Archive for the ‘Security Awareness’ Category

The Soylent Green of “Epic Hacks” – It’s Made of PEOPLE!

August 7th, 2012 3 comments

Allow me to immediately state that I am, in no way, attempting to blame or shame the victim in my editorial below.

However, the recent rash of commentary from security wonks on Twitter and blogs regarding who is to “blame” in Mat Honan’s unfortunate experience leaves me confused and misses an important point.

Firstly, the title of the oft-referenced article documenting the series of events is at the root of my discontent:

How Apple and Amazon Security Flaws Led to My Epic Hacking

As I tweeted, my assessment and suggestion for a title would be:

How my poor behavior led to my epic hacking & flawed trust models & bad luck w/Apple and Amazon assisted

…especially when coupled with what is clearly an admission by Mr. Honan, that he is, fundamentally, responsible for enabling the chained series of events that took place:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

The important highlighted snippets above are obscured by the salacious title and the bulk of the article which focuses on how services — which he enabled and relied upon — however flawed certain components of that trust and process may have been, are *really* at the center of the debate here.  Or ought to be.

There’s clearly a bit of emotional transference occurring.  It’s easier to associate causality with a faceless big corporate machine rather than swing the light toward the victim, even if he, himself, self-identifies.

Before you think I’m madly defending and/or suggesting that there weren’t breakdowns with any of the vendors — especially Apple — let me assure you I am not.  There are many things that can and should be addressed here, but leaving out the human element, the root of it all here, is dangerous.

I am concerned that as a community there is often an aire of suggestion that consumers are incapable and inculpable with respect to understanding the risks associated with the clicky-clicky-connect syndrome that all of these interconnected services brings.

People give third party applications and services unfettered access to services like Twitter and Facebook every day — even when messages surrounding the potential incursion of privacy and security are clearly stated.

When something does fail — and it does and always will — we vilify the suppliers (sometimes rightfully so for poor practices) but we never really look at what we need to do to prevent having to see this again: “Those security lapses are my fault, and I deeply, deeply regret them.”

The more interconnected things become, the more dependent upon flawed trust models and the expectations that users aren’t responsible we shall be.

This is the point I made in my presentations: Cloudifornication and Cloudinomicon.

There’s a lot of interesting discussion regarding the effectiveness of security awareness training.  Dave Aitel started a lively one here: “Why you shouldn’t train employees for security awareness

It’s unfortunate the the only real way people learn is through misfortune, and any way you look at it, that’s the thing that drives awareness.

There are many lessons we can learn from Mr. Honan’s unfortunate experience…I urge you to consider less focusing blame on one link in the chain and instead guide the people you can influence to reconsider decisions of convenience over the potential tradeoffs they incur.


P.S. For you youngsters who don’t get the Soylent Green reference, see here.  Better yet, watch it. It’s awesome. Charlton Heston, FTW.

P.P.S. (Check out the sentiment of all the articles below)

Enhanced by Zemanta

Why Security Awareness Campaigns Matter

February 29th, 2008 No comments

The topic of security awareness training has floated up to the surface
on a number of related topics lately and I’m compelled to comment on
what can only be described as a diametrically opposed set of opinions
on the matter.

Here’s a perfect illustration taken from some comments on this blog entry
where I suggested that many CIO’s simply think that "awareness
initiatives are good for sexual harassment and copier training, not

Firstly, here is someone who thinks that awareness training is a waste of time:

As to educating users, it’s one of the dumbest ideas in
security. As Marcus Ranum has famously pointed out, if it was going to
work…it would have worked by now. If you are relying on user
education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.

…and here is the counterpoint offered by another reader suggesting a different perspective:

Completely disagree. Of course you’re not going to get
through to everyone, but if you get through to maybe 80-90% then that’s
an awful lot of attacks you’ve prevented, with actually very little
effort. The reason I think it hasn’t worked yet is because people are
not doing it effectively, or that they’ll ‘get around to it’ once the
CEO has signed off all the important projects, the ones that mean the
IT Security team get to play with cool new toys.

What’s my take?

I think this is very much a case of setting the appropriate
expectations for what the deliverable and results should be from the
awareness training.  I think security awareness and education can bear substantial fruit.  Further, like the second reader, if the goals are
appropriately and realistically set, suggesting that 100% of the
trainees will yield 100% compliance is simply nonsense.

Again, we see that too often the "success" of a security initiative is
only evaluated on a binary scale of 0 or 100% which is simply stupid.
We all know and accept that we’ll never been 100% secure, so why would
we suggest that 100% of our employees will remember and act on 100% of
their awareness training?

What if I showed (and I have) that the number of tailgates through
access controlled access points went down over 30% since awareness training?
What if I showed that the number of phishing attempt reports to IT
Security increased 62% and click-throughs decreased by the same amount
since awareness training?  What if I showed that the number of reports
of lost/stolen company property decreased by 18% since awareness
training?  How about when all our developers were sent to SDLC training and our software deficiencies per line of code went down double digits?

What if I told you that I spent very little amounts of money and time
implementing this training and did it both interactively and through
group meetings and everyone was accountable and felt more empowered
because we linked the topics to the things that matter to THEM as well
as the company?

As to Marcus’ arguments
regarding the efficacy of education/awareness, he’s basically
suggesting that the reason awareness doesn’t work is (1) human
stupidity and (2) a failure of properly implementing technology that
should ultimately prevent #1 from even being an issue.   

I suggest that as #2 becomes less of an issue as people get smarter
about how they deploy technology (which is also an "awareness" problem)
and the technology gets better, then implementing training and education for issue #1 becomes the element that will
help reduce the residual gap.

To simply dismiss security awareness training as a waste of time is
short-sighted and I’ve yet to find anyone who relies solely upon
awareness training as their only strategy for securing their assets.
It’s one of many tools that can effectively be used to manage risk.

What’s your take?

Categories: Security Awareness Tags: