kittens on the road down from our house was a good idea ~ ‘surely someone nice will give them homes!’

If we ignored their plight, the outcome would go three ways:

  1. Someone else might rescue them.  Although, since it was after 10:00 P.M., this was unlikely.
  2. They’d be hit by cars.
  3. Wile E. Coyote and his brethren would enjoy their company.

So, we rescued them, sheltered them overnight and, in the morning, off to the Humane Society (with a donation) they went, since we just can’t accommodate three kittens with our golden retriever.

Reflecting on this episode, I thought about how I’d been taught about incident response by SANS Institute instructors.  The acronym I learned is PICERL; Preparation, Identification, Containment, Eradication, Recovery, Lessons-learned.

We were prepared because we had cardboard boxes to hold them and a crate at home for the night.  We identified the problem, contained the kittens and eradicated the threats that night (no, we didn’t kill any coyotes).  Recovery happened in the morning and Lessons-learned are ongoing (expect the unexpected and assume breach are two of them).

The takeaway on this is that strange things happen and we can use our training, even training that is very IT-security-specific, to manage the event.  Security is about doing the Right Thing, at the Right Time, for the Right Reasons ~ this incident was no exception and was definitely security-related, at least in the physical sense as far as the kittens were concerned.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


Some very interesting research came to my attention the other day, courtesy of the ISC2.org CISSPforum on Yahoo Groups, pointing to an article in Scientific American that discussed why flattery is effective.

The research, by Elaine Chan and Jaideep Sengupta at the Hong Kong University of Science and Technology and reported first in the Journal of Marketing Research, showed that while most people can spot obvious flattery and attempts to influence them, on an innate subconscious level it actually works!

The study showed that while participants’ explicit attitudes rejected marketing come-ons, their implicit attitudes were more positive and could be used to predict future behavior.  This susceptibility to flattery may stem from the basic human need to feel good about oneself, which is related to illusory superiority, or the above-average effect.

In testing whether or not the motive to self-enhance was related to insincere flattery, the researchers showed that, in the words of Scientific American, “those of us who could use a little pick-me-up to begin with are particularly vulnerable to the message behind a smooth sales pitch”.

So, how does this relate to information security and why is it important?  This all goes back to social engineering and the ability to market to, or convince, other people to do what you want them to.  Knowledge of these behavioral responses can be applied to social engineering as part of penetration testing and taught as part of security awareness training.  Conversely, look for this to be used in phishing attempts.

And what about security product marketing from vendors?  We all know about FUD, but should the F stand for flattery instead?  ‘Yes, this new Intrusion Detection/Prevention System does make me feel sexy!’ Probably not; more likely it’s about being told how much more secure you’ll be, which translates internally to how good a security person you think you are.

The takeaway ~ keep your BS filters on high and understand that at some basic level, like Fox Mulder, you want to believe.  Doing so may open you to accepting more risk…

Food for thought.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


I’ve been thinking about Security Awareness and different ways of teaching it as a mindset.  We infosec folks think about it all the time, cultivating it as part of our general focus on situational awareness; the general public, corporate and government leaders, SMBs – not as much, perhaps.

It’s only when some epic breach like TJX, Heartland, or the recent Google hacks happen, that most people go ‘Huh?’  Security people channel their inner Homer Simpson and go ‘D’Oh!’

I’m sure other security professionals have thought about how effectively security in general was approached and taught during World War II; citizens were reminded in public places that ‘Loose Lips Sink Ships’ and that ‘Careless Talk’ cost lives.

So, if we were going to use this approach today, what would we say?  What would resonate and be graphically memorable?

  • Lost Laptop – Work Stop
  • Data Breach – Painful Teach
  • DLP Works for Me!
  • Stolen Data in Motion, Crosses the Ocean

What would you suggest, dear reader, to teach staff to lock desktops when they’re away from their office?  Or to not store unencrypted corporate data on USB drives, laptops, netbooks, PDAs, etc.?

The posters above are courtesy of the New Hampshire State Library and Eyewitness to History.  The latter site has an excellent list on how to safeguard information from the enemy, the Ten Prohibited Subjects and more.

Are pithy slogans and eye-catching graphics enough?  Do we need Quentin Tarantino to make a movie?  I’m re-reading NIST SP 800-50 and thinking about this more.  There are all sorts of posters out there too.

In fact, it’s a niche industry!  But how effective are posters at increasing lasting security awareness with true stickability?  Some very interesting insights and research were assembled by Ross Anderson and mentioned on the ISC2.org blog on 11/15/09, titled ‘Psych and sec’.  These papers and articles on psychology, behavioral economics, social attitudes towards risk, security usability, and more, remind us of the academic contributions other disciplines bring to security awareness.

What do you think?  Do security posters work in your organization?  Is there enough user-centered design in security mechanisms, or not enough?

I read a great post by Will Irace on the Cassandra Security site and I agree with him ~ it’s all about trusting people and educating/training them to do the ‘right thing’ and why.

Later friends…

Bill Wildprett