Interviewed by @jwgoerlich at #michsec podcast regarding my #besidesDetroit keynote

Yesterday, while workers had a day off, I had the pleasure of talking with Wolfie from the MichSec and BSidesDetroit community. We discussed information security in general, and the human factor specifically.

You can listen to the podcast here.

And you can hear my keynote if you attend BSidesDetroit!

Mental Models: Understanding how people think will help you create a better security program

My take on security awareness training is not exactly a secret. One reason is that my company specializes in helping organizations create effective security culture programs. More important is my deep interest in the human mind and in human interaction.

I am going to share with you some of the techniques we apply when we communicate security awareness and security culture, and how the human mind interacts and intersects with security. This first post will look into mental models. Later posts will discuss personality types, how to communicate with the different types, and how to design a complete security culture program for success.

Mental models

According to scientists like Daniel Kahneman, our brain operates in two different modes. One requires a large amount of energy, is slow and inefficient, and is usually quite accurate; the other is fast, efficient and – flawed!

If we accept this idea, we can think of our brain as a child's sorting box – the box with different holes that match different shapes. Your quick brain takes the input (what you read, hear, see, smell and so forth) and tries to match it to an existing pattern. It's like the child picking up a piece and trying out different holes in the box until it finds one that fits.

When a matching model is found, your brain reports back to you “Job's done!”, releases some “feel good” drugs, and moves on.

This method is very efficient, and it allows you to quickly digest large amounts of data and deliver the results you are expected to.

It is, however, not without flaws.

One drawback of this method is that the number of models in your brain matters. If you do not have the right model (i.e. you have not yet learned it) in your mind, your brain is likely to try to fit the input into one of the existing models, just like a toddler trying to fit a square into the circular hole in the sorting box. Sometimes that square fits in that round hole too – and the toddler is happy. Your brain acts the same way – if your input matches a model, it stops searching for a better match. This may be you, jumping to conclusions.

Another approach your brain uses if it is not able to find a matching model is to just dismiss that information. “If I can't understand this information, it simply does not matter,” it tells itself, forgets about the information and continues to save energy. This may be you, not believing what you read.

More importantly, most of the people we security people interact with lack the mental models we use when communicating with them. Since they do not understand us, they are not able to relate to our message in a way that makes sense to them, and the blinds go down. You've seen this, I've seen this.

Does this mean we should stop teaching them? Does this mean that security awareness training is a lost cause? Of course not. It simply means you must be:

Helping people “get” you

Understanding and accepting that your brain uses mental models may help you make more sense of other people, and of yourself.

If we accept the premise that mental models matter, we can start introducing new mental models to our co-workers. We can also adapt our message to their existing mental models. The first step is for you to realize that your co-workers' mental models differ from your own. Next, start learning as much as you can about their models, and finally adapt your message so that they understand it.

Being stubborn

If you prefer not to learn about your co-workers, and continue to force them to adapt to your message, you are less likely to succeed. You will continue to complain that training is not working.

The funny thing is that the more you complain, the more you reinforce your own mental models. And guess what? Your brain starts to filter out anything that may prove you wrong!

So even if I can show you training programs that work, you will not believe it.

Funny, isn't it?

EU Security Bloggers Awards 2013 Nominee

Europe (Photo credit: Wikipedia)

The infosec community in Europe may not be as visible as the one in the US. One reason may be our different languages, cultures and country borders. The community is, however, very much alive.

To prove this fact, the EU Security Bloggers Awards have been kicked off by Brian Honan.

I am humbled to be included as a nominee in this celebrated list of amazing talent and insights from some of the brightest infosec extroverts of Europe.

Of course, I would love for you to vote for me and this very blog, too! The only thing better than being a nominee would be to win the category – Best Personal Blog. And I could use your help with that!

Vote here: https://www.surveymonkey.com/s/EUSecurityBloggerAwards

Fear not, though, you can vote for many of the other great blogs too!

Will you help me win?

Detecting slow portscans – a master thesis by Bjarte Malmedal

Although the master's thesis is very old (2005) by modern standards, I believe the content is becoming more relevant also outside of defense and high-end enterprise. The most important finding in the thesis is that NetFlow can be used as a very efficient and cheap tool to discover slow portscans. In addition, the thesis details how to build your own NetFlow collector and viewer.

