Friday, November 18, 2005

Security Awareness Training: A Waste of Time?

Extrusion Detection contributing author Rohyt Belani told me about his new SC Magazine article Changing End Users' Security Mindset. Here are some astonishing excerpts:

"[M]y company [Red Cliff Consulting] has conducted numerous social engineering exercises for Fortune 500 companies whose success relies heavily on the protection of intellectual property.

These exercises involved scripted telephone calls to the organizations' customer service departments and mass phishing emails targeting a randomly selected set of employees. The objective was to collect sensitive data; the results were astounding.

627 of the 1000 people targeted by 'spear phishing' emails (aimed at pilfering the employees' corporate VPN credentials) succumbed to the attack and only 4 of the 373 that did not respond reported the issue to information security staff.

It's not so much those statistics that made the results astounding, but the fact that all these organizations had recently conducted user awareness workshops that addressed the threats posed by social engineers."

Wow. Maybe their Human Firewall was down?

I crack myself up. Anyway, Rohyt mostly blames the staff who offer security awareness training:

"[T]he information security staff must assume the onus of taking the initiative of developing innovative user awareness programs that pique the employees' interest. The majority of the security awareness sessions I attended were unstimulating affairs couching the do's and don'ts of security."

I think it is time to face the fact that security awareness training is generally a waste of time. Trainers can stand on their heads and juggle flaming swords, and some attendees will take a nap. People who handle the most sensitive classified data in the world will happily click on the dancing donkey that appears in their inbox. All it takes to suffer an internal compromise is for one of Rohyt's 1000 respondents to provide their corporate VPN credentials.

In the remainder of Rohyt's article, he does provide good guidelines for improving the quality of security awareness training. However, there is no way to achieve 100% compliance with security policies and sound practices.

So what is my answer? The people with the best capability to address the problem must be given the authority and resources to do so. Those people are the information security staff. They should have the power to remove administrative accounts from normal desktop users. They should have the resources to deploy a proxy to filter and block malicious inbound and outbound traffic. Their concerns should not be sidelined in order to meet "business requirements."

Disagree with me? Well, there are many aspects of business that individual employees should care about. The quality of their work environment is important. I have worked in numerous buildings with asbestos and water problems (thanks .mil). Was it my job to become an environmental engineer? Corporate financial health is another important aspect of a business. Should employees receive accounting training?

Speaking of business concerns: am I the only person who is sick of hearing media pundits tell technical people we need to spend more time and effort understanding "the business?" There are only so many hours in the day. Who is supposed to understand the technical issues facing an organization if we are also tasked with making business decisions?

Why don't I read about business managers being advised to understand TCP/IP?

This is called division of labor, and it's what enables companies to scale to their present size. I am forced to perform business and technical functions by virtue of the size of my small company. As a person who enjoys technical issues, I am not pursuing business issues by choice!

What do you think?

5 comments:

John Ward said...

Good topic Rich,

I have a few points, being that I am the middleman for both the IT Staff and the Business. So I will play this one on both sides of the fence. Keep in mind, this may not be the case for smaller organizations since the company I work for is about as big as you can get.

You are correct. It really is not their responsibility to understand the business logic; it is their responsibility to design, implement, and maintain the infrastructure that allows that business to function. Businesses change their minds way too often for the overwhelmed IT staff to learn what the hell managers are thinking when half the time the managers themselves have no frigging clue what they are doing. Most of the time, managers see pretty shiny lights in magazines and hop on board with crappy product A.

On the other hand, IT is not a revenue-producing department in most organizations; therefore they have no say, although I remember a discussion once about why ROI couldn’t be measured for information security. All too often the IT staff is too small and too centralized to understand business needs and effectively communicate best practices. Business personnel do not respect IT staff because in quite a few cases, the IT staff are condescending, belligerent, and outright liars. To the business employees, IT staff is about as reputable as car mechanics, so what do they care what these guys have to say about information security, to them it sounds like job justification.

For a company as large as the one I work in, security training for employees is not a good solution and is generally a waste of time. You cannot educate people who can barely work in Microsoft Office and can barely navigate through Windows on how to identify security threats. They just don’t have the aptitude.

What I have found to be the problem is one of organization. It is not something that can be treated as a separate entity anymore in the business world. Too often IT is perceived as a business unit in the same respect that Auto Finance, retail banking, and commercial banking are. As such, IT staff dictating policy is like having a commercial bank rep tell consumer bank they can't do something when neither has anything to do with the other and different laws apply. One solution I have found here that does seem to make some progress is allowing the business units to have their own IT staff that works with a centralized Technical Infrastructure group. TI's responsibility is to maintain the infrastructure of the company's networks, set policies regarding approved use of assets, and monitor for violations. The business IT groups' responsibility is to work with the businesses they represent to understand their needs and help them devise solutions suited to their work environment. The smaller groups work with the business managers to educate the employees and perform audits on company assets to ensure compliance. It's easier for the smaller groups, who know the managers personally and have that relationship with the employees, to work with them than it is for the cagey geek in the basement who manages the firewall and can only speak CiscoSpeak. The trick is to find the right people who have that combination of people skills and technical skill to work in the smaller groups.

Mileage may vary depending on the size of the organization, but I feel that is a much better approach than having a centralized IT department separate from the business with no real teeth. Plus, when something goes wrong, it's much easier for someone the employees know to explain what happened and educate them to not open the "dancing donkey" email than to have some moontanned Company Computer Guy scream like an idiot, which usually results in a quick ignoring by staff.

Jason Huggett said...

I'm actually a believer in security training for staff and have seen the positive effects. It's like anything else in the security field, another level of protection. No one thing is going to provide absolute protection. Even with those agreeably shocking statistics, the numbers may have been 700 or more that fell for the attack if no training had been provided. If one of those that learned something was the one being attacked, you just saved yourself from being compromised.

The above argument sounds like a work culture issue more than anything and if training were provided as to why security policies are in place there might be a little understanding.

Gary Hinson said...

I'll admit my bias up-front: I write and sell information security awareness materials through http://www.noticebored.com/

It really worries me when I see people saying 'security awareness doesn't work'. It worries me that organizations will just give up on security awareness. Security awareness can and does work, if done properly. The trouble is that it is not a simple matter of running a training course once a year. Security awareness is not something that can be 'enabled' and 'configured' like firewalls.

Creative, comprehensive and interesting security awareness activities, delivered continuously, gradually change the corporate culture. The changes are almost imperceptible at first but gradually manifest themselves in little ways throughout the organization. Well designed awareness programs address everyone, in language and styles that suit their preferences and on subjects that matter to them.

I unreservedly recommend Rebecca Herold's new book on 'Managing an information security and privacy awareness and training program': http://tinyurl.com/dlgjx

Gary.

Anonymous said...

Richard, I believe the statistics are an accurate measure of ineffective awareness programs.

But I don't think that end users are useless appendages to a security strategy. I believe they can be useful. Making them useful, however, requires that the organization's culture change. Security has to become a measurable part of everyone's job.

To paraphrase Fred Cohen, "Security is what you do, not what you might actually remember from that one hour mandated not-my-job security training session given when you really had something else on your mind."

Jason said...

Maybe the key here is that the wrong training is being performed. I recently published a paper after reading Rohyt's blog entry on the subject.

http://infosecalways.com/2007/09/21/extreme-social-engineering-paper/

This type of training is a little more engaging and might provide more real life examples to understand the problem and increase executive awareness too.