So I have tried to keep my comments and rage limited to Twitter, but with this last echo-chamber pile-up on Security Awareness, I felt an obligation to put my asshole (opinion, my $.02) out there once again. @Krypt3ia and @iiamit have both posted their rebuttals, “Throwing out the Baby with the Bathwater” and “Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?” respectively, calling each other wrong of course, but where’s the excitement without debate. I mostly agree with my stabby counterpart on this topic.
Dave Aitel had posted “Why you shouldn’t train employees for security awareness” to the CSO Blog, which by the title alone will probably confuse a majority of the CISOs out there. Dave talks about how Security Awareness is no match against RSA, Shady RAT and all of the APT nonsense we have all ranted about. He goes on to say that your users have no responsibility over the network, which is only a half-truth. Yes, your users don’t have any operational responsibility over your network, but they damn sure are accountable for what happens to your environment, or at least should be. I know the whole “Don’t Click Shit” (Sorry Ian, it’s not “stop clicking shit” as you wrote in your rebuttal) is more of a humorous way for us to deal with our frustrations, but the underlying truth is that infections are introduced by end users, and that is a fundamental truth.
Dave had made an interesting comment about the vulnerabilities found in some of the training software used by many of his clients. This leads me to believe he has absolutely no idea what an awareness program is and equates it to the CYA computer-based training solutions that regulated organizations throw at their users once a year and then forget about. That is not an awareness program, Dave; it is similar to a CISSP Boot Camp (Yes, I had to throw that in here). A security awareness program is focused on training, reinforcement and integrating security responsibilities into the organization. That is a security program, Dave, and coming from both Offense and Defense I can damn well state that it works when layered on top of other security controls. It is not, and will never be, a silver bullet.
Dave had mentioned that only technical controls stop his social engineering attacks, and I’d like to ask what technical controls are in place to prevent one of your users from disclosing their credentials or exposing their machine to an attacker through a phish? Are you selling some unicorn cream that can be applied to the endpoint? Or perhaps some fairy dust that will stop the user from disclosing your IP over the phone? Let me guess, DLP?
You had suggested the following 7 things that organizations should do instead of wasting their money on employee training. Well, let me take the time to address each one.
1) Audit Your Periphery
While auditing your environment is a good process, audit is after the fact. This will not protect you from the RAT. Implementing change control procedures, access controls, segregation of duties, and maybe even, I don’t know, Secure Coding Training?? Those would.
2) Perimeter Defense/Monitoring
Perimeter Defense is also a good compensating control, but it breaks down when your administrators start adding rules and such because, I dunno, maybe no one told them that this is bad. I’m hoping you don’t think perimeter security is a magical concept. Intrusion Detection is almost never rolled out properly because the primary goal of your organization is to make money. Most of the time an IDS is just about checking a box and satisfying a requirement. If you don’t classify the data, then you really have no idea what you should focus your resources on.
3) Isolate & Protect Critical Data
This is one of the points where I agree with you. This should be the very first step in your Security Program. Identify your data, Identify where your data lives, and how important it is to the business. This is where the majority of companies fail, not in training and awareness programs.
4) Segment the Network
Again, I totally agree. Endpoints should never live on the production segment. All access should be through choke points that can be tightly controlled. Treat all endpoints as if they were hostile (my self-serving statement; more on this in “You Can’t Buy Security”, coming to a country near you).
5) Access Creep
Access Creep, or Access Controls, are a big part of protecting your organization. However, this naturally comes after classification of your data. How do you know who should have access to what if you don’t know where it is?
6) Incident Response
To me, Incident Response is one of those funny things that people think they want but have no idea how to implement. How do you implement an incident response program if you don’t have any processes around training your users to identify incidents? Magic? How do you know if you have a rootkit if you don’t have any build standards? I’m hoping you see the points I’m trying to make.
7) Strong Security Leadership
Strong Security Leadership is definitely a big part of the security program; however, I don’t think I have seen a CISO in the last 10+ years who has had sole responsibility to pull the “Kill Switch”. The decision is a shared business decision, and the CISO has the responsibility to syndicate the risks and make everybody at the table aware of them. If you don’t build security awareness into your operating model, then how do you personalize the risk to the stakeholders? “I’m stopping this because???” Are you going to use fancy calculations and pull out your ALE formulas?
In closing, Security Awareness/Training programs are not a once-a-year “watch this video” or “use this app” initiative. They are the integration of the security mindset into the fabric of the organization.