This has been a post I have wanted to write for quite some time, having first mulled it over before the Christmas break.
I had started listening to a relatively new podcast, called the Human Factor from Jenny Radcliffe, and it was an episode in which she was speaking to Quentyn Taylor. During the course of the interview, they were discussing user awareness training, and how it needs to be personal – something Jenny has discussed on previous shows. Listening to this episode whilst driving back from (and reflecting on) an earlier meeting, I had an epiphany – more on that shortly……
The meeting was with an organisation on the doorstep of a customer we were having a service review meeting with beforehand. We entered a room of technical guys (folded arms, always a great sign) who explained that they were “a Microsoft shop”, and went on to elaborate on their “mobility strategy”, whereby a key element of said strategy was to use VDI as a means to facilitate mobile working. I happened to enquire if they were prescribing this to tablet users, given that the end user experience is less than optimal (although some disagree). Their view was that it met their users’ needs and they were continuing on that journey regardless.
I tried to explain how our consultancy might help in terms of strategy, only to be cut short: “we do the strategy”. To change tack, I asked “What challenges do you have currently?” Surprise, surprise: the rollout of the mobile working project was being held up because the user community wasn’t returning laptops in exchange for the new tablets! Instead of giving in to the urge to facepalm, I decided to professionally (but quickly) wrap up the meeting. As I said to my colleague, they had been sold on the Vendorsaurs “vision” and hadn’t thought through the policy & process aspects – let alone the people. They were making the users fit the product, because they had an enterprise agreement.
So, fresh from this meeting and then listening to Jenny and Quentyn, it hit me – blatantly obvious perhaps. We forget about the users!
In fact, it’s worse, because not only do we forget about the users – we actually criticise and ridicule them. I’ve done it myself – both during my years as a “proper” IT person, and more recently.
Clicked on the phishing email? Stupid user!
Project rollout stalled? Luddite users!
(Cue the old alleged WordPerfect helpdesk chestnut)
It’s easy to engage in this user slating; however, we need to remind ourselves of a simple fact:
Most users probably don’t care about the computers and software that we foist upon them – certainly not in the same way IT folks do. It is merely incidental – something they are forced to use in order to do their job.
Contrast this to the rise (and rise) of smartphones and tablets and it becomes clear why everyone has one or both (and thus the resurgence of Apple, and then others in their wake). Regardless of your mobile OS or manufacturer allegiance, it is impossible to argue that consumerisation and ease of use have not driven up people’s use of websites, apps etc. way more than laptops ever did. Walk round any city and look at how people are transfixed with their gadgets – to the point of either getting run over or bumping into people.
I recently explored this topic with a CIO (given his views on “Guerrilla working”) during a meeting last year. Whilst he embraced the benefits of mobility, when I asked about the low volume of tablet users the reply came: “they haven’t been beating a path to my door”. I conjectured that perhaps they weren’t aware of what was possible, not least due to the disconnect between the technology they are forced to use versus the technology they enjoy using.
The more I reflect on this, the more I come to the conclusion that IT teams are guilty of making both assumptions and decisions about how their users will use technology – which means it’s no surprise that projects fail, we have breaches, and there is an increasing move to “Shadow IT”. Put simply, we forget about the users – until it turns to crap, then we blame them.
I would love to know if anyone has actually done a TCO or ROI calculation and taken into account the cost of slippage and/or failure – set against the incremental cost of using a “not bundled as part of an ELA” software solution or service that their users like using.
To quote Quentyn: “Humans are the root of all of our problems, but they are also the root of all of our profit”. So, maybe it’s time we started to think about the users – put them at the centre of what we do. Thus, the most important question in any new IT initiative should be:
“What about the users?”
I’ve intentionally chosen the provocative title in the hope it helps to further raise awareness and provoke (sensible) discussion. It was prompted by yet another “outing” of user carelessness (or ignorance) on LinkedIn recently – something that folks in the Information/Cyber Security field are doing more and more.
What I mean by outing, is where someone has posted a picture of a laptop left unattended and unlocked, for more than enough time for the poster to have had a good poke around, steal data, plant some malware – or just physically steal it to do any/all of the above at leisure later on.
One of my team posted something similar a few weeks ago, and was then subjected to an online backlash for daring to post it – with many clearly not reading his post properly and jumping to other conclusions too! He had simply suggested that he “could have had free access to the computer for 5 minutes” and that “a call to the head of Infosec might be in order”, but too late – blue touch paper was lit. Stand back….
Responses ranged from “why didn’t you confront him”, “have a quiet word”, “lock his machine”, through the more terse “why post on linkedin”, “mind your own business”, and up to the likes of – “snitch”, “bed wetter”, and some even more abusive. All of this from so-called professionals. (I tried to have a meaningful offline conversation with the “bed wetter” accuser, who descended into abuse – staggering, given that they are allegedly a head of department at a major retail bank!!). And my colleague had nothing personally to gain from this, as we aren’t in the user training business – it was simply a case of pointing out “how stupid?” once again.
So, I’d like to deal with the main themes of the negative responses one at a time:
Bad idea IMHO. No matter how politely you try and put this, there’s more than a slight chance that the perpetrator will be aggrieved by a stranger telling them what to do. Will it change their behaviour? Unlikely – they’ll probably be thinking “who are you to tell me?” and (like the folks who posted negatively) probably see this as an intrusion. Besides, is it the job of any of us to deliver ad hoc InfoSec training – and will it be effective? As an avid listener to Jenny Radcliffe’s “The Human Factor” podcasts, the words “personal” and “relevant” spring to mind (as being the only way for training to be effective).
“Why post on LinkedIn – it’s not Facebook?”
For the first half of the question, it is to highlight the issue, the blatant recklessness of the action, and to hopefully help people realise the risk. This is a professional network (allegedly), so why not appeal to “professionals” to behave as such. For the second half, see No. 3.
Name calling and profanities
Calling someone names on a professional site – and abusive language? Really?? My observation is that this behaviour IS actually for Facebook. Any moral high ground you felt that you were on, has collapsed once you descend into abusing people online.
“Just ignore it”
Sorry, but no. It is difficult enough to keep pace with the threats posed by “the bad guys” without making it easy for them. “The Human Factor” is key to most of the cyber threats we encounter, and speaking as someone passionate about this, I can’t just ignore it. And I’m not alone.
“Does it really matter?”
I’ll actually share a little more about the incident that my colleague encountered – specifically, that the perpetrator of the unattended laptop he snapped and shared was an employee of a national funeral service. Someone who clearly had information on deceased people, and, worst of all, was ordering coffins on his phone when he returned to his laptop!! Let’s just think about this for a moment: the details of one of your deceased family members are left unattended by someone………hello? Identity fraud?? And the distress that goes with it.
The crux of this issue is that those of us in this space (i.e. Information/Cyber Security) recognise the importance – yet to those outside, it is seen as something relatively innocuous. I mean, come on – it’s hardly putting anyone at risk leaving a laptop unattended, is it?……..
To those people outside of InfoSec who are wondering “why all of the fuss?” – here’s a question for you:
Would you walk around naked with nothing more than a sandwich board that displayed your personal information, perhaps information about your family, the company information you access regularly, your browsing history, etc?
Chances are the answer is no – so why justify people leaving their laptop, papers, or anything else, in a public place and completely unattended and unprotected?
I completely get that there is an increasing amount of crap posted on LinkedIn that is certainly more for Facebook, etc. – however IMHO this kind of exposure absolutely needs to continue AND continue via this platform until these behaviours change. Perhaps we should have a “cluelessness exposed” group on LinkedIn that is set aside for this, whereby CIOs and CISOs can go and check to see if their organisation has been called out? (clearly it would be smart to publicly call out the individual – but could be shared privately)
It’s bad enough that people are blissfully ignorant or careless – it’s worse when people are criticised for raising awareness. For that is surely the preserve of a fucktard (widely accepted definition here in case you need it!).
At the time of writing this, the news about TalkTalk’s breach is all over the news. It broke last night (22nd October) at around 10pm and was clearly serious for it to be “breaking news” on the BBC app. Fast forward 12 hours and it is all over the BBC – including the CEO getting grilled on Radio 4.
Like others, I have a little insight into the background and whilst I’ll not comment further, it is fair to say it could have been avoided. The immediate question will be around the security team, however it would be completely unfair to point at the CISO and the team – and more about why the board didn’t take the risks seriously that will invariably have been highlighted before. In fact, whilst it is commendable that the CEO has spoken and warned their customers, the fact that she could not/would not confirm whether the data was encrypted (clearly it wasn’t!) is not going to help their image. The damage to their reputation will be huge.
When I was actively working within the Infosec world, I used to use an analogy to describe the attitude to Infosec from some organisations – it’s like selling car insurance to young drivers. When you passed your test and got your first car, chances are you were given sage advice by parents to buy something sensible and insure it Fully Comprehensive to cover all risks. Of course, if you were like me you will have ignored the advice and chosen to spend the savings made by going Third Party Fire and Theft on the “important stuff” – like a car stereo, noisy exhausts, go-faster stripes, etc.
You probably then proceeded to bomb around and one day the inevitable happens – you have a crash, the car is damaged (maybe wrecked) and you are left with a pile of mess on your parents’ drive, staring in the face of a big repair bill, because you weren’t “Fully Comp”. All of a sudden you realise that it wasn’t that expensive after all…….
There will invariably be lots of conjecture, analysis, and of course legions of my former peers and their employers espousing the importance of good controls (and of course, how they could have prevented this from happening). Just like the young person with the wrecked car, TalkTalk will have to spend much more to try and fix the problem – and they’ll probably do it through gritted teeth – which means that they might still “go cheap” to limit the cost.
The most important thing here is the customers’ data – and the real focus should be to help them protect themselves from the inevitable risks in terms of their banking information and the wider ramifications of their data being “out there”.
Like many, I had predicted some time ago that there would be a big one and that I hoped it might just make organisations start taking this seriously – not just in word, but in deed. So, to all of those organisations that have had a “Third Party Fire and Theft” attitude to their security posture, the message is clear. Time to go “Fully Comp”!!
I took the decision to move out of Information Security a few months ago, having become a little jaded with the same themes, the same problems, and the same old vendors re-labelling old technologies as the new panacea. It caused me to reflect and then go back to a blog post I’d started 6 months ago.
Events such as the Experian hack, the suggestion that millennials are free and easy with their online habits, and more recently Dridex help to keep Cyber-Security in the public eye (and the addition of “Cyber” is intentional, as it would seem it isn’t enough to just say “Information Security” these days!). Yet despite all of this publicity, despite all of the “new” solutions, people are the problem. And even worse, there still isn’t enough board participation – according to the latest report from Stewart Room’s team at PwC (click on explore the data, then the leadership tab!).
Ah…users. They were just as feckless back when I was an IT practitioner (88-96) as they are now – possibly a little more these days. Controversial statement maybe, but you only have to be a Facebook or LinkedIn user to nod your head in agreement, given the howling things people do (or don’t do) online. I did make a comment on this before in my blog post “Beyond the looking glass”, although an item shared by one of my contacts seemed to fly in the face of this – suggesting that 83% of 18-34 year olds are concerned with online privacy, along with 8 out of 10 people surveyed overall.
I had been meaning to write something along these lines for a while, and it was seeing Graham Cluley’s recent video that prompted me to get around to it. In his video, he is appealing to all users to take some responsibility – which, whilst I wholeheartedly agree, I wonder if it will ever change. Just recently at IP Expo, I was chatting with a couple of InfoSec professionals, who were bemoaning a recent incident whereby users had opened one of the recent phishing emails that had “your invoice” attached. Like them, I could not understand why someone would want to open an email from a person they did not know – especially if their day job has nothing to do with receiving invoices. But for whatever reason, the end user opened it, and the rest was history…..
As Graham points out in his video, Dridex wasn’t exploiting any vulnerability “per se” – apart from the “pink interface”. So in other words, all of those very clever anti-malware/APT protection/“emperor’s new clothes” solutions have zero effect on stopping it. In fact, having worked around this space for a few years, the newer methods of pushing out malware are so sophisticated that each piece of malware is made unique for every email (bang goes your traditional and heuristic AV!), and it is often intelligent enough to detect counter-measures (they detect the IP addresses of the security vendors – and can recognise the machine-based VMs used in sandboxing), so bang go the shiny new APT solutions – ultimately you are chasing a diminishing return. Arguably, the only effective way to (try and) stop this is to implement an application whitelisting approach such as AppSense or Avecto – although this presents other challenges, such as making sure patched versions of “allowed” applications are maintained to avoid false positives.
So, what has 15 years in InfoSec taught me? That the AV vendors from years gone by have done a great job in maintaining their revenues, yet offering little innovation, while everyone focuses too much on the tools to protect the infrastructure – instead of focusing on the “tools” using the infrastructure. All of the risk assessments, the “best of breed” products, the “cyber” solutions are nothing without a well thought out awareness campaign that actually resonates with users and makes them think about what they’re doing.
The question is, will it ever change?…..
At the time of writing, the news about Regin is lighting up Security news, blogs and tweets. The full facts still haven’t surfaced, and whilst some security vendors might try (foolishly) to spin their inability to protect their customers into positive news, it surely must prompt a radical rethink of the way we approach malware.
Personally, I’ve always had a view that the Anti-Virus/Malware approach is a little backward, because it is predicated on trying to protect against the unknown – which is an impossible task. Unless you dedicate a machine’s CPU and memory to sandboxing, it’s a trade-off – net result being a combination of signatures and some basic heuristics. Given the proliferation of malware and the various iterations that come from polymorphic malware, these old fashioned approaches are simply no good any more.
If we sit back and think about what malware is, it is simply a piece of unauthorised code. In other words, it’s an application or sub-routine that the user will most likely not want to run – be it a virus, worm, Trojan, spyware, adware, etc, etc. This being the case, it begs the question why we have continued for so long with a back to front approach to the problem? By this I mean why are we still saying “allow any code to run unless we think – or know – it is malicious/bad”?
Of course, I’m not the only person to say this – with the alternative suggestion being to only allow “whitelisted” applications or code to run and block anything else. For many IT managers, this approach is considered too onerous – primarily because it requires ongoing monitoring and checking of permitted apps. There have been several ways of achieving this; e.g. using host-based firewall/IPS type solutions, closing down the rights of users to prevent installation of apps or any code that wishes to embed itself within the host OS, or even very OS-specific (i.e. Windows) solutions, such as AppSense, that create a “wrapper” around a host and its applications. A more recent addition in this space is from Avecto.
One thing is for certain: if the level of sophistication seen with Regin is the shape of things to come, then perhaps it’s time to rethink the approach to malware. So maybe it finally IS time to junk that AV or Anti-Malware solution?…..
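The “allow unless known bad” versus “deny unless known good” contrast argued for here (and the per-email uniqueness of malware and the patched-version caveat raised in the Dridex post above), as an added example that is not the post’s own code nor that of AppSense, Avecto or any other product. It assumes a purely hash-based policy on constructed sample “binaries”; real allowlisting products also use publishers, paths and signatures.

```python
"""Blocklist (default allow) versus allowlist (default deny) on sample binaries.

Added illustration, not code from the original post or any product. The
"binaries" below are constructed byte strings standing in for executables.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a blob; the only identity both policies use here."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples. The two malware variants carry the same payload but a
# different junk trailer, which is enough to change the hash: the "made unique
# for every email" behaviour the post describes.
APPROVED_APP_V1 = b"MZ\x90\x00 wordprocessor build 1.0"
APPROVED_APP_V2 = b"MZ\x90\x00 wordprocessor build 1.1"  # a patched release
MALWARE_VARIANT_A = b"MZ\x90\x00 dropper payload" + b"\x00" * 3
MALWARE_VARIANT_B = b"MZ\x90\x00 dropper payload" + b"\xff" * 7

SAMPLES = {
    "approved_app_v1": APPROVED_APP_V1,
    "approved_app_v2": APPROVED_APP_V2,
    "malware_variant_a": MALWARE_VARIANT_A,
    "malware_variant_b": MALWARE_VARIANT_B,
}


@dataclass
class BlocklistPolicy:
    """Signature-style model: run anything unless its hash is already known bad."""
    known_bad: set[str] = field(default_factory=set)

    def decide(self, data: bytes) -> str:
        return "deny" if sha256(data) in self.known_bad else "allow"


@dataclass
class AllowlistPolicy:
    """Default-deny model: run nothing unless its hash is explicitly approved."""
    approved: set[str] = field(default_factory=set)

    def approve(self, data: bytes) -> None:
        # Every patched build needs re-approval; this is the maintenance burden
        # (and the source of false positives) the post warns about.
        self.approved.add(sha256(data))

    def decide(self, data: bytes) -> str:
        return "allow" if sha256(data) in self.approved else "deny"


def run_comparison() -> dict[str, dict[str, str]]:
    """Decide each sample under both policies.

    The blocklist only knows variant A, so variant B (same payload, new hash)
    walks straight through. The allowlist has only approved build 1.0, so both
    malware variants are denied, but so is the unapproved patch 1.1.
    """
    blocklist = BlocklistPolicy(known_bad={sha256(MALWARE_VARIANT_A)})
    allowlist = AllowlistPolicy()
    allowlist.approve(APPROVED_APP_V1)
    return {
        name: {"blocklist": blocklist.decide(blob),
               "allowlist": allowlist.decide(blob)}
        for name, blob in SAMPLES.items()
    }


def reapprove_after_patch(policy: AllowlistPolicy, old: bytes, new: bytes) -> str:
    """Retire the old build and approve the patched one, returning the new verdict."""
    policy.approved.discard(sha256(old))
    policy.approve(new)
    return policy.decide(new)


if __name__ == "__main__":
    for name, verdicts in run_comparison().items():
        print(f"{name:18} blocklist={verdicts['blocklist']:5} "
              f"allowlist={verdicts['allowlist']}")
    p = AllowlistPolicy()
    p.approve(APPROVED_APP_V1)
    print("after patch:", reapprove_after_patch(p, APPROVED_APP_V1, APPROVED_APP_V2))
```

The hash-based toy also makes the trade-off concrete: the same property that stops the never-before-seen variant also blocks the legitimate patch until someone approves it.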
The recent Target breach provided the security industry with much to talk about, with wildly varying views on “what happened”, and no doubt with many of the vendors jumping up with their panacea for such incidents.
Now the dust is settling on the incident and more of the detail is starting to filter through into the public domain, the background is becoming clearer – with respected blogger and security writer Brian Krebs offering probably the best view of “what happened”. You can read his article here, although in short he states that the combination of a 3rd party supplier breach utilising an industrialised version of spear phishing is most likely to blame.
Let’s take those 2 items one at a time and think about them a little. First of all, the 3rd party supplier consideration: here is a major retailer, using a 3rd party organisation which it may have considered to be relatively harmless given the work engagement, yet it is alleged that this organisation had access to a billing system (along with other 3rd parties) which was in the core of the Target network – and potentially with a simple login (i.e. no 2-factor authentication).
For the 2nd part, to quote Krebs directly: “Many of these email malware attacks start with shotgun attacks that blast out email far and wide; only after the attackers have had time to comb through the victim list for interesting targets do they begin to separate the wheat from the chaff.” In other words, what we at Proofpoint would describe as “longlining”.
So, to the lessons to be learned from this recent attack:
1) Ensure that 3rd party supplier assessments are robust and are appropriate to the potential risk
2) Ensure that any 3rd party access to internal systems is subject to the same stringent access as an internal user
3) Segregate systems that are accessed by external parties
4) Review processes and controls for email and advanced threat detection
In the case of 4, this incident has arguably proven once again that the humble email and clever obfuscation techniques were the first step to a very expensive breach for one of the largest retailers in America. We know that traditional email filtering isn’t enough – and nor are the new advanced sandbox technologies in isolation. New attack methods are highly sophisticated and require the same level of sophistication in order to combat them. Target won’t be the last to fall victim like this – and chances are there are many other compromised organisations that don’t yet realise they are on the hook.
The beauty of working for a technology company is that every once in a while, your nerdy world transcends across into the real world – with a new discovery, or some other piece of breaking news. This week I had the good fortune to have a bit of both, whereby my organisation seemed to discover proof of a theory that has been doing the rounds in Information Security and Technology circles for some time – namely that internet enabled, always connected devices could be used for nefarious purposes. These devices come together under what is called “The Internet of Things” (IoT), whereby they can communicate and inter-operate in order to help improve everyday life. For the general public, this can include domestic products that can call out for service repair, heating systems that come on ahead of the timer cycle if there is a cold snap, alarm systems that call the homeowner and display live streaming from a surveillance camera – the list goes on….
So back to the story: our researchers figured out that during a recent email attack, in addition to being orchestrated from “conventional” machines (i.e. typically laptops and PCs – aka a BotNet), approximately 25% of the attack was coming from “unconventional” ones. Machines such as home media centres, games consoles, and other domestic appliances. This made for great headlines, hitting all of the usual online news channels (BBC, Register, Guardian, Independent) – but as a first we also made the printed media, including treating UK commuters to this new world as front page news in The Metro.
Aside from the great press for Proofpoint and the brief prodding of the public’s consciousness, those of us in the security world ought to see this as a wake-up call. Rather like the early days of networking and the internet, with poor passwords and flaky firewall rules (if you even had a firewall!), this highlights how laziness and lack of planning has led to devices running an unprotected, stripped-down Linux kernel, an unsecured SMTP server, and a web server that is perhaps running some archaic version of Apache. Of course, manufacturers can run updates – even have an auto-update feature – but as we all know this rarely happens well. Furthermore, having architected these devices to be low cost, you can be certain that security was at the bottom of the list of considerations when set against convenience and ease of use (i.e. zero user configuration required – given the target audience).
Of course, you could say “Who cares?” – after all, what harm could come from a bit of internet “noise”? Personally, I’d be concerned that once compromised, one of these devices could be then used to compromise the home router from the inside – then it’s open season. Every bit of household traffic (online banking, etc.) would be in complete view – much easier to compromise than constantly trying to craft clever spear phishing to snare the user. And that’s just one example – how about a brand new “thingbot” army to carry out DDoS attacks? What about a compromise on Android (or iOS)? The list goes on….
Twenty years ago, we might have laughed at the recent headlines – and some may be laughing now. Let’s hope the nerds don’t have the last laugh.
So after a day of major email outage for Google mail users (i.e. that were Postini originally), things have finally settled down. Like many others working in the email security space, this provided mild bemusement – although not enough to start embellishing the potential ramifications (or pointing out how wonderful our SLA is). Unsurprisingly, other vendors have found it difficult to contain themselves – with one blog entry trumpeting the 100% uptime SLA.
Now vendors making “interesting” claims and SLA guarantees is nothing new – MessageLabs offered a 100% SLA against known and unknown viruses years ago. However, using this tactic to seduce customers – especially ones who are suffering at the hands of their current provider – is arguably immature and also prone to disaster. In fact, any sizeable organisation with half clued-up IT professionals/CIO will pull apart such claims – or at least insist on some stringent additions to the “teeth” said vendors claim they have in their SLA. For instance, how can you truly offer and guarantee 100% when you do not own the premises, the fibre, and simply lease space in the data centre? Crazy!!
Irrespective, back to the point of this – namely ambulance chasing or winning trust. Instead of jumping on the bandwagon and selling on the pain that has been caused by the outage, why not try a different approach? An approach that talks about the higher-level, strategic challenges that will (or have) manifest once a technology company has been acquired; whereby the acquirer sweats the asset, then strips the asset, and then slowly allows the old service/product to degrade – whilst offering inducement to come aboard the new one. This is of course not unusual, and you can look at the email market to see examples of large acquisitions over recent years to see this pattern repeated. For example; Symantec acquired MessageLabs for circa $700m, the founders (quite rightly) cashed in on their 10+ years of hard work, the talent slowly drifted away from the corporate beast that was night and day from the exciting startup they joined, and the service receives little or no significant investment.
This is no criticism of Symantec – nor anyone else. It’s a commercial reality. You don’t spend that kind of money on a business and then throw in the same again just for fun! Anecdotally, I often hear of a once great business or technology that has become a pile of rubbish after the big IT giant opened its war chest and offered the VC and founders the right price. Because of this, perhaps the trick is to have a rational and sensible conversation with a CIO, hopefully well ahead of the winding down of the original product or service – and certainly before a major outage. Have those “succession planning” conversations, but above all discuss the merits of the alternative you are proposing. Kind of basic sales stuff really.
So back to my ambulance chasing peers who are enjoying this current malaise – please remember that every VC has an exit, every founder a price, and above all, people who live in glass houses……
Within the subject area of Information Governance, we very often talk about privacy and confidentiality. Even the lowly sales folk like me who are generally considered stupid appreciate the basics around good information security practices and confidentiality.
This week I have found myself in an interesting scenario, whereby I could potentially put myself at risk of a breach of confidentiality simply by trying to be helpful and improve a product. I’ll explain….
One of my 2013 New Years resolutions was to properly embrace GTD, figure out a system, and find a good to-do app/service, that would hook into my preferred way of working. Cue buying the GTD ebook, lots of reading, lots of research, revisited apps previously bought, hung around on LinkedIn discussion groups, etc. etc. (You get the picture)
I’d subscribed to Evernote a couple of years ago and was starting to use it more and more, so decided to try some of the emerging apps that would work with it. My thinking was that Evernote would become my “bucket” or “inbox” (in GTD parlance) and then I would find an app, service for this methodology. Enter 2 interesting services that I saw mentioned on several discussion groups; Zendone and IQTell. Both are in a private Beta, which you apply for, answer a few questions (to make sure you aren’t wasting anyone’s time) and away you go.
Cutting to the chase, I tried both and decided that Zendone seemed the more likely one to fit my needs, so out of courtesy I responded to a “how are we doing” email from IQTell. My email response basically said that I found the other interface more intuitive, which suits my way of working. Also, I found the Evernote integration was more slick. Then came the questions, which sat me squarely on the horns of a dilemma: “Which aspects of the interface are more beneficial?” and “What made the integration slick?”
Having gone back through the emails I received during sign-up (and also scouring both websites) I cannot find anything relating to a confidentiality agreement or similar. On the one hand, I would like to share some information in order to help the IQTell team improve – but equally, it would be unfair to share the “secret sauce” of Zendone’s interface. Of course, journalists publish reviews and comparisons all the time (as do normal Joe Public types like me) – the question is, at what point does sharing views and opinion cross the boundaries of confidentiality? Furthermore, in view of the fact that there is no obvious agreement, does this exonerate me?
In the meantime, the email is still in my inbox…..
After a weekend without any connection with the wired world, I returned to the “biggest story on BBC Radio 1” – specifically the police and their tough approach to trolling on Facebook and Twitter.
Of course, the news item (repeated often) had soundbites from politicians, pop stars and public alike – offering reasons for and against. There was also comment offered from international visitors stopped in the street by intrepid reporters – with a shocked “ooh” from a Japanese girl after being told of the fate of the 17 year old who posted comments to Tom Daley’s twitter feed.
This provoked much debate in the car journey – with the ultimate conclusion being that whilst draconian, the people posting abusive comments are basically publishing and therefore as liable as they would be had they put up a billboard poster or published a TV or newspaper ad.
Regardless of your point of view, this actually highlights a challenge faced every day in the exciting world of Information Assurance – namely education. Almost every meeting I attend, and everywhere I see discussions online, the same issue is highlighted – i.e. the general inability (or unwillingness) of users to appreciate the ramifications of their actions (or inaction).
For quite some time, I have been saying how I believe that users of technology seem to disassociate their gadget or piece of technology from the rest of the wired world and instead labour under the misapprehension that the device (and therefore any interaction) is personal. In my experience – both direct and anecdotal – there are strong signs of this, whereby users seem to be unaware that their device is in fact a window into the outside world.
Of course, the reality is that users will actually see this window as a mirror – it is their world that is displayed back to them. Therefore as part of the education process, perhaps we need to emphasise that the whole world can see whatever they do in front of this mirror; pick nose, clean teeth, laugh, cry, – in fact anything. And that it is all recorded forever – or at least until Internet storage runs out and things are deleted……..
After all, whilst there is arguably nothing more cringeworthy than seeing your junior self having been recorded singing & dancing to Fame/Grease/SpiceGirls/etc. from years ago, I would proffer that there is nothing more sobering than a rejected job application, a transaction declined due to lack of funds, or a knock on the door from the police for posting abusive messages.
Maybe we need a few more prosecutions to wake up these mirror gazers and protect them from themselves…..