Security awareness is a huge topic these days. We hear a lot about it, and we hear questions such as: why does this keep happening, and why can't we stop viruses, ransomware, and hacking attempts? These and many other questions continue to baffle technology professionals and corporations around the world, and they are some of the items I am going to try to tackle. According to an IBM Cyber Security Index, more than 95% of cyber security incidents involve human error. Among a corporation's security protocols and practices, one of the most overlooked areas is ongoing, active security awareness training for employees. I am also going to discuss how these programs work and what they should include to make them effective, interesting, and even fun, so that people become more security aware.
Technology can only go so far in protecting your company. As technologists, we could tighten security so far that it hampers, and ultimately hurts, employee productivity and lowers morale. Even worse, it could hand so much control over the management of your company to IT that you wonder who is actually running your business. As a technologist who has spent my entire professional career educating business owners on how to manage their businesses better through technology, I have always believed that technology experts play a supporting and empowering role within the organization. We need to design systems that empower business growth and let employees achieve more. However, we now have to do it in a manner that protects the company we support at a level never seen before, and there is no sign that security awareness will stop being a hot topic well into the future.
It is estimated that 59% of security breaches were caused by insiders who had access to sensitive data and exposed it by accident, not through malicious activity. When you think about what fuels human error, or as I call it, the human factor that creates the mistakes that expose sensitive data, you have to consider the following factors.
1) Fatigue; a common and accepted definition of fatigue as it relates to human error is a decline in mental or physical performance caused by lack of sleep, disruption of your internal body clock, high workload, disruption in the workplace, prolonged physical exertion, or a combination of any of these factors.
2) Audible and visual noise; a Cornell University study on human-computer interaction showed that on simple tasks such as pairing a Bluetooth device, people failed more often on the first try in a noisy environment than in a quiet one. In addition, human noises such as a baby crying or people talking increased the failure rate more than natural noises did. It is reasonable to assume that human mistakes will happen at a higher rate in an environment that produces a lot of human interaction and distraction.
3) Consistency in the workplace; Don Norman, the author of “The Design of Everyday Things”, puts human errors into two categories, slips and mistakes. Slips happen when humans are on autopilot and make assumptions, such as typing an email message and not verifying the addressee to ensure you are sending it to the right Karen when you have more than one Karen in your address book or cached in Outlook, resulting in confidential information being emailed to the wrong person. A mistake happens when a human has formed an incorrect mental model, so the mind misinterprets what it sees. An example: we all know our own email address, but if someone spoofs it with minor changes, such as adding an “s” to the end of the company name or replacing “.com” with “.eu”, would you notice, or would your mind read the address as belonging to someone you know? These kinds of errors create opportunities for hacking, the spread of viruses, identity theft, and fraud.
4) Training; this is one of the biggest shortcomings when it comes to using technology to address human behavior. Technology relies on predictable conditions, and humans are anything but predictable with technology: if it doesn't work the first time, we will try and try again. In most cases system design does not account for human error prevention; a system might stop you from doing something, but that is only one small part of the training and end-user awareness that needs to be addressed.
When it comes to security mistakes that lead to lost data, misplaced data, data sent to the wrong person, or unauthorized system access, it is typically not a matter of “if” but of “when” something will happen that puts your company at risk. To put together a prevention model, we have to understand the most common mistakes people make so that countermeasures can be put in place to correct them. Companies have to understand that security is a tug of war between protection and convenience, and at times convenience is going to win. This happens because when a system blocks user activities that it concludes are putting you at risk, people get frustrated and demand that security protocols be relaxed to make things more convenient, without fully understanding or measuring the risk versus the reward.
Some of the most common security mistakes:
1) Sending sensitive data to the wrong destination. A 2008 AOL study found that 32% of people admitted to sending emails to the wrong person; a more recent study found that number had climbed to 78%. This is a real problem and can create real issues with your customers and vendors.
Six tips for preventing email mistakes, from The Creative Group:
a. Give it your undivided attention; avoid multitasking when drafting or responding to important messages.
b. Save the distribution list for last; when writing a confidential message, wait until it is complete before selecting the recipients.
c. Take care with those you copy; think twice before you hit reply-all, and copy only the people who need to be part of the conversation.
d. Review it on a big screen; emailing on smartphones and other small devices increases the likelihood of mistakes and can change the intent of the message.
e. Check attachments; confirm any attachments by opening them again before sending.
f. Keep it professional; keep in mind that electronic messages are easily forwarded and copied, and company email can be monitored.
2) Clicking on unknown links or funny pictures. There are real risks in links and pictures, whether on websites or in email. Modern email clients render the same HTML that websites use, so links, images, remote content, and forms that work on a web page can be embedded in a message too (most mail clients block scripts, but they do not block links or remote images). Two of the most common email risks are phishing and malware. Phishing is when you receive an email that takes you to a fake website; once there, you are asked to enter sensitive data about yourself or an account. The most common phishing sites imitate your bank, the IRS, or somewhere else you commonly do business. Malware and viruses, including ransomware, can arrive as a picture, a link, or some other executable file. In some cases today the file you download does not carry the payload itself but acts as a dropper for a second file, which then executes independently of the first.
How would you know which links to click on and which ones not to? If you just ordered something online, you should expect to get a confirmation email and shipping information. Take the time to look at it first and make sure it is what you were expecting. Another case: if you just signed up for an online account, you should expect a confirmation email from them; however, they should not be asking you to verify information you already entered into the registration form.
What should you avoid? An unexpected email from your bank asking you to log in and verify your information or account: unless you initiated that activity, assume the unexpected email is a fake and delete it. An unexpected email from a friend asking a question that is out of character for them, or asking you to verify personal information that a friend should already know.
If you need to verify whether the sender of an email or a link is real, there are a couple of things you can do. In the bank example, do not click on the link; open your own browser, manually type in the address you know, and log in. If you have a message from your bank it will be there; if not, the email with the link is a fake. In the friend example, it is easy to text them and verify that they sent you something, or you can open a browser and manually type in the link, verifying the spelling as you type. Creative spelling or misspelled words in a link are a key indication that it is fake and will take you somewhere you don't want to go.
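The mind can miss an extra letter or a swapped top-level domain, but a short program does not. The Python below is an added example, not code from the original article: it checks a sender address or link target against a constructed list of domains you legitimately deal with (example.com, examplebank.com and irs.gov are assumptions for the example) and flags the lookalike patterns described above under slips and mistakes: the brand name reused under another TLD or buried as a subdomain of someone else's domain, and hosts one or two characters off from a real one. It also shows why you read the actual host of a link rather than the text placed in front of an @ sign.

```python
from urllib.parse import urlparse

# Constructed list of domains the reader legitimately deals with (assumption for
# the example): the company's own domain, its bank and a government agency.
KNOWN_DOMAINS = {"example.com", "examplebank.com", "irs.gov"}


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(value):
    """Host part of an email address or URL, lower-cased.

    For URLs the host comes from the parsed netloc, so a decoy such as
    https://examplebank.com@evil.net resolves to evil.net, not examplebank.com.
    """
    value = value.strip().lower()
    if "://" not in value:
        if "@" in value:                      # plain email address
            return value.rsplit("@", 1)[1]
        value = "http://" + value             # bare host typed by a user
    return urlparse(value).hostname or ""


def classify(value, known=KNOWN_DOMAINS, max_distance=2):
    """Return 'known', 'lookalike' or 'unknown' for a sender address or link."""
    host = extract_host(value)
    if not host:
        return "unknown"
    # Exact domain, or a subdomain of it (mail.examplebank.com), is fine.
    for domain in known:
        if host == domain or host.endswith("." + domain):
            return "known"
    labels = host.split(".")
    for domain in known:
        # Brand label reused under another TLD or as a subdomain of something
        # else, e.g. examplebank.eu or examplebank.com.evil.net.
        if domain.split(".")[0] in labels:
            return "lookalike"
        # One or two characters off, e.g. examplebanks.com or examp1ebank.com.
        if levenshtein(host, domain) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs, mixing addresses and links.
    for sample in ["alerts@examplebank.com", "security@examplebanks.com",
                   "http://examplebank.eu/login", "https://examplebank.com.evil.net/verify",
                   "https://examplebank.com@evil.net/login", "newsletter@unrelated-shop.net"]:
        print(f"{classify(sample):9s} {sample}")
```

A result of "lookalike" or "unknown" is a prompt to verify out of band, as described above, not proof of anything on its own; the edit-distance threshold and the known-domain list are tuning choices for your own environment.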
3) Copying data to flash drives, lost or stolen mobile devices, and use of personal equipment for business.
Flash drives and USB drives have become so popular that a British dry cleaner reported finding more than 9,000 of them left in coat and pant pockets in a single year. In a separate survey, Credant Technologies found that more than 12,000 of them were left in taxi cabs in a single year. They have become so popular that they are the target of specific worms and malware that use them as a transport method between systems.
Some basic steps to protecting USB and flash drives, according to Symantec:
a) Protect your data; don't copy personal information such as Social Security numbers, credit card information, bank account information, or other personal data to a USB flash drive.
b) Use encryption; if you must put confidential or personal information on a flash drive, make sure it is encrypted first.
c) Use secure devices; some newer flash drives have features such as fingerprint authentication, built-in encryption, or some form of two-factor authentication.
d) Pick a storage spot; since these are small devices, designate a spot in your desk, counter, or briefcase where you keep them so you can find them and they stay secure.
e) Keep home and office separate; never use the same device to store both business and personal information. Lose one device and you put both at risk.
Cell phone thefts are on the rise and will continue to be for the near future. In most cases, cell phone thieves are after the phone itself, not the data. However, there has been a significant rise in identity theft resulting from stolen smartphones and the data on them. According to a Business Insider report, 44% of smartphone thefts were due to the owner leaving the phone in a public place, 14% were taken from a house or car, and 11% were due to pickpockets or street theft.
Some easy smartphone protections, according to CTIA Everything Wireless:
a) Be aware; know your surroundings and how you are using your smartphone, and do not carry it in a back pocket or loose-fitting clothes.
b) Lock it; set a strong passcode on your smartphone and change it often.
c) Add apps; there are apps that can track, lock, and erase personal information on your smartphone.
d) Save it; like your computer, you should be backing up your smartphone and saving your pictures to a secondary media source.
e) Insure it; this just makes the cost of a replacement a little easier to swallow.
Using personal devices for business, or what some people call BYOD (“bring your own device”), in the workplace. In some cases a good BYOD policy can bring benefits such as improved morale, since employees like to select their own device type and manufacturer. There are also many challenges that come with BYOD, such as ensuring that work data is not mixed with personal data, verifying that non-employees or family members will not use the device, and determining what happens if an employee is terminated or loses the device. These must all be determined before initiating a BYOD policy, along with very tight written policies around confidentiality, intellectual property ownership, and data destruction.
According to Computer Weekly, the ICO guidance recommends the following steps for companies adopting BYOD:
a) Determine which types of company data can be processed on personal devices.
b) How you are going to secure access to, and encryption of, company data.
c) How corporate data should be stored on personal devices.
d) How and when corporate data should be deleted from personal devices.
e) How data should be transferred from personal devices to the company servers.
4) System misconfigurations, poor patch management, and use of default usernames and passwords.
We would all like to think that hacking has evolved into a highly sophisticated process that always keeps technologists on their toes. However, that is not the case: Gartner predicted that through 2020, 99% of firewall breaches would be caused by human error and misconfiguration rather than by flaws in the firewall itself.
How could this be? Configuring a firewall can be a very difficult and time-consuming process, and the difference between properly configured and misconfigured can be as simple as a missed period or a misspelling, simple mistakes that open things up to the outside world. In 2015 a misconfigured router grounded 90 United Airlines flights for more than two hours. An AlgoSec State of Automation survey found that 20% of organizations had a security breach, 48% an application outage, and 42% a network outage due to errors in manual security-related processes.
According to Infosecurity, there are steps you can take to minimize the human error factor during security change processes:
a) A change is requested. One of the biggest complaints is that it takes too long to make a requested change. This is one area where taking your time is well worth it: make sure you understand the change and the risks before implementation.
b) Plan the change. Make sure your team has a full understanding of your infrastructure; making a change in one area may open holes in another.
c) Understand the risks. Make sure all potentially exposed areas are reviewed; what seems like a simple change could affect applications, open inbound and outbound traffic, or expose other parts of the network.
d) Make the change. Make sure someone who knows the firewall rules and configuration makes the change, and decide whether it should be added to an existing rule, be its own rule, or be abandoned altogether.
e) Validate the change. Test your change and the rule set in its totality; again, the difference between properly configured and misconfigured can be very small.
f) Document. Make sure the change is clearly and completely documented.
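The validation step is where a missed period or a fat-fingered mask gets caught before it reaches production. The Python below is an added example, not from the original article or any vendor product: it audits a small, constructed rule set (the rule names, addresses and the list of sensitive ports are assumptions for the example) for three problems the change process above is meant to prevent: an allow rule that exposes an administrative port to any source, a rule shadowed by an earlier, broader rule so that it never matches (first match wins), and a rule set that does not end with an explicit deny-all. The "fat-fingered" rule shows the kind of one-token mistake described above: a source of 0.0.0.0/0 where 10.20.0.0/16 was intended.

```python
import ipaddress
from dataclasses import dataclass

# Ports whose exposure to the whole internet almost always signals a mistake
# (assumption for the example; tailor the list to your own environment).
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp"}
ANY_PORT = (0, 65535)


@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    dport: tuple     # inclusive (low, high) destination port range


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer, inner):
    """True when every packet that inner would match, outer matches as well."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def is_deny_all(rule):
    return (rule.action == "deny" and rule.proto == "any" and rule.dport == ANY_PORT
            and _net(rule.src).prefixlen == 0 and _net(rule.dst).prefixlen == 0)


def audit(rules):
    """Return (rule name, problem) pairs for the three checks."""
    findings = []
    for i, rule in enumerate(rules):
        # Check 1: an allow rule with an unrestricted source reaching a sensitive port.
        if rule.action == "allow" and _net(rule.src).prefixlen == 0:
            exposed = [name for port, name in SENSITIVE_PORTS.items()
                       if rule.dport[0] <= port <= rule.dport[1]]
            if exposed:
                findings.append((rule.name, "allows any source to " + ", ".join(exposed)))
        # Check 2: a rule fully covered by an earlier one is dead because first match wins.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    # Check 3: the rule set should end with an explicit deny-all.
    if not rules or not is_deny_all(rules[-1]):
        findings.append(("ruleset", "no final deny-all rule"))
    return findings


# Constructed rule set. allow-rdp-from-vpn was meant to have src 10.20.0.0/16;
# deny-db-from-dev was added after a broader allow and can never match.
RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", (80, 80)),
    Rule("allow-https", "allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", (443, 443)),
    Rule("allow-rdp-from-vpn", "allow", "0.0.0.0/0", "203.0.113.20/32", "tcp", (3389, 3389)),
    Rule("allow-db-from-app", "allow", "10.10.0.0/16", "10.20.0.0/16", "tcp", (1433, 1433)),
    Rule("deny-db-from-dev", "deny", "10.10.5.0/24", "10.20.0.0/16", "tcp", (1433, 1433)),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT),
]

if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```

Run this against the proposed rule set as part of step e), before the change goes live, and again after the fix; the shadowed deny is a good reminder that a change can be harmless in isolation and still wrong in the context of the whole rule set.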
5) Poorly written or poorly automated security policies.
Strong written policies are key to the overall success of any security initiative and awareness training. If you do not have policies, what are you going to train on and enforce? Without strong policies, you also open your company up to interpretation of existing practice. Worse yet, without a policy a legal argument could be made that if you did not say we cannot do it, then we can; and then where does the liability for misdeeds lie? What are some of the things your security awareness training policy should cover?
a) Acceptable use policy for electronic communications
b) Confidential data policy
c) Email policy
d) Mobile device policy
e) Incident response policy
f) Network security policy
g) Password policy
h) Physical security policy
i) Wireless network and guest access policy
The power of social engineering is staggering, and the risk and exposure to your corporate systems is extremely high. In a study performed by Carnegie Mellon University, researchers found that people were willing, for as little as $1, to be convinced to download and install a program on their computers: for the promise of $1, 67% of people were willing to download the program and 63% were willing to actually run it. Security attacks increasingly depend on human interaction to achieve their goals, so accounting for the human factor within your security strategy and awareness program is becoming even more critical in today's corporate environment.
Traditional security processes and tests typically ignore the human factor altogether, because it is difficult to incorporate into a tool that measures conditions, assessment models, and legal strategies. Newer models are starting to recognize that there is a human target that has to be accounted for, so security planning must include more than IT: Human Resources, Legal, Communications, and upper management all have to understand and commit to a new security model.
Where does the social engineering process start? Ernest Hemingway said it best: “When people talk, listen completely. Most people never listen.” People who initiate online conversations and phishing are great listeners, and these conversations may come through commonly accepted media such as Facebook, LinkedIn, Twitter, and other social media websites. It is widely understood but rarely protected that information is the most valuable commodity today, yet we have become a society that wants to share, and that puts our companies and us at risk. People who have become experts in social engineering typically have skills in psychology, a wide understanding of human emotion, IT skills, and the ability to read body language and people's responses to verbal and written communication.
What are the actual risks associated with social engineering? A CEFRIEL study, “Social Driven Vulnerability”, covered multiple organizations with more than 12,000 employees combined and used a Social Driven Vulnerability Assessment to gain insight into the actual level of risk they were exposed to through social engineering. The tests contained several simple, common tasks such as phishing emails and links. In the phishing tests more than 34% of recipients followed the link, and 21% entered company credentials into the fake site. The scary thing is that by simply adding certain logos and changing the wording, these numbers quickly went above the 50% mark and continued to rise as the phishing attempt was made more socially engineered.
How do you mitigate the risks of social engineering? This is very difficult because we do not all have the same education level, we are all at risk of manipulation, and we are all human and make human mistakes. The research still suggests that, on top of the technological countermeasures we put in place, the best way to combat social engineering is awareness and training for all employees. This training has been shown to improve morale and to build a culture in which employees are security minded and security aware, and are not afraid to confront and challenge things that just don't seem right.
It is understood that it's important, and we have talked about a lot of things throughout this article, but what is the next step? How do we get to an effective Security Awareness Training Program? First, it is important to understand that if you think you can put this together internally, or without senior management's commitment to its success through implementation and enforcement of its objectives and results, you are already on a difficult and perhaps impossible road. Security awareness starts at the top; this is where success or failure lies. Senior management has to support the initiative through policy and enforcement of that policy, and through budget allocation for security measures and countermeasures, which could be in the form of software, hardware, or both.
Some of the key components of a Security Awareness Training Program are:
1) Company Security Awareness: the formation of the security awareness team. Not all organizations operate the same way, and the level of tolerance for security varies from company to company, so it is important to develop your own internal team that becomes the champion for the rest of the company. This team establishes company-wide security metrics, determines appropriate training content, and interfaces throughout the company on security initiatives.
2) Security Awareness Content: because management processes, corporate goals, and objectives differ, determining the security awareness content is critical to the overall training process.
3) Security Awareness Training Checklist: checklists are critical in guiding employees and companies through the awareness process. The ongoing development of content, the information dissemination process, and the employee participation process can all be managed through a checklist.
4) Identification of Threats, Vulnerabilities, and Countermeasures
5) Mobile Device Security
6) Continued Education Programs
Security awareness is the key component in combating security threats of all kinds, whether data protection, viruses, malware, external and internal hacking, ransomware, or the emerging threats that come with the growth of mobile technology. Protecting yourself and your business has to be an ongoing process and something that becomes culturally ingrained in your organization. It takes effort, time, and commitment, and it has to be a budget item to ensure that you are funding countermeasures to new threats as they emerge. If you think it won't happen to you, you are wrong; statistically speaking it already has, you may just not know it, and you may have gotten off easy. The threats are getting smarter, harder to detect, and doing more damage than ever before.