Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs must be: « it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do. »

It makes sense and security is no exception. How often do I see companies struggling to improve their level of security hiring external consultant while they have very talented and smart people capable of solving most of the issues… if you let them do it.

It might seem exaggerated but it is not so far from the reality. Your people may not have all the answers but they have likely solutions to a vast majority of your issues.

During lot of audit (or due diligence or GAP assessments), I interviewed managers and employees in order to get an idea of what works and what don’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators but its the discussion with the persons performing the jobs that give you the best insights. Rapidly, we can get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal, it is what we expect from external consultants. But what is often more surprising is that the same people are aware of the issues and have most of the time lot of ideas to fix them. It make sense as they are sometimes the persons suffering the most from these issues.

So, why are the issues still present? There is a lot of possibilities. One of the most common is the believe that the boss is always right (you know, rule #1). Hence, he likely know how to fix the problem, no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended-up in ashes (see http://www.space.com/19476-space-shuttle-columbia-disaster-oversight.html).

Another possible reason is the difficulty of the people from the low level of the pyramid to talk the highest level’s lingo. Senior executives rarely want’s to have their hands dirty or to get involved in technical details or business processes considerations. I saw a few years ago a CIO meeting all the persons in its IT department (hundreds of people). Each meeting with a team gave him multiple hint on what was blocking or impacting the efficiency of his teams. And when you do, it’s easier to get the big picture and take the right decisions.

Another issue is the believe that the top management expect only green lights and positive outcome. « Failure is not an option » is a culture typically leading to failure. Also, sometimes, teams have opposed objectives, hence, they don’t work together to solves common issues but rather they fight each others or they continuously pass the hot potato. Not a good way to solve issues either.

A good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words, they must be applied to be effective. bringing external consultants to fix internal issues is not always the best solution to improve your culture: it just send the message you don’t trust your team have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designated someone to do it) to figure out the best way to improve the situation. And if they need resources (what is likely the case) then maybe hire (external) people to reduce their current workload so they can start working on the changes.

 

Last tip: check your workforce’s skills… there’s sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that could really provide you more added-value. Don’t look too far for your glasses, they might be on your nose.

Think about it.

 

Why is usability important for security management?

Why is usability important for security management? Is it even important? Obviously for a lot of people, it is not. And that’s a problem. But what is usability anyway?

Usability?

According to Wikipedia, and I find the definition pretty accurate, usability is “the ease of use and learnability of a human-made object such as a tool or device. In software engineering, usability is the degree to which software can be used by specified consumers to achieve quantified objectives with effectiveness, efficiency, and satisfaction in a quantified context of use”.

In other words, usability is the process of designing things so they can be easily used and mastered by their end users. Usability is not just about design, it is a science. It is about making our environment optimized for our brains and our bodies. As an example, usability is when you put handles to a box so it is easier to lift. Google, the most visited website in the world is an example in terms of usability: straight to the point, one field and you get what you need in one click. It even completes the words for you, as you type. There’s a reason they are number one and it’s called user experience (UX).

Nowadays, usability, neuroergonomics and even neuromarketing are at the heart of successful designs. Whatever you are selling, you better make it easy to use and even sexy. The traditional KISS (Keep it simple and stupid) design requirement has gained an additional “S” for sexy (KISSS, Keep it simple, stupid and sexy). The article I wrote about the ineffectiveness of SPAM awareness session was also an advocacy for the use of cognitive sciences insights in order to design more effective awareness material.

Why do I care?

If you are a product manager for a startup, you are probably already aware of all the usability requirements for your products. That’s were startups win the war against the old dinosaurs: “better engineered products with better usability and even sexiness”. We all learned from the master’s success: Apple. Steve Jobs knew the rules to make something usable, less buttons. Sleek design is all about simplicity.

