So I have tried to keep my comments and rage limited to Twitter, but with this last echo chamber pile-up on Security Awareness, I felt an obligation to put my asshole (opinion, .02) out there once again. @Krypt3ia and @iiamit have both posted their rebuttals, “Throwing out the Baby with the Bathwater” and “Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?” respectively, calling each other wrong of course, but where’s the excitement without debate? I mostly agree with my stabby counterpart on this topic.

Dave Aitel had posted “Why you shouldn’t train employees for security awareness” to the CSO Blog, which by the title alone will probably confuse a majority of the CISOs out there. Dave talks about how Security Awareness is no match against RSA, Shady Rat and all of the APT nonsense we have all ranted about. He goes on to say that your users have no responsibility over the network, which is only a half truth. Yes, your users don’t have any operational responsibility over your network, but they damn sure are accountable for what happens to your environment, or at least should be. I know the whole “Don’t Click shit” (Sorry Ian, it’s not “stop clicking shit” as you wrote in your rebuttal) is more of a humorous way for us to deal with our frustrations, but the underlying truth is that end users are a fundamental source of the infections being introduced into the environment.

Dave had made an interesting comment about the vulnerabilities found in some of the training software used by many of his clients. This leads me to believe he has absolutely no idea what an awareness program is and equates it to the CYA computer-based training solutions that regulated organizations throw at their users once a year and then forget about. That does not make an awareness program, Dave; it is similar to a CISSP Boot Camp (Yes, I had to throw that in here). A Security awareness program is focused on training, reinforcement and integrating security responsibilities into the organization. That is a security program, Dave, and coming from both Offense and Defense I can damn well state that it works when layered on top of other security controls. It is not and will never be that silver bullet.

Dave had mentioned that only technical controls stop his social engineering attacks, and I’d like to ask what technical controls are in place to prevent one of your users from disclosing their credentials or exposing their machine to an attacker through a phish? Are you selling some unicorn cream that can be applied to the endpoint? Or perhaps some fairy dust that will stop the user from disclosing your IP over the phone? Let me guess, DLP?

You had suggested the following 7 things that organizations should do instead of wasting their money on employee training. Well, let me take the time to address each one.

1) Audit Your Periphery

While auditing your environment is a good process, audit is after the fact. This will not stop the Rat. Implementing Change Control Procedures, Access Controls, segregation of duties, and maybe even, I don’t know, Secure Coding Training might.

2) Perimeter Defense/Monitoring

Perimeter Defense is also a good compensating control, but it breaks down when your administrators start adding rules and such because, I dunno, maybe no one told them that this is bad. I’m hoping you don’t think Perimeter security is a magical concept. Intrusion Detection is almost never rolled out properly because the primary goal of your organization is to make money. Most of the time an IDS is just about checking a box and satisfying a requirement. If you don’t classify the data, then you really don’t have any idea what you should focus your resources on.

3) Isolate & Protect Critical Data

This is one of the points where I agree with you. This should be the very first step in your Security Program. Identify your data, identify where your data lives, and how important it is to the business. This is where the majority of companies fail, not in training and awareness programs.

4) Segment the Network

Again, I totally agree. Endpoints should never live on the production segment. All access should be through choke points that can be tightly controlled. Treat all endpoints as if they were hostile (My self-serving statement, more on this at “You Can’t Buy Security”, coming to a country near you).

5) Access Creep

Access Creep, or Access Controls, are a big part of protecting your organization. However, this naturally comes after classification of your data. How do you know who should have access to what if you don’t know where it is?

6) Incident Response

To me, Incident Response is one of those funny things that people think they want but have no idea how to implement. How do you implement an incident response program if you don’t have any processes around training your users in identifying incidents? Magic? How do you know if you have a rootkit if you don’t have any build standards? I’m hoping you see the points I’m trying to make.

7) Strong Security Leadership

Strong Security Leadership is definitely a big part of the security program; however, I don’t think I have seen a CISO in the last 10+ years who has had sole responsibility to pull the “Kill Switch”. The decision is a shared business decision, and the CISO has the responsibility to syndicate the risks and make everybody at the table aware of them. If you don’t build security awareness into your operating model, then how do you personalize the risk to the stakeholders? “I’m stopping this because???” Are you going to use fancy calculations and pull out your ALE formulas?

In closing, Security Awareness/Training programs are not a once-a-year “watch this video” or “use this app” initiative. It is the integration of the security mindset into the fabric of the organization.

As Ian pushed one last self-serving statement, so will I. Go check out “You Can’t Buy Security”, coming to DerbyCon, T2infosec and Security Zone 2012.

3 comments so far

  1. In my experience, end user security training establishes or helps to further establish:
    1. We really care about security.
    2. We want you to care about security.
    3. (Most important) – Tell us when something is happening that’s violating our security policy. I’ve heard many people I may not normally talk to say “Joanie in dept X subscribes to an online service they use quite a lot”.

    Users will always be the source of the unknown, and many times you can’t control their moves (as much as we try). At the end of the day, they have to produce a product/service that keeps us in business. You can’t train everyone. Those you train may forget it a few days later. But the one guy who remembers it six months later may tell you about something you may not know, challenge someone who isn’t displaying their ID badge, or, best of all, train others.
    Good online training like SANS “Securing the Human” costs next to nothing and does the job quite well.

  2. What next? Don’t teach people about contraception and safe sex?

  3. Well said