The Connections conference started with a keynote from SANS about securing the human part of your network. Lance started talking about his background in Info Security, honeypots and work with Sun Microsystems (starting originally with work in tanks in the military). “the simplest way to steal your password is to ask for it – the simplest way to infect your computer is to ask you to do it”. Technology has been very well secured – its MUCH easier to get the human users to do the work for the bad guys. The change began in August 2004 – when Service Pack 2 was release for XP with the firewall being turned on by default. This started the drop of technology based hacking and began the era of human hacking. The human OS – you have Windows, Linux and human OS’s in your network. We’ve done nothing to secure that human OS (my note: why training is so very important – it’s updating and patching the human OS in your network).
90% of malware requires human interaction (Symantec)
100% of successful APT attacks compromised the human (Mandiant)
Humans have to click a link, install a program, insert a USB stick or interact in some way to make the malware work.
Humans are bad at judging risk – we overestimate visual risks (lions and tigers, as opposed to something we can’t see) and overestimate risks when we aren’t in control (flying as opposed to driving).
“If it’s on the news, it’s probably really safe, because it almost never happens – or else it wouldn’t be news”
Social engineering – we surf and feel like we are in control (and the hack is silent and not visual at all), we underestimate the risks of getting hacked because of those two factors. You check into your hotel room, get a call from front desk to clarify a problem with your card, you give them your card number, they’ve hacked you. (real problem at Disney World resorts)
Some worms now check keyboard settings before they send out their phishy emails so that they can send out a virus email to your friends in the language that you usually use (if your keyboard is set to Spanish, they send the spanish version of the bad email to your contacts, in order to increase the likelihood that your friends will click on the link in the email).
Many trojans disguise themselves as anti-virus programs so that you not only infect yourself, but you pay $100 or so for the privilege of doing so.
Twitter and Facebook make malicious social engineering attacks easy – Twitter bots search for keywords and respond to any tweet using that keyword with a “discount” link for that particular item.
Goals of Awareness training – compliance and changing behavior. Lance concentrates on changing behavior (more powerful than mindless compliance).
The Plan: who, what and how? Who do you target for training? (employees, admin staff especially, management, IT staff (privileged access to lots of resources – make sure they don’t post router configs (for example) on public listservs, use the same password for servers that they use for their Facebook account) What do you train about? (You are the target, social engineering, email and IM, browsers, etc.). Teach people that it’s not all just about protecting the organization, it’s about protecting the employee. How to train? Use imagery, videos, newsletters – make it as fun as marketing is these days. He showed an example video that promotes security awareness (social engineering, specifically).
SANS has a video awareness library – info in handouts. Newsletters are like patches – they have to be done regularly or people forget.
Inoculation – used to measure end user awareness, used to get their attention and reinforce training. Launch a phishing email of your own (benign, of course) and see who clicked and how many were fooled. Keep doing it as your awareness campaign continues and see how the numbers go down. Start with basic email and work up to targeted emails to test users.
Presentation and newsletters that can be redistributed are available on Lance’s blog.