But if you are working in security management, or as a security project manager, or even as a security architect, it seems it is more likely that you won’t care about usability. You might think that your job is to make your company secure, not sexy. And you’re right about that. Except that, when it comes to humans, you’re probably failing (in a large part). You may think: « These stupid end-users still don’t get it. » Of course, they still manage to use weak passwords. If you force strong passwords, they write them down or they use the same everywhere. They still don’t know the security policies. They watch you’re very nice slide you showed them during the mandatory security training during their induction but the next day they are already sharing their passwords with their colleagues. Don’t speak about their inability to spot a fishing attempt! Let’s not speak about your system administrators. These fools who believe they are the kings of the realm and have left so many vulnerability open in their system that the latest vulnerability report you received was so long you couldn’t finished it in one day. Hopefully, you will make a strong point during the next security steering committee to ensure these operation guys’ boss understands he must bring them back to the righteous path.

Ring a bell? Not even a little bit? I think so.

If we believe an old saying, wisdom is being able to differentiate between what you can change and what you can’t. The goal here is to focus your energy and your efforts where it matters. So, think again about your problems. What did you do? You made awareness sessions? You wrote very thorough policies and standards? You made sure they were obliged to read them, to sign with their blood that they had read your literature and that they will abide to your rules?

Did it work? How well? Be honest, some miscreants continue to refuse to follow the rules of the holy god of security. They are probably psychopaths! Or could they be just humans? What if you could increase the probability they will read your policies. Even better, what if you could improve the odds of having them changing their behaviours and embracing your security culture? You don’t believe in Santa Claus? Me neither, but I do believe in sciences!

Neuroergonomics & neuromarketing of security!

Neuroergonomics and neuromarketing are the catchwords to refer to the use of social psychology and neuro-cognitive sciences to improve your desire to use a product and to improve your ability to handle concepts, to remember things or to become addict to some applications (think about Facebook or Twitter). If people can influence what you eat, what you drink, what you wear, what you watch or what you read, why couldn’t we use this knowledge to change your people’s attitude towards security?

Does it worth it? Well, are you already paying people to communicate, to make videos, to draw cartoons but you still have too many incidents and non-compliance? Yes, so maybe you should start investing in better designed solution and put usability as a requirement for all the projects and for all the tools or “product” security wants to sell.

Concretely?

POLICIES

  • If you have an Intranet, your security policies must one click away from the first page.
  • You must have a clear organization, a hierarchy and a search engine allowing anybody to quickly find the policy he needs or the procedure.
  • Policies should go straight to the point, from the reader’s point of view, as soon as the first pages.
  • Forget lawyers or technical talks, use common vocabulary.
  • Do’s and Don’t are likely more efficient than long descriptions.
  • Use words and situation your audience are familiar with.
  • Ensure your rules are translated into actions in their process and procedures.
  • Ensure these procedures are pragmatic and easy to read.
  • Use pictures, screenshots, beautifully designed templates. Make it look more like a fashion magazine than an old book.
  • Use positive words. Any command that can be better performed by a dead man is a bad command (example: « Don’t use short passwords« … a dead man can do that very well. Rather prefer « use long secure password« ).
  • Group similar things together.
  • Be consistent. You even better be congruent (use multiple association together) like Red + Triangle to signal Don’ts and Green + Checkbox to signal Do’s. Keep consistency with the colors (Red Negative, Green, positive).
  • Use consistently the same word to designate one thing. Even if synonyms can make reading less annoying, always using the same word to designate one object or concept makes it easier to understand (even more for new concepts)
  • Prefer lists
  • Keep it as short as possible (More than 10 pages, is clearly too much)
  • Use symbols, signals, icons, pictures
  • Keep the rule of 3 in mind: if you want to explain a concept, break it down to 3 parts/steps/components, then explain the 3 sub-concepts (using 3 other steps/concepts/parts) and so on until people can understand it. You can go up to 5 « objects » but not higher.

PROCESSES

  • Imbed security processes into existing processes.
  • If a process works, don’t fix it.
  • If you can streamline it, do it, even if it is not you first job. Making people life easier will facilitate the acceptance of the controls and it might even improve the attitude of people towards security.
  • Create links between all processes so they can benefit from each other e.g. ensure Vulnerability scans feeds the CMDB to ensure consistency. (It is supposed to be like that in a perfect world, but that’s just theory)
  • Forget long swim lane drawings or decision trees spanning on 3 pages, keep it short by splitting the process.