As Bjarte states in the thesis, using tools like these requires a certain degree of competence on the part of the organization – competence that is beginning to emerge at a fast pace thanks to universities around the world. Another important point he makes is that not every organization can (or will) afford the state-of-the-art tools and solutions available. If that is your current situation, setting up your own slow-portscan tool may be a viable, cheap and efficient replacement for more expensive solutions.

As we have seen properly demonstrated in the past, signature-based systems – be it AV, AS or IPS – lack the capability to stop all threats. We need additional systems, strategies and mechanisms to discover and mitigate threats that do not match a signature. In his thesis, Bjarte points to one such method.

If we turn the table and look at this detection method from an attacker's point of view, one way to avoid detection could be to use botnets to scan – instead of one single IP scanning a series of ports on your side, a range of IPs could scan only one or two ports each, leaving a much smaller footprint per source. To detect a scan like that, one might have to keep a record of all ports scanned at all times, look for patterns across time spans, IPs and port ranges, and compare those scans to known botnet IPs.

Which leaves an important question: What, where, and for how long should we be logging?

The thesis can be downloaded here.

Virtualization Security Risks: What Are They and How to Defend Against Them

Webinar on security in virtualized environments.

In this webinar by Infosecurity Magazine, I had the pleasure of discussing security in virtualized systems with Tony Lock and Chris Merritt. As always, Stephen Pritchard was the perfect host!

Building security culture (A secure week in review)

With statements like «I am amongst the smartest 1% on this earth» and «I am lazy. And it’s not even my fault!» I raised eyebrows this week. I was invited as a speaker to three different information security conferences, with similar yet different presentations.

I started the week with The Cloud Security Rules presentation, describing what is important when evaluating which cloud service to buy. The audience came from the public sector, mainly municipalities in Norway, and I adjusted the message to accommodate their special needs.

Tuesday arrived with Tekna's conference «Risiko og sårbarhet i IKT-systemer». I had 30 minutes to excite and wake up the crowd. The topic was «Security culture in the cloud», and I used a mix of humor and imagination to explain my point: we, the security people, need to realize that we may not be the right people to create awareness – at the very least, we should look for inspiration and competence outside our own group. I pointed out that ASTD identifies seven factors that drive business results, and that technology is only one of them. Three of the other areas are People, Culture, and Training & Development.

My point? It is time for us to humble ourselves a tiny bit, and use HR, Marketing, T&D and so forth to design a complete awareness program.

Look to other areas of success – like the gaming industry. Ask yourself (yes, you, the infosec pro): what are they doing that engages so many people? When you understand that, the second question becomes: how can we replicate those mechanisms?

I believe the answer is gamification.

My last slide showed an image of some people who clearly came from QHSE, accompanied by my claim: «We should learn about successful implementation of behavior change from those who have done it for decades – the QHSE folks».

Wednesday, I moved on to «Sikkerhetskulturkonferansen», a security culture and awareness conference organized by NorSIS and NSM, the Norwegian NSA. I was quite nervous, as I pictured the audience to be up-tight, stiff, military types, and I knew my presentation was not exactly «up their alley». The conference was opened by Roar Sundseth, the General (boss-man) of the Norwegian Cyber Defence, and we ended up having lunch together, a treat I enjoyed very much.

When it’s my turn to take the stage, my hands are moist, and I have decided that I’ll do my usual best, and handle the consequences later. I have a message to share, take it or leave it!

The message is simple enough – we, the infosec people, need to open our eyes and realize:

1. Humans are different, and are motivated by different things. If you want your message to be understood and adopted, you have the responsibility to alter the message in such a way that your audience can relate to it.

2. Our brain is flawed, and we are all lazy. Research by Daniel Kahneman and others supports this, and points to several areas where our «fast» brain makes errors; it may also explain why our users continue to click on those pop-ups and e-mail links. My message is: learn about human behavior, and use that knowledge to adapt your awareness programs.

3. One major flaw we have is how we tend to see a problem (or solution) from only one perspective. No matter how smart (or not) we are, we seem unable to think that someone else can be smarter, more ingenious. Think of the BMW key fob – a great idea by German engineers to make it easier for me to unlock and start my car. Yet it turns out to be so easy to circumvent.

