One of the topics that I sometimes think about is the value of security awareness training.
This tends to be a topic that many people in the security industry seem fairly passionate about, either for or against the value of it.
Vendors of software / programs such as Wombat, PhishMe, SANS etc. are all very pro user awareness training and regular programs to raise security awareness.
Conversely companies who sell products and not training are likely to strongly advise security budget is spent on tools rather than awareness training. To renforce this point at RSA Europe last year I actually asked a couple of senior RSA guys about the value of awareness training when they did a presentation around improving security and where to spend, and was told somewhat strongly that awareness training was basically a waste of time.
So the question is who is right, or do both sides have a fair point?
On the for side – how can users be expected to act securely and know how to act securely without some training? People need to learn and understand how to spot phishing emails, why it is bad to send anything non public externally without it being encrypted, why stronga and unique passwords should be used, how to spot social engineering etc. Security awareness training and campaigns can serve a dual purpose –
– Ensure users learn more about security for both their work and home IT / online lives
– Raise general awareness – a continual program of advice and varied messages keep general security and secure methods of working on peoples minds – this should not be a once a year process.
Any increase in security awareness and reduction in the attack surface that is the human user must be a good thing right?
On the against side – what is the most effective way to spend a limited security budget? Does spending budget on training offer the sam improvement in overall security as say adding a further layer to the defence in depth strategy or hiring extra dedicated IT security personel? Even with training a significant number of users will stil click the link in a phishing email or give out details they shouldn’t to a social engineer, so you still need all the other defences, both technical and personel even if an extensive security awareness program is undertaken.
– Users will always be a large security risk, so it’s best to treat them and their actions as untrusted and create a security posture accordingly.
So which side is right? I think to a large extent they both are. Depending on which report you read, something like 60-80% of all APT (Advanced Persistent Threat) attacks are initiated via social engineering – e.g. getting a user to do something for the attacker. So the most insidious attacks that are very difficult to detect and currently being used by the security industry as the driver for selling new security tools tend to start with the user. Then surely reducing the chances someone will succumb to social engineering much be a good thing? Yes you’ll never get to 100%, but then no actual security device ever detects or prevents 100% of attacks. So why do security tool vendors not like awareness training? Likely money and profits.
A balanced approach is key, understand the environment and threat landscape your company operates in and create a holistic security program encompassing the necessary tools, skilled security personal and user awareness training.
So, how can awareness training be made as effective as possible? Along with mixed and continuous messages and taking the time to make security part of the culture, the key thing is to get the message to people and make them want to take it on board. I think there are two components to make this successful;
– Fear – not with lies or exaggeration, but highlight real stories, as especially stories that people will relate to so think Playstation and Bank / online shopping hacks.
– Make it relevant – Link the secure ways of working to peoples home lives so highlight how they can be secure online, not fall for scams, use social sites as safely as possible, shop safely etc.
To conclude my opinion is that security awareness training does add real value and should be part of any security program. It does not however replace in anyway the need for a strong defence in depth strategy aligned to your business and threat landscape. What do you think?
I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion. As it was a fairly light and interesting I thought I would share the article and my thoughts;
The original article can be found here;
Have a read of the myths and why they thin they are myths, read my thoughts below, and it would be great to hear your thoughts.
1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware, and general attacks. Possibly and an environment where literally no one runs with admin privileges and there is strong white listing you could do without AV, but generally I’d say it is still relevant and required.
2. This one is hard to know as there is so much FUD around. It is clear that in many circumstances (stuxnet etc, Chinese APT , US government espionage etc.) that governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land. I suspect much will never be known as the NSA / Mi6 / <insert secret government money pit here> are by definition very secretive. Remember all the speculation around the NSAs ability to crack encryption in the past..
3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM. However, many are moving in the right direction though so maybe soon we’ll have everything in IAM and / or AD..
4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.
5. This I totally agree with. I have already highlighted I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc – who defines what it is? Is it best in any specific environment with it’s support skill sets and technology stack etc?
6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.
7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions so this is probably try in the UK for much supporting infrastructure as well.