AWARENESS

  • Changing behavior is something we do out of emotion, not based on rational thinking. Even if rational thoughts can lead to a change, we initiate this change only if we connect these thoughts with some emotion.
  • Use real concrete situation (something that happened or could happened)
  • They must be relevant for your audience (use scenario involving your audience, allowing them to identify themselves to the character)
  • Use as much as possible what they already know well (places, situations, products, application, organization, but also more personal things kids, sports, cooking, walking in the street, …)
  • Show them the concrete consequence on people when they don’t comply with the rules or the secure behavior (its easier to have feelings toward people than organization)
  • Foster self-identification to your character by using little positive details to which your audience can relate to (« Sam likes to take a coffee with his colleagues, Alice likes
  • Songs, rimes, jokes, kittens, anything that will be outstanding will help memorize. So use it when it is important (if you use the same trick too often, its efficiency tend to fade down)
  • Associate non-« sexy » items (like security rules) with more attractive one (a nice place, a smile, a cute cat picture, a beautiful woman – yes, it works for both man and woman -, a good song)
  • Repeat, repeat & repeat the message but change the format so it doesn’t get boring and so you can use various way to reach people.
  • We are all different, what works for you doesn’t absolutely work for everybody.

PS: Yes, I could make this list more « sexy » and it will likely come, but it will be in the (near) future 🙂

Is Cybersecurity a good buzzword?

For years now, Information security is a fast growing market. At least for a couple of years, the cyber security market is growing fast. Even in these times of budget cut in many sectors, quite often the cyber security department manages to negotiate an increase of its operational budget. That’s significant, isn’t it? Moreover, nowadays it becomes nearly impossible to ignore the wave of “cyber-“ words: cybercrime, cyberterrorism, cybersex or cyberbullying.

You could not have missed also the news about the CERT.be, the federal cyber emergency team (CERT used to be the Computer Emergency response team, likely less “sexy” than Cyber emergency Team) which is, according to its website, “a neutral specialist in Internet and network security” (So Cyber security is Internet and Network Security?). With the CERT.BE, you probably also read about the Belgian Center for Cyber-security (CCB). Neither could you haven’t noticed the buzz around the new Belgian Cyber Security Coallition or the 1.8 billion € allocated by the European Commission to a private-public partnership made to increase Cyber Security. In the latter, the private sector is being represented by the newly born European Cyber Security Organisation (ECSO). That’s a lot of Cyber-related news, isn’t it? Does Azimov’s vision become a reality? It sure sounds like we are in one of his Robots series book.

But what does Cyber mean? How is Cyber Security different from Information security or IT security? Which one of both is it?

According to the NIST, Cybersecurity is “The process of protecting information by preventing, detecting, and responding to attacks”. So, is it Information Security? But according to the new worldwide reference, Wikipedia, Cyber is « part of the “Internet-related prefixes added to a wide range of existing words to describe new, Internet- or computer-related flavors of existing concepts, often electronic products and services that already have a non-electronic counterpart”. So, Cyber Security should be the Internet or Computer related flavor of information security that we used to call IT security. But is it?

Because lately I’ve heard the “cyber-buzzwords” used in so many different contexts by so many person (including some executive clearly not knowing what they were talking about), I have difficulties to understand what we are talking about exactly.

Understand me well, I like the fact that our country’s leaders finally decided to address the increase of the Internet related threats more seriously. As our risk surface is drastically expanding, it is more than time to address those risks at a more global level (but we are still far from a clearly necessary worldwide cybersecurity agency, for a lot of obvious political reasons). I also like the fact that my clients’ board of directors give more focus to “cybersecurity”, whatever they think it is. At last, it provides us a momentum to raise awareness and improve the governance maturity to the necessary level.

What I don’t like in the “Cyber” fashion, is having a so important subject becoming more and more vague and focused, again, on the technological aspects. With the new buzzword came a lot of new supposed-to-be-panacea products claiming they will solve all the problems overnight (or in a few months, but at our timescale, it is the same). I heard of CISO (Chief Information Security Officer) being rebranded CCSO (Chief Cyber Security Officer).