In addition to the presentations, I have had a number of very interesting meetings, which means I will be very busy for a long time ahead. I will participate in projects of both local and national scale, where I will be sharing my thoughts, ideas and research.

I was also approached by one of the international infosec magazines – Help Net Security this week. Mirko, the editor, asked if I would like to write a monthly column for them. A request that I cannot refuse. So starting in April, I will write a monthly column on security over there!

What I have learned throughout the week is that people are starting to relate to the message. It is starting to gain a foothold among security people and academics, at least here in Norway. If we want a successful awareness (or security culture) program, we must adapt our message to the target user. Which in turn means we must understand them – the user!

APT1: Matching data to your hypothesis is not the same as proving your case

Last week, Mandiant, a security consulting company in the US, chose to publish a report on alleged Chinese government-sponsored hacking against the US. The report is a fascinating mix of technology analytics and far-fetched conclusions.

I have no issues with Mandiant; I trust them to be serious in their work and analysis. And I do not mind much that they point a finger at the Chinese government as the originator of such attacks. It is quite likely that the Chinese government is involved in cyber intelligence, just like most other modern countries are.

What I am concerned about is the fact that the proof Mandiant offers in the report can at best be called anecdotal. In my opinion, a report with such accusations must be provable and scientific. As some critics say, there are a number of possible explanations for the timing of the report, including creating a new bogeyman in order to get acceptance for more laws and regulations.

Let me take a look at the report and some of its shortcomings.

No connection to the building

The report has one full chapter describing a building in Shanghai, a city with some 9 million inhabitants, offering proof that this building is owned by the Chinese military.

Fine, I can accept that the building may be owned by the Chinese government. The fact that the Chinese military has buildings in Shanghai does not prove that the attacks are state-sponsored. There is no proof in the report that clearly and without a doubt shows that the attacks come from this very building.

It may very well be a coincidence.

Just like the fact that I live in Oslo, and so does the Norwegian government. It does not mean I work for them, nor does it imply that what I write here is on their behalf.

The fact that Mandiant's research suggests that the attacks originate from Shanghai may also be a mistake. Hiding your location using proxies is not exactly a secret recipe, especially not amongst infosec people. The fact that Mandiant could not find any further locations does not mean such locations do not exist.

My point is that the location in Shanghai may very well have been planted, either by the hackers in control of APT1, or by someone who wants to place blame. Most likely, we will never know for sure.

The attackers

The report goes into detail about three of the alleged hackers behind APT1: Ugly Gorilla, DOTA and SuperHard. They show that someone using the handle Ugly Gorilla registered at a state-sponsored forum in 2004, and asked a question containing the words «cyber troops» (page 52). From there, they go on to claim that all subsequent use of UG in domains, subdomains and code found from then on means that the handle Ugly Gorilla is

a. The same person;

b. Someone within the Chinese government;

Let me discuss both points:

A: I used to use the handle SirChief back in the day. In the beginning, I was probably the only one using the nick, but over the years many other people decided it was a cool handle. I am no longer associated with the handle, yet using the same logic Mandiant applies, any instance of SirChief would be attributed to me. This kind of logic does not hold, and thus exhibit A must be dismissed.

B: The only connection the report shows between Ugly Gorilla (and therefore the other hackers mentioned) and the Chinese government is the registration form in the aforementioned forum in January 2004. It would be the same as if I, at any point in my history, had joined a forum hosted by the government (which I have) and then drew the conclusion that I must be working for the same government. This is not a valid argument, and there can be many possible explanations as to why my name and handle show up in a registration form at any given forum (including someone else using it). Hence, it should not be used as proof.

A nice try

I will commend Mandiant on writing up a report where they take complex technology and explain it in a way (advanced) laymen may understand.

Their use of graphics is nice, and is sure to sway people to think the report holds water, even if they do not read it (or understand it). And when it comes to media, and media consumption, we know that very few actually read the background materials (i.e. the report); they just cut and paste the press release. Then they call some security expert who will say anything to get his face on TV. No-one (or very few) care to check the facts.

And as we have seen in this report, even if a company like Mandiant actually does check the facts, they can draw the wrong conclusion.