8. Completely agree with this. Compliance is a useful checklist, but compliance with standards should be a by product of good secure design and processes, not something we strive for as a product in itself. If provides a driver but is very much the wrong focus if you want to be secure rather than compliant.
9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind. I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.
10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data. This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business. So I think this one is rapidly if not already becoming a myth.
11. Agree – you can likely never be 100% secure if you want to have a life or business online. I think it was an American who coined ‘eternal vigilance is the price of freedom’ we should work to be secure, but freedom both individually and as a business is too important and hard won to give up. Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept. As the guy in the article says (and I do above) work to understand your adversaries, their motivations and tools.
12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing or at least capturing todays advanced long term threats such as APTs.
13. I agree with this final one as well, and have actually blogged about this before. We live in an ‘assume you have or will be breached’ world. Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach. Read last years Verizon data breach report..
It would be great to hear your thoughts on this light article.
Next Generation Information Security – Jason Witty
Some statistics and facts to set the scene;
– 93.6% is the approximate percentage of digital currency in the global market!
– 6.4% cash and gold available as a proportion of banking and commerce funds..
– 45% US adults own a smartphone – 21% of phone users did mobile banking last year.
– 62% of all adults globally use social media
– Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018
– 2015 predicted as the year when online banking will become the norm..
– Nielson global trust in advertising report for 2012;
– 28,800 respondents across 56 countries – Online recommendations from known people and review sites 80-90%+used and trusted, traditional media, falling below 50% used and trusted.
– NSA were working on their own secure smartphone. Plans scrapped and now they are working on how to effectively secure consumer smart phone devices. Consumer mobile devices are everywhere!
Emerging innovations; cloud computing..
– IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.
– By 2016 SaaS will account for 60% of the public cloud
Cost savings often cited as reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more. So increased quality and profit result, but casts likely remain flat.
Trends in Cybercrime;
Insiders – can be difficult to detect, usually low tech relying on access privileges
Hacktivists – responsible for 58% of all data theft in 2011
Organised crime – Becoming frighteningly organised and business like
Nations states – Since 2010 nation state created malware has increased from 1 known to 8 known with 5 of those in 2012. Nation states now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.
Organised Crime – Malware as a Service
Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)
Crime meets mobile – Android – patchiy updates as vendor dependant, many pieces of malware, but play store security getting better.
Nation states becoming increasingly active in the world of malware creation..
So, Next generation Information Security;
– Must be intelligence driven
- Business line
- Cyber threat
– Must be comprehensive
- Anticipate – emerging threats and risks
- Enable –
– Must have excellent human capabilities
– Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner. 8% actually are. 70% leadership thing info sec working well – 88% of infosec think leadership their largest barrier to success..
– We cannot do this alone: Strong intelligence partnership management
Pending cybercrime legislation;
– White house has stressed importance of new cyber security legislation.
– Complex laws take time to review and pass; technology environments change fast.
– Various Federal laws currently cover cybercrime – Federal computer fraud and abuse act, economic espionage act etc.
– Likely executive order in the near future with potentially large cybercrime implications.
While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.
Intelligence driven: the next phase in information security;
– Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats
– Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets
– Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.
– Establish automated analytics and establishing patterns of data movement in your organisation
I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012. This can be downloaded from here;
CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing
The Trustworthy Computing Initiative had its 10 year anniversary in 2012. Encompasses; Security – Privacy – Reliability – Business Practices.
Managing risk at all layers..
– If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient
– If I move to a CSP and they have better security than me I am mitigating risk
Help adopters understand why!
– Adoption rests on clear and simple ROI
Microsoft ‘Cloud Security Readiness Tool’
Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.
This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.
The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry. This then maps the specific regulations and controls you will need to meet.
Considerations to aid adoption;
– Consult guidance from organisations such as the CSA
– Require that provider has obtained their party certifications and audits such as ISO/IEC 27001:2005
– Ensure clear understanding of security and compliance roles and responsibilities for delivered services
– Know the value of your data and the security and compliance obligations you need to meet
– Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.
This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.
Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro
How might organisations learn from elite hackers?
– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)
– A new piece of malware is created every second
– Trend Micro evaluations find over 90% of enterprise networks contain active malware!
