Security Awareness Programs – Monthly or Annual?

One of the key points I covered in my “Securing The Human” presentation at both SANS and NY was the idea of having a monthly or annual security awareness program. Specifically, which is a better approach: an annual program requiring all employees to go through full training once a year, or a monthly program where a new topic is covered every month? Each approach has its advantages and disadvantages.

Annual: An annual program is when all employees get training on all security topics in a single event (usually online training or an onsite workshop). In addition, this full training is usually required for any new hires. The advantage of this approach is that it ensures everyone learns all the key topics. The problem is that people will quickly forget most of the information.

Monthly: In this approach organizations focus on continuously reminding employees about security risks and how best to protect themselves. Instead of covering all security topics at once, the training is broken down into smaller modules, with a new module or topic covered every month. The advantage of this is that employees are constantly reminded about security. The disadvantage is that the content is spread out over a year. If your awareness module on phishing is scheduled six months from now, that means you are vulnerable for the next six months. If you have an employee who missed the module on data protection, that means they most likely will not get the training for another year.

So, which one do you go with? You don’t; you need to apply both. Have an annual program that covers the full training (ensure your new hires take this also). This ensures that everyone receives a complete foundation in key security risks and how to protect both themselves and the organization. Then, you combine this with a monthly program. Not only does this remind and reinforce key topics, but it also allows you to update your content, as threats, technology and your organization are always changing. The key to a combined approach is having your full training program broken down into specific topics (I recommend no more than ten). Then, reinforce each of those topics in the months following the annual training. Repeat this process every year, ensuring you update the content.

Is your organization doing something similar or are you using a radically different approach that you think works better?  Let us know!

Security Video For Management – In Spanish

Javier Fernández-Sanguino Peña recently contacted me asking if we could provide our Management Video in Spanish. As you may remember, we released this video last month to educate management on the importance of security awareness and training. If you are trying to develop management support for such a program, this video is a great way to start. Javier was kind enough to provide a translation in Spanish, which we simply converted into subtitles. You can now view the video in English with Spanish subtitles. Thanks so much Javier! If you would like to have subtitles added in your own language so you can share the video with your management, email me and I’ll send you a copy of the script to translate.

Gracias Javier!

You can also download a standalone version of English with Spanish subtitles in Apple Quicktime here.

Albany, NY Presentation Online

I just finished presenting “Securing The Human” at the 13th Annual New York State Cyber Security Conference in Albany, NY. As promised, you can find the slides online here. If you have any questions about the presentation, I would love to hear from you; email me at lance.spitzner@honeytech.com.

The State of “Securing The Human”

After being involved in information security for over fifteen years, I have grown very passionate about “Securing The Human”. There are several reasons for this, but the biggest is that I feel the human is where we can make the greatest difference. Ever since the release of Windows XP Service Pack 2 in August 2004, I’ve seen cyber threats focus more and more on the human. The simplest way to own a network has become to own the employee. So why in the world is the information security community still so focused on technical issues? Go to any security conference or workshop, and the talks are focused on the latest tools and exploits. Read almost any security blog, article or mailing list, and the discussions are focused on the latest technology. I’m stunned at just how little has changed in the past fifteen years; everything seems to still be focused on the technical side of information security.

The lack of any emphasis on the human issues reminds me of my early honeypot days in 1998. Back then just about everyone was focused on technical exploits (buffer overflows were all the rage); very few people were interested in the concepts of cyber intelligence, in gathering information on threats. After publishing the paper “To Build A Honeypot” I received numerous emails telling me the concepts of honeypots would not work or could not make a difference. Fifteen years later, I like to think honeypots and the concepts of cyber intelligence have had a tremendous impact on the community. What frustrates me now is that we are facing the same challenges with the human issues. Compared to the technical field, there has been very little invested in this area. Often if you bring up the human issue, many people simply give up, saying you can’t solve the human problem. Just as I feel many people were wrong about honeypots, I truly feel people are wrong about human issues today. Can we solve all the challenges of information security by focusing on the human? Absolutely not; we are human after all. However, I am convinced we can make a big difference. Think about it. How many different variations of intrusion detection, data loss prevention, or application firewalls can we come up with? Even if we eliminate all the technical vulnerabilities (i.e. we implement the perfect SDLC for all software), threats will just continue to exploit the human. On the other hand, almost nothing has been invested in “Securing The Human”. That is why I feel this area has the greatest potential to make a difference, and that is why I am so excited about it.

I’m curious, what are your thoughts on the state of “Securing The Human”? Do you feel we are as far behind as I feel we are? Do you feel it can make a difference? What exciting areas of research or advances am I missing?

Securing The Human – SANS Presentation

I just finished presenting Securing The Human at SANS Baltimore. This presentation defines the challenges in securing the human (primarily why we are so bad at judging risk) and the key steps to a successful program to address these challenges (humans have vulnerabilities just like technology). As always, SANS has a great crowd. What I love best are not only the challenging questions, but the lessons learned others have to share. As promised, you can download the presentation here. Missed the presentation? I’ll be presenting again next week in Albany, NY for the 13th Annual New York State Cyber Security Conference.