Is it really a progress? For years we fought to have the CISO positions created at a board level in order to get out of the IT ghetto. The aim was to be also present where information security belongs: in the organizations processes and workforce. In 2016, the latest IBM security survey still attributes 60% of attacks to inside jobs. 1 employee out of 5 is ready to sell his corporate’s network credentials. The biggest weaknesses are still in the business processes and in the human being behind them. Most ethical hackers and red team members know that they don’t need a zero-day exploit to get into a target’s systems, they just need a charming smile and a couple of beer to get what they need to get in. With all the good this new Cyber buzzword brings, there is an evil: we are going back to a computer and technologically focused perception of corporate security issues. Human, processes and facilities are relegated to the second position while they still represent more than 70% of the risks. Does it make sense? Is Cyber Security an evil buzzword after all?

Few will share this article as a lot of cyber security professionnal won’t dare to challenge the marketing machine that is actually feeding them. And as I wrote, there was some good coming out of this, but it is necessary to see all the side impacts and ensure marketing people are not the one deciding where you should put your focus.

Red team exercises are like vaccination against attacks?

Yesterday, I have been asked what exactly RTEs are and why are they useful?

As I believe a good analogy worth a thousand words, I tried to find one than can be understood by any layman. The vaccine principle stroked me as the perfect one.

Baby was receiving his scheduled vaccine injection in his right

Red Team Exercises principle is to launch an attack against your organisation like a vaccine will do to your body. The mechanisms used by the vaccine are exactly the same as the real virus except it doesn’t destroy or weakened your body. Instead it allows your body to learn how to fight it in order to be better prepared when he will face the real deal.

That’s exactly what RTEs are about: boosting your company’s immune system by allowing your white cells (your security personnel) to learn how to fight the intruder.

How often did we hear that a risk assessment was extravagant because the system administrators thought the system was not so sensitive for the company business? How many times have we been told that a kind of attack was difficult to carry or that we had view too many James Bond like movies? Rarely does that happen after an RTE as vague threats become concrete and evidenced. It allows your operational teams to better understand that the reality of this “war” against criminals is not about isolated risks but systemic risks. It is about preventing viruses to enter your body. Any breathing, any wound, any contact with an external source can be start of a chain of events that will lead to your infection. And sometimes, infection means death if you don’t threat it well on time.

As there is as many vaccines as there are viruses, there are as many RTE scenarios as possible attacks and threats: Cyber-attacks, credit-card fraud, identity fraud, espionage, theft, industrial espionage and so on.

So, what disease are you the most afraid of?

How to detect fake or stolen IDs?

Identification is one of the big challenges faced by security managers. It is a challenge when it comes to IT systems but even before that, to identify people. Even with the rise of national electronic identity cards (like eID in Belgium), fake or stolen IDs are still possible.

Even better, you might just make a Google Image search using a picture of an eID (like the one below) and find some other pictures of legitimate ID available on the web (not to say it is a breach of the European Data Privacy regulation).

Fake-eid

Sometimes, you might just receive a photograph of an eID or even just an ID card number or National Register number in a registration form or in a job application form. Shall it be for recruitment, background check or customer identification (like de KYC, Know your Customer, process for financial institutions), you might need to check, as much as possible, if the credential you have received are legit or not.

In Belgium, luckily for us, the ministry of interior provides a partial access to its database to validate an ID card number or an national register number. This application, Checkdoc, will just tell you if the number is still valid (No Hit) or if it is outdated or stolen (Hit).

You need to register first before being able to use Checkdoc (https://www.checkdoc.be/) .Also, notice you have to inform your customer or contacts that you will run their information through the database before doing it.

Additionally, you’ll find also pictures of every type of ID card being used at the moment and an explanation of the various security features you can use to spot a fake.

(Updated on 13/08/2016)

At the international level, Interpol provides the same kind of services to airlines operators through its Stolen and Lost Travel Documents (SLTD) database. Although there is plance to extend the access to this service to other industries, it is not the case yet.

 

Good hunting!