Targeted attacks are becoming increasingly common. Attackers take time to gain intelligence about you and your networks.
Offence Informs Defence: The Kill Chain;
5. Command and Control
Advanced Malware examples include;
– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.
– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)
We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.
Tactical trends in Hacking;
– Professionalism and Commoditisation of Exploit Kits
– Man in the Browser attacks becoming more common
– Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware)
– Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)
– Mobile malware proliferation
– Application attacks
– Botnets migrating from IRC to HTTP
– Attacks against Macs
Cloud security issues / considerations;
– Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)
– Network and Intrusion management and monitoring in a cloud / virtual environment
Custom attacks need intelligent and custom defences. We must recognise that APTs are consistent and part of ongoing campaigns.
Risk management in 2012;
– Has the cyber security posture of all third parties been audited?
– Is access to all sensitive systems governed by 2-factor authentication?
– Does a log inspection program exist? How frequently are they reviewed?
– Does file integrity monitoring exist?
– Can vulnerabilities be virtually patched?
– In MDM and mobile management software utilised?
– Do you utilize DLP?
– Can you migrate layered security into the cloud environment?
– Do you maintain multi level, rule based event correlation?
– Do you have access to global intelligence and information sharing?
There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them. The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.
Aligning Your Cloud Security with the Business: A 12-Step Framework
This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;
Implementing data centric security in the cloud;
Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance
- Define business relevance of each data set being moved to the cloud
- Classify each data set based on business impact – must be business driven, not IT
- Inventory data – technical and consultative. Mentioned that DLP one of the best ways to discover and maintain data inventories.
- Destroy (or archive offline) any unnecessary data
- Inventory users – into user roles / role types (can do other things as well like geography)
- Associate data access with business processes, users, roles
- Determine standard control requirements for each data set
- Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
- For each data set, identify acceptable platform based on the required controls and security level of the data
- Ensure only users that need access to data have access to it, and that this access is at the appropriate level
- Identify and Implement appropriate controls across each cloud environment
- Validate and monitor control effectiveness
So to summarise the presentation;
Start with the business context, not the security controls
Classify based on the business value, not the IT value!
This week I am at the Cloud Security Alliance (CSA) congress in Orlando. The week has been pretty hectic with meeting people and receiving an award etc. I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.
Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months.. On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.
It terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale. The conference is obviously a lot smaller than RSA, but was surprisingly well organised. Content we also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting. Overall I would definitely recommend coming to this next year if you have any interest in cloud security.
As with the previous conferences I’ll split the day’s notes into a couple of posts. In order to get these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be. I will be creating more detailed follow up posts for some of the key issues that have been discussed.
Opening Keynote 1 – The world is changing; we must change with it!
– What do you do if you have a security incident in a faraway country? Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.
– Have to create capabilities to share vital information globally
– Computation is changing
- Exponential data growth and big data
– Adversary is professional, Global and Collaborative
- We are all fighting alone
– Threat continues to increase
– Business environment is changing
– Change the way you think!
- Can we make attack data anonymous enough that is can be shared in a meaningful way to help others and improve overall understanding and security
– Look at things like CloudCert
Computing is changing;
– Cloud computing is just the beginning
- Shared datacentres, networks, computers etc..
– Driven by cost savings and need to be competitive in a global marketplace
– Virtualisation – Mobile – BYOD (explosion of devices)
– Increasing reliance on Browser
- Secure Browser ‘App’ vs. URL (Apps vs. things like HTML5)
- Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc. This would stop XSS.
Exponential data growth – Big data
– In 2010 humanities data passed 1 zettabyte – (1 with 21 zeros after it).
– Estimated volume in 2015 – 7.9ZB
– Number of servers expected to grow by 10* over the next 10 years.
- Malware 26M in 2011 – 2.166M/mo. – 71,233/day. 73% Trojans.
- Application lifecycle – how long will the legay apps you use be around?
- First attacks on O/S
- First mobile drive by downloads
- Malicious programs in App stores
- First mass Android worm
– Attacks built in the Cloud are invisible, and inexpensive
- Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing.. Would you want this?