China not alone

It is no secret that the Chinese are not alone in their cyber intelligence efforts. They didn't even start it, and I am quite certain that they are not even at the forefront of this game. Consider the following: who designed and deployed Stuxnet; who controls drones; who is having a very hard time coping with the fact that there is a global power shift going on; who will benefit from creating such an image of a biting dragon? Is it a coincidence that the report is published in the US, by a US security company?

Me thinks not.

Seriously, neither Iran nor Afghanistan make believable digital villains, so it has to be someone else. China is a given.

Spelling as proof

Back to the report. Another so-called proof is found on page 47, where a domain name registrant has misspelled the name of a US city, and also used a Chinese phone number. I can accept that using a Chinese phone number may point to China.

But put 100 Americans in a room: how many do you really expect to be able to spell Yellow Springs correctly? This is not proof; it is just a poor example of how to fit data to your hypothesis, which is not an accepted method of science.

It is, however, an error non-scientists fall victim to time and time again.

I do not believe Mandiant decided to make a poor report with made-up proof just to point fingers. I believe they are victims of faulty logic and time constraints, the same things that make us all prone to jumping to conclusions, a dangerous habit.

My advice is simple:

  • Never stop digging – there is always another layer
  • Seek data to dismiss your hypothesis, not to support it

The next time you read a report and decide to join the screamers, do yourself and the world a favor. Take time to understand before you spread possibly erroneous information. Be brave enough to ask questions. Nothing is ever only black and white, especially not in the infosec world.

Image credit: http://www.flickr.com/photos/vkreay/

Security Culture and Personality Types

Participants from a training in Tunisia, 2010

As I was going through my speaking engagements for 2013, I realized that 2013 will be busier on the speaking front than I first anticipated. I am not at all complaining – I love the opportunity to be on a stage to engage and inspire!

There are two topics that seem more relevant than ever this year:

  • Security culture and awareness
  • Personality types and how to communicate efficiently with the different ones

At first glance, these topics may seem far away from each other.

  • Security may sound very technical, and about systems (at least in the infosec community), and
  • Personality types and communication may sound mushy to some, and very much like coaching and leadership to others

The truth is, as usual, somewhere in between.

Security culture

As soon as we expand the topic of security to include culture and awareness, we have to include people in the equation. And when you take a moment to consider what security is about, you may quickly realize that it lies at the center of human activity. Security is not about technology (although we use technology and thus may choose to secure the technology too), but about making a safe and risk-aware life.

Since the dawn of life, people have been forced to adopt security measures – from clothing and heating to food and weaponry, security is always about the human. Building a secure culture is something humans have done since the beginning.

The basis of a secure culture is common ground. We use language, behaviors and organizational structures (think of the structure of a company, or that of a society) to create a general understanding of what “we” do, and how “we” do things. And we use education to teach this culture, and technology to enhance and enforce it, upon others and upon ourselves.

In a picture like that, it becomes evident that communication and understanding are key to survival, both individually and in the group. To me, that means security culture and awareness quickly boil down to understanding each other, understanding the common goal, the what and why of doing the “we”.

Personality and communication

From a personal perspective, it does not take much observation to see that I am different from you. On the surface it may only be the looks that differ. If we dig a little bit deeper, research suggests that there are traits that make us unique. The mixture of these traits creates unique combinations of human beings. Some are more like us than others, and those others may be very different from us.

I hold that understanding that we are different is one key to effective communication. The more we understand of the differences, and how those differences affect how we learn, how we filter information, how we are motivated, how we prefer to communicate – the easier it becomes for us to adapt our communication to the receiving party.

Pulling it all together

Thus, I believe that if we want to create security culture and awareness, we must understand people. And one of the first things to understand is that people are different. To me, that means we must adapt and adjust the message in such ways that the message is received and understood. We, as security professionals, cannot and should not expect the user to do what we tell them (in trainings, policies, rules and so forth) if we do not make an effort to make them understand.

In other words: if we do not treat them as humans, we should not be surprised when they don't do as we expect them to.

If I want you to understand, I am responsible for adapting and tuning the message in such a way that you can understand it. Understanding how humans function is vital in such a perspective.