Security Awareness Partnership

Folks, I am thrilled to announce that Honeytech and SANS have partnered to offer the absolute best in security awareness solutions. Many of you may already know about SANS, the world’s leader in information security training. Any SANS student knows they have the most skilled and experienced instructors from around the world. As you may also know, we at Honeytech pride ourselves in providing the latest in security awareness solutions. We are now combining the resources of these two organizations to become the world leaders in security awareness.

We are already moving at an amazing pace; expect to see some very exciting developments in the coming months. Meanwhile, if you have any questions feel free to email me at my new email address, lspitzner@sans.org.


What Is an LMS?

One of the most common questions I get working on security awareness programs is “What is an LMS and why do I care?” Let’s take a moment and answer that question. Most security awareness programs have two shared goals. The first goal is to change the behavior of employees, to create a more secure environment. If employees are aware they are a target and know what they can do to protect themselves, organizations will be less likely to be compromised. The second goal is compliance, to meet certain standards or regulations that require an awareness program, such as PCI DSS or ISO 27001. Such standards require that organizations prove they have an active awareness program and document which employees have been through the training. This is where an LMS comes in.

An LMS (Learning Management System) is really nothing more than a software application used to manage, distribute and track online training. Organizations take their security training videos and load them into their LMS (or one hosted by someone else). Each employee is then given a login and password to the LMS. They are then required to log in to take the training. As a result, organizations can now track who took what training and when, and if there are quizzes, what the employee’s score was and whether they passed. That’s it. Some LMSs have far more advanced functionality (such as offering courseware at universities), but in the world of security awareness this is usually what I see them used for. There are many different vendors of LMS software (including open source versions). To ensure interoperability they all share a standard called SCORM. If you are considering using an LMS, make sure your security training is SCORM compliant.

Still confused, or want to try out an LMS? Just shoot me an email and I’ll be happy to give you an LMS account to try.


Security Awareness – Lost In Translation

One of the things I absolutely love about security awareness is how I’m constantly learning about human behavior and the challenges of dealing with different cultures. One example is language: many things we may take for granted in our native language can be very different in other languages or cultures. If you are a large organization, or if your security awareness program encompasses many different groups, these differences become a big issue. One of my favorite examples is the concept of Safety versus Security. In English these two words address two different concepts. Safety is focused more on environmental or accidental threats, such as storms, earthquakes, car accidents, food poisoning, etc. Security is more focused on deliberate threats, such as cyber criminals or malicious insiders. Most awareness programs focus on deliberate threats, i.e. Security. At this point, if you are a native English speaker you are probably asking yourself what the big deal is. The challenge comes when you start translating these concepts into other languages. In many languages, especially European ones, Safety and Security are actually the same word. Seriously, go to translate.google.com and try these two words in languages such as German, Spanish, Norwegian or Polish. If you design your awareness materials in English, you may confuse users if your materials are literally translated into other languages. For example, in Dutch the term “Securing The Human” may sound like a guide to walking in the Netherlands safely without getting run over by crazed bicyclists (if you have ever been to the Netherlands you know what I mean :). It is challenges like these that require you to have people who really understand the local cultures and languages.

By the way, another lesson learned: humor does not translate well into other languages. If your awareness training will be used in many different cultures, be very careful how you use humor. I learned this the hard way in Japan at a presentation I did. What favorite stories do you have about things Lost In Translation?


Teaching at Blackhat In Las Vegas

I’ve just finished updating the content for my upcoming two day class Securing The Human at Blackhat Vegas next month. If you or anyone you know is interested in learning how to address the human factor, this is the class for you. I’ve updated about 60% of the course with new content, based on lots of lessons learned in the past twelve months. If you have any questions about the class just email me. If you are not attending the class but are still attending the conference, let me know and let’s meet up. Blackhat is one of the best places to meet other people in this field and learn from each other. First round on me!


Security Awareness Programs – Monthly or Annual?

One of the key points I covered in my “Securing The Human” presentation at both SANS and NY was the choice between a monthly and an annual security awareness program. Specifically, which is the better approach: an annual program requiring all employees to go through full training once a year, or a monthly program where a new topic is covered every month? Each approach has its advantages and disadvantages.

Annual: An annual program is when all employees get training on all security topics in a single event (usually online training or an onsite workshop). In addition, this full training is usually required for any new hires. The advantage of this approach is that it ensures everyone learns all the key topics. The problem is that people will quickly forget most of the information.

Monthly: In this approach organizations focus on continuously reminding employees about security risks and how best to protect themselves. Instead of covering all security topics at once, the training is broken down into smaller modules, with a new module or topic covered every month. The advantage of this is that employees are constantly reminded about security. The disadvantage is that the content is spread out over a year. If your awareness module on phishing is scheduled six months from now, that means you are vulnerable for the next six months. If you have an employee who missed the module on data protection, that means they most likely will not get the training for another year.

So, which one do you go with? You don’t; you need to apply both. Have an annual program that covers the full training (ensure your new hires take this also). This ensures that everyone receives a complete foundation in key security risks and how to protect both themselves and the organization. Then, combine this with a monthly program. Not only does this remind and reinforce key topics, it also allows you to update your content, as threats, technology and your organization are always changing. The key to a combined approach is having your full training program broken down into specific topics (I recommend no more than ten). Then reinforce each of those topics in the months following the annual training. Repeat this process every year, ensuring you update the content.
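The tracking an LMS gives you (who took what, when, and whether they passed) is exactly what a combined annual-plus-monthly program needs to be auditable. The following is an added example, not code from the original posts or from any LMS product: it takes a constructed set of completion records of the kind a SCORM course reports back to an LMS, and produces the two compliance answers the text raises, which employees are missing or overdue on the annual course, and which monthly topics each employee has missed. The record format, the employee names, the 80% pass mark and the 365-day window are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PASS_MARK = 80                      # assumed quiz pass threshold (percent)
ANNUAL_WINDOW = timedelta(days=365)  # annual course must be repeated yearly


@dataclass(frozen=True)
class Completion:
    """One LMS completion record: who, which module, when, and the quiz score."""
    employee: str
    module: str        # "annual" for the full course, otherwise a monthly topic
    completed: date
    score: int         # quiz score in percent


def passed(rec: Completion) -> bool:
    return rec.score >= PASS_MARK


def annual_status(records, employees, as_of):
    """Per employee: 'current', 'overdue' (last pass older than a year) or 'never'."""
    status = {}
    for emp in employees:
        passes = [r.completed for r in records
                  if r.employee == emp and r.module == "annual" and passed(r)]
        if not passes:
            status[emp] = "never"
        elif as_of - max(passes) <= ANNUAL_WINDOW:
            status[emp] = "current"
        else:
            status[emp] = "overdue"
    return status


def missed_topics(records, employees, released_topics):
    """Monthly topics already released that each employee has not passed yet."""
    done = {(r.employee, r.module) for r in records if passed(r)}
    return {emp: [t for t in released_topics if (emp, t) not in done]
            for emp in employees}


def compliance_report(records, employees, released_topics, as_of):
    """Combine both views into the evidence an auditor would ask for."""
    annual = annual_status(records, employees, as_of)
    missed = missed_topics(records, employees, released_topics)
    return {emp: {"annual": annual[emp], "missed": missed[emp]} for emp in employees}


# Constructed sample data for the example; not real LMS output.
SAMPLE_EMPLOYEES = ["alice", "bob", "carol"]
SAMPLE_TOPICS = ["phishing", "passwords", "data protection"]  # released so far
SAMPLE_AS_OF = date(2010, 6, 1)
SAMPLE_RECORDS = [
    Completion("alice", "annual", date(2010, 1, 10), 92),
    Completion("alice", "phishing", date(2010, 2, 5), 100),
    Completion("alice", "passwords", date(2010, 3, 4), 85),
    Completion("alice", "data protection", date(2010, 4, 6), 90),
    Completion("bob", "annual", date(2008, 12, 1), 88),    # passed, but over a year ago
    Completion("bob", "phishing", date(2010, 2, 5), 70),   # failed the quiz: does not count
    Completion("bob", "passwords", date(2010, 3, 4), 95),
    Completion("carol", "annual", date(2010, 5, 1), 60),   # failed: still owes the annual course
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_RECORDS, SAMPLE_EMPLOYEES, SAMPLE_TOPICS, SAMPLE_AS_OF)
    for emp, info in report.items():
        print(f"{emp:6} annual={info['annual']:8} missed={info['missed']}")
```

Note that a failed quiz is deliberately treated as no completion at all: an LMS export often lists the attempt regardless of score, and counting it would overstate coverage in a compliance report.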

Is your organization doing something similar or are you using a radically different approach that you think works better?  Let us know!


Security Video For Management – In Spanish

Javier Fernández-Sanguino Peña recently contacted me asking if we could provide our Management Video in Spanish. As you may remember, we released this video last month to educate management on the importance of security awareness and training. If you are trying to develop management support for such a program, this video is a great way to start. Javier was kind enough to provide a Spanish translation, which we simply converted into subtitles. You can now view the video in English with Spanish subtitles. Thanks so much, Javier! If you would like subtitles added in your own language so you can share the video with your management, email me and I’ll send you a copy of the script to translate.

Thank you, Javier!

You can also download a standalone version in English with Spanish subtitles in Apple QuickTime here.


Albany, NY Presentation Online

I just finished presenting “Securing The Human” at the 13th Annual New York State Cyber Security Conference in Albany, NY. As promised, you can find the slides online here. If you have any questions about the presentation, I would love to hear from you; email me at lance.spitzner@honeytech.com.


The State of “Securing The Human”

After being involved in information security for over fifteen years, I have grown very passionate about “Securing The Human”. There are several reasons for this, but the biggest is that I feel the human is where we can make the greatest difference. Ever since the release of Windows XP Service Pack 2 in August 2004, I’ve seen cyber threats focus more and more on the human. The simplest way to own a network has become to own the employee. So why in the world is the information security community still so focused on technical issues? Go to any security conference or workshop and the talks are focused on the latest tools and exploits. Read almost any security blog, article or mailing list and the discussions are focused on the latest technology. I’m stunned at just how little has changed in the past fifteen years; everything seems to still be focused on the technical side of information security.

The lack of any emphasis on the human issues reminds me of my early honeypot days in 1998. Back then just about everyone was focused on technical exploits (buffer overflows were all the rage); very few people were interested in the concepts of cyber intelligence, in gathering information on threats. After publishing the paper “To Build A Honeypot” I received numerous emails telling me the concepts of honeypots would not work or could not make a difference. Fifteen years later, I like to think honeypots and the concepts of cyber intelligence have had a tremendous impact on the community. What frustrates me now is that we are facing the same challenges with the human issues. Compared to the technical field, very little has been invested in this area. Often if you bring up the human issue, many people simply give up, saying you can’t solve the human problem. Just as I feel many people were wrong about honeypots, I truly feel people are wrong about human issues today. Can we solve all the challenges of information security by focusing on the human? Absolutely not; we are human after all. However, I am convinced we can make a big difference. Think about it. How many different variations of intrusion detection, data loss prevention, or application firewalls can we come up with? Even if we eliminate all the technical vulnerabilities (i.e. we implement the perfect SDLC for all software), threats will just continue to exploit the human. On the other hand, almost nothing has been invested in “Securing The Human”. That is why I feel this area has the greatest potential to make a difference, and that is why I am so excited about it.

I’m curious, what are your thoughts on the state of “Securing The Human”? Do you feel we are as far behind as I feel we are? Do you feel it can make a difference? What exciting areas of research or advances am I missing?


Securing The Human – SANS Presentation

I just finished presenting Securing The Human at SANS Baltimore. This presentation defines the challenges in securing the human (primarily why we are so bad at judging risk) and the key steps to a successful program to address these challenges (humans have vulnerabilities just like technology). As always, SANS has a great crowd. What I love best are not only the challenging questions, but the lessons learned others have to share. As promised, you can download the presentation here. Missed the presentation? I’ll be presenting again next week in Albany, NY at the 13th Annual New York State Cyber Security Conference.

NOTE: I’ve updated the presentation since SANS; the link above is the latest version of the presentation, not the version I presented at the conference.


Exploiting The Human – CTF Style

Traditionally one of my favorite resources on social engineering (a common method for exploiting the human) has been Kevin Mitnick’s book The Art of Deception. In this book Kevin describes in detail many of the social engineering attacks he used in the past. While most of the attacks he describes do not use today’s technology (he simply used a phone as opposed to today’s Twitter, Facebook or smartphone apps), he does a great job explaining how the attacks worked, especially his more sophisticated ones. Specifically, he explains how he progressively built the trust of people within an organization with a series of short phone calls, and building on those calls was able to access an amazing amount of information. What I liked best is that he explains why these attacks worked; he demonstrates how the trust is built step by step. If social engineering is something you are interested in, this book is a must read.

Recently the guys at Social-Engineer.org have taken this idea to the next level. At Defcon this year they will be hosting a Capture The Flag (CTF) event for social engineering. CTF is traditionally a technical event where attendees attempt to hack each other’s networks. The more computers a team hacks (and the better they defend their own computers), the more points they earn. The team with the most points at the end wins the event. This has been going on for many years now at Defcon and is one of Defcon’s most popular events. However, the CTF sponsored by Social-Engineer.org is different: it is one of the first that focuses on the human issues. Specifically, participants are challenged to see how much information they can recover using social engineering techniques. It will be interesting to see which techniques prove to be the most successful and why. Also, this has the potential to provide some very good metrics for the security community. However, it will also be interesting to see how the Social-Engineer.org team constructs the rules of the event to ensure things don’t get out of hand, especially on ethical issues.