Business Environment Changes
– Drive to innovate
- Scrums, agile computing initiatives change the way we work
- Security needs to work in a more agile way
– Rapid delivery of features and functions
- Build securely – not build and test
– Impact of Intense, Global competition
– SMBs are the foundation of US recovery but need help
– Blurring of home/personal and work
Six Irrefutable Laws of information Security;
- Information wants to be free
- Code wants to be wrong
- Services want to be on
- Users want to click
- Even a security feature can be used for harm
- The efficacy of a control deteriorates with time
The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..
Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get.. Again highlights the point that you will be hacked..
What do we need to do? – We need intelligence!
Director of Georgia Tech Information Security Centre, 2011 –
“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”
We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?
What is needed to get where we need to be?
– Global perspective
- Not National
- Not Government
– Global Information Sharing
– Intelligence based security
- Strategy and Budget
– We MUST eliminate the obstacles!
Global Information Sharing
– We have been trying for decades
– How do we establish trust
- Methods to make data anonymous
- Attack data sharing
– Who shares?
- Needs of SMBs
– Role of Governments (pass treaties around data sharing and cross boundary working)
– Benefits go far beyond incident response
Incident response in the Cloud;
– Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)
– Consider model you use – IaaS / PaaS / SaaS and what this means
– Network control
– Log correlation and analysis – where are these, who owns them, who can access them..
– Roles and responsibilities
– Access to event data, images etc. When will you find out about issues and breaches?
– Application functioning in the cloud – consider impacts of applications running is shared and / or very horizontally scalable environments.
– Virtualisation benefits and issues
– Capabilities and limitations of your provider
– CSA and Cloud CERT
- Role critical
– Government initiatives
– Private initiatives
Breaches can impact all of us, finding ways to work together and share data is critical. Cloud is relatively new – we can make a difference and improve this moving forwards.
Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including – understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)
– Remove Obstacles
– Build subject matter expertise
– Global sharing is critical to success
- Who will attack you, using what methods in 2013?
- Where should you spend your time / money?
- Intelligence based security
– Security sophistication must keep pace with attack sophistication!
Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch
Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!
Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia. These included banks, space agencies, science agencies, nuclear material handling companies etc.
So what to the controllers of these Trojans do with the data? Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks. A common example is to sell the data, you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.
Moving onto examples of specifically targeted attacks and APTs.. Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT. These have attacked everything from large private companies, to critical infrastructures to the UN. All of the given examples had one thing in common – Social Engineering. Every one used Spear Phishing as their entry vector.
From this I think you need to consider – Do you still think security awareness training shouldn’t be high on your organisations to-do list?
The talk went onto discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post. The interesting observation here was their likely different plaes in the attack process. Stuxnet was at the end and the actual attack, Duqu likely much earlier in the process as it was primarily for information gathering.
A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc. Feel free to look these up if you want to do some further research.
In light of this evidence it is clear we need a new security doctrine. You will get hacked despite your hard work, if it has not yet happened, it will.. Learn from the event, an honest evaluation of faults and gaps should result in implements.
Things to consider as part of this new doctrine;
– Resist – Threat resistant virtualisation, Zero day defences
– Detect – Malware traces, Big data analytics, behavioural profiling
– Investigate – Threat analysis, Forensics and reverse engineering
– Cyber Intelligence – Threat and Adversary intelligence
Cyber Intelligence was covered in some more specific details around how we can improve this;
– External visibility – Industry / sector working groups, Government, trusted friends and colleges, vendor intelligence;
- Can this information be quickly accessed? For speed should be in machine readable format, but use whatever works!
– Internal visibility – Do you have visibility in every place it it needed, HTTP, email, DNS, sensitive data etc.
- Do you have the tools in place to make use of and analyse all of these disparate data sources
– Can you identify when commands like NET.. and schedulers etc. are being used?
– Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc?
– Do you have the long term log management and correlation in place to put all the pieces of these attacks together?
Summary recommendations and call to action..
– Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets
– Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats
– Understand current state of malware, attack trends, scenarios, and communications
– Adjust security team skills and incident management work flow
– Learn from this and repeat the cycle..
Next steps (call to action!);
– Evaluate your defence posture against APTs, and take the advice from the rest of this post
– Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post
Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door. I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.