You Shouldn't Train Employees for Security Awareness: Rebuttal

Monday, July 23, 2012

Boris Sverdlik


So I have tried to keep my comments and rage limited to Twitter, but with this last echo-chamber pile-up on Security Awareness, I felt an obligation to put my frak (opinion, .02) out there once again.

@Krypt3ia and @iiamit have both posted their rebuttals, "Throwing out the Baby with the Bathwater" and "Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?" respectively, each calling the other wrong of course, but where's the excitement without debate?

I mostly agree with my stabby counterpart on this topic...

Dave Aitel had posted "Why you shouldn't train employees for security awareness" to the CSO blog, which by the title alone will probably confuse a majority of the CISOs out there.

Dave talks about how Security Awareness is no match against the RSA breach, Shady RAT and all of the APT nonsense we have all ranted about. He goes on to say that your users have no responsibility over the network, which is only a half truth. Yes, your users don't have any operational responsibility over your network, but they damn sure are accountable for what happens to your environment, or at least they should be.

I know the whole "Don't Click Shit" (sorry Ian, it's not "stop clicking shit" as you wrote in your rebuttal) is more of a humorous way for us to deal with our frustrations, but underneath the joke there is a fundamental truth: infections are introduced by end users.

Dave had made an interesting comment about the vulnerabilities found in some of the training software used by many of his clients. This leads me to believe he has absolutely no idea what an awareness program is and equates it with the CYA computer-based training solutions that regulated organizations throw at their users once a year and then forget about.

That does not make an awareness program, Dave; it is the security equivalent of a CISSP boot camp (yes, I had to throw that in here).

A security awareness program is focused on training, reinforcement and integrating security responsibilities into the organization. That is a security program, Dave, and coming from both offense and defense I can damn well state that it works when layered on top of other security controls. It is not, and will never be, a silver bullet.

Dave had mentioned that only technical controls stop his social engineering attacks, and I'd like to ask what technical controls are in place to prevent one of your users from disclosing their credentials or exposing their machine to an attacker through a phish? Are you selling some unicorn cream that can be applied to the endpoint? Or perhaps some fairy dust that will stop the user from disclosing your IP over the phone? Let me guess, DLP?

You had suggested the following 7 things that organizations should do instead of wasting their money on employee training. Well, let me take the time to address each one.

1) Audit Your Periphery  

While auditing your environment is a good process, audit is after the fact. It will not stop the RAT. What will is implementing change control procedures, access controls, segregation of duties and, I don't know, maybe even secure coding training?

2) Perimeter Defense/Monitoring  

Perimeter defense is also a good compensating control, but what happens when your administrators start adding rules and such because, I dunno, maybe no one told them that this is bad? I'm hoping you don't think perimeter security is a magical concept. Intrusion detection is almost never rolled out properly because the primary goal of your organization is to make money; most of the time an IDS is just about checking a box and satisfying a requirement. And if you don't classify the data, you really have no idea what you should focus your monitoring resources on.

3) Isolate & Protect Critical Data  

This is one of the points where I agree with you. This should be the very first step in your security program: identify your data, identify where it lives, and determine how important it is to the business. This is where the majority of companies fail, not in training and awareness programs.

4) Segment the Network  

Again, totally agree. Endpoints should never live on the production segment. All access should be through choke points that can be tightly controlled. Treat all endpoints as if they were hostile (my self-serving statement; more on this in "You Can't Buy Security", coming to a country near you).

5) Access Creep  

Access creep, or rather access controls, are a big part of protecting your organization. However, this naturally comes after classification of your data. How do you know who should have access to what if you don't know where it is?

6) Incident Response  

To me, incident response is one of those funny things that people think they want but have no idea how to implement. How do you implement an incident response program if you don't have any processes around training your users to identify incidents? Magic? How do you know if you have a rootkit if you don't have any build standards to compare against? I'm hoping you see the points I'm trying to make.

7) Strong Security Leadership  

Strong security leadership is definitely a big part of the security program; however, I don't think I have seen a CISO in the last 10+ years who has had sole responsibility to pull the "kill switch". The decision is a shared business decision, and the CISO has the responsibility to syndicate the risks and make everybody at the table aware of them. If you don't build security awareness into your operating model, then how do you personalize the risk to the stakeholders? "We're stopping this because...?" Are you going to use fancy calculations and pull out your ALE (annualized loss expectancy) formulas?

In closing, security awareness/training programs are not a once-a-year "watch this video" or "use this app" initiative. They are the integration of the security mindset into the fabric of the organization.

As Ian pushed one last self-serving statement, so will I. Go check out "You Can't Buy Security", coming to DerbyCon, T2infosec and Security Zone 2012.

Gregory MacPherson
A somewhat abbreviated repetition of what I said in response to the rebuttal article - users have been proven beyond a reasonable doubt to be clueless ch0ads unable to secure their own data.

Ideally, implement security by removing the choice from the users. Place responsibility for security squarely in the hands of 'the competent' AKA security engineering.

Yes, I am advocating "securit-ism", a quasi-Socialist framework in which 'deny everything that is not explicitly permitted' includes the CEO's video cameras to watch his house in Belize and his new iPad because they violate the security policy that he signed off on without looking.

Expending time and money to educate the unwashed masses (AKA everyone who got on the Internet after 1994) about 'security' is a waste of time and a waste of money because...

(a) They are ignorant
(b) They want to stay ignorant

They (the aforementioned unwashed masses) want to 'do facebook' and read /. and gossip electronically.

They want to remain unconcerned about "the enterprise". If they cared, you wouldn't see user stratfor, password stratfor in the password dump.

The argument in favor of educating the masses is based on the supposition that 'teaching security awareness' is a process of educating those who both can be educated and want to be educated.

My position is "don't bother". Instead, remove the decisions from their hands, and leave them with fewer concerns. Let the geeks - who both understand and care about the CIA triad - handle the heavy lifting.

ellie hurst

1. Audit can actually be a proactive activity, identifying near misses and potentials and not just used to find post-event non-compliance, but only if it is planned properly and well conducted by properly trained and experienced personnel, and not if it is tick-box auditing.
2. I agree
3. This is good. It should also be a pivotal part of the education and awareness programme. Once you have identified and classified information then you can identify who should and who should not have it, where it can be handled and stored and sent. THEN EDUCATE USERS ABOUT THIS.
4. ok, although technical segmentation is only part of the solution and certainly is not a panacea. Works very well when intelligently combined with data segmentation though.
5. I agree
6. I agree. Incident response is massively lacking in many organisations. Look at Natwest. Also incident response needs to take into account C, I AND A; it isn't just about C. It should also be well integrated through the underlying management system into the organisation's CA/PA processes and in so doing can also be utilised to manage near misses and therefore become a proactive and not just a reactive mechanism. Works really well if fully integrated into Protective Monitoring, Forensic Readiness and Business Continuity.
7. Strong security leadership is not just about having a CISO though. Leadership is about setting example, setting the risk agenda, managing culture and leading by example etc. and runs through all tiers of the management structure. Embedded and integrated security leadership is the key, not just having a single figurehead. Indeed having a CISO or similar can be counterproductive, leading to a 'security is his problem' mentality. The reality is security is everyone's responsibility.

Without education no security programme can succeed. The counter arguments are usually posed by those who try and treat security with a pure technical solution. Security technology is an enabler and not a panacea. Look at encryption for heaven's sake!!!!!

Security is about people more than anything else. People lose information, not systems. People manage systems poorly, allowing them to be compromised, not the systems themselves. People take Top Secret documents and leave them on trains. People (like senior management) leave laptops logged on and viewable on trains while they go for a coffee.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