NOTE: I’ve updated the presentation since SANS; the link above is the latest version of the presentation, not the version I presented at the conference.

Exploiting The Human – CTF Style

Traditionally one of my favorite resources on social engineering (a common method for exploiting the human) has been Kevin Mitnick’s book The Art of Deception. In this book Kevin describes in detail many of the social engineering attacks he used in the past. While most of the attacks he describes do not use today’s technology (he simply used a phone as opposed to today’s Twitter, Facebook or smartphone apps), he does a great job explaining how the attacks worked, especially his more sophisticated ones. Specifically, he explains how he progressively built the trust of people within an organization with a series of short phone calls, and building on those calls was able to access an amazing amount of information. What I liked best is that he explains why these attacks worked; he demonstrates how the trust is built step by step. If social engineering is something you are interested in, this book is a must read.

Recently the guys at Social-Engineer.org have been taking this idea to the next level. At Defcon this year they will be hosting a Capture The Flag (CTF) event for Social Engineering. CTF is traditionally a technical event where attendees attempt to hack each other’s networks. The more computers a team hacks (and the better they defend their own computers), the more points they earn. The team with the most points at the end wins the event. This has been going on for many years now at Defcon and is one of Defcon’s most popular events. However, the CTF sponsored by Social-Engineer.org is different: it is one of the first that focuses on the human issues. Specifically, participants are challenged to see how much information they can recover using social engineering techniques. It will be interesting to see what techniques prove to be the most successful and why. Also, this has the potential to provide some very good metrics for the security community. However, it will also be interesting to see how the Social-Engineer.org team constructs the rules of the event to ensure things don’t get out of hand, especially regarding ethical issues.

97% of Malware Encountered Involves Attacking The Human

One of the things I’ve been looking for is a good statistic that demonstrates just how actively targeted the human element has become. I’ve had several discussions about this topic with the malware community (not just anti-virus employees but researchers, operations, etc.) and I knew the numbers were high. I often get estimates that up to 70% of malware can be totally dependent on exploiting just the human, while another percentage involves exploiting both the human and technical vulnerabilities. I just read a very interesting statistic from Symantec at Network World, where Symantec states that 97% of the malware they now encounter either totally depends on exploiting the human, or involves a combination of exploiting both the human and technical vulnerabilities. In other words, only about 3% of the malware they are seeing depends purely on exploiting technical vulnerabilities. Now, you always have to take statistics with a grain of salt, especially from a vendor. They do not explain how they arrived at those metrics. However, regardless of what the exact numbers are, this helps demonstrate that purely technical exploits are a thing of the past, at least at the desktop. The vast majority of attacks against the desktop (the world of malware) now either totally depend on or at least involve the human.

With numbers like these, I still don’t understand why the vast majority of the security community still focuses on just the technical issues. My guess is that technical vulnerabilities are the simpler of the two to solve, and simpler to demonstrate that you have solved.

Honeynet Project Forensic Challenge

The Honeynet Project just released their latest forensic challenge. You have an opportunity to analyze a real VoIP attack and submit your analysis for judging. Your submission will then be compared and judged against those of your peers from around the world. This is an amazing opportunity to learn, as the top three submissions are shared with the world so we can all learn from each other. In addition, the challenge is also being offered in Simplified and Traditional Chinese, expanding the possible submissions to another 1 billion people. You can find more about the challenge at the Honeynet Project VoIP Challenge site.

Security Videos For Management

Sometimes the most difficult people to reach about information security are management. They often do not have the time, nor the interest, to learn more about these challenges. To help address this I’m playing with the idea of security training videos for decision makers. Below is my first attempt at this. In this video we explain to management why the human factor is important and what can be done about it (if you are going to explain a problem to management, be sure you also have a solution). Since management time is so short, I’m thinking it’s best to keep such videos under three minutes. Input is appreciated, not only on how to improve these types of videos but also suggestions for future topics.

You can also download a standalone version in Apple Quicktime here.

Human Motivations – Cool Presentation

I just saw a fascinating ten minute video on human motivation by RSA (no, not that RSA, the Royal Society of Arts). The title of the video is RSA Animate – Drive; it focuses on human motivations in the workplace, especially in today’s globally connected world. The video is fascinating for two reasons. First, how they use animation to tell the story. They have high-speed video of a person drawing the key points discussed in the presentation. I’m a big fan of imagery, and not only the concept but the imagery they use is very powerful and creative. Thumbs up! In addition, the key points of the video are also fascinating. Specifically, how in today’s information world, for tasks at work that involve cognitive processes or creativity, money is not the primary motivation. Money is obviously important, but once people are paid enough to meet their needs, what really motivates them is the ability to make a difference. In fact, at some point throwing more money at people actually brings productivity down. The video brings up several interesting examples, including open source projects. After being involved with the Honeynet Project for over ten years, I can definitely agree with many of the points discussed. Anyways, I highly recommend you watch the video. Not only will you learn something, but hopefully you may get ideas on how to improve presentations in the future (especially the idea of how to use imagery to convey your ideas).

Shout out to Michael Hendrix for the link!
