
Dress Like A Gnome: 6 Security Training Essentials

Offer home security clinics, make security messages fit for Twitter, and don't be afraid to dress up, say Infosecurity Europe presenters.

LONDON -- Infosecurity Europe 2014 -- System security is getting better, so attackers are going after a softer target -- people.

Security awareness was a key theme at the Infosecurity conference last week, as speakers and other experts offered their views on how to improve training and education programs.

"What's happened over the last 10 years is the operating system that the adversary is going after has really changed," Eric Cole, chief scientist at Secure Anchor Consulting and a SANS Institute instructor, said Thursday during his induction ceremony into the Infosecurity Europe Hall Of Fame. "If you put enough energy and effort in, you can secure those operating systems -- lock them down, turn off services, patch them -- and we've done a good job of that.

"Now, what operating system is the adversary targeting?" he said. "It's very hard to secure... and hard to patch."

That predicament has led some information security experts, such as Bruce Schneier, to propose more drastic measures, arguing that security training simply isn't salient for nonsecurity experts, because they won't ever really learn. From a big-picture standpoint, furthermore, Schneier has argued that, if engineers designed their software better, people wouldn't have to learn.

Until that happens, information security professionals are left with a triage situation, as many speakers at last week's conference readily acknowledged. To help, they offered the following six strategies:

1. Seek Twitter-like brevity.
Participants from both sides of the pond agreed that attempting to educate users, and to keep them extra vigilant about the types of social engineering attacks that continue to compromise so many organizations, remains challenging. For starters, Andy Jones, CISO of the global container company Maersk Line, said during a panel discussion that effective security messages must find ways to be both direct and brief. "I want my message [to be relayed] in 140 characters. I want a Twitter-type awareness."

2. Unleash the gnomes.
One creative -- and reportedly successful -- user-education approach practiced by Lee Barney, head of information security for Home Retail Group, a leading UK home and merchandising retailer, has been to dress up his information security staffers as gnomes.

Barney said these security gnomes are then placed at strategic locations around the office and used to deliver this line: "Hi, we're from security, talk to us." Cue a training opportunity -- for example, how to spot and avoid phishing attacks. After trying this approach, Barney said, his company launched a fake phishing attack spot test, and no one fell for it. "We had a 100% success rate," he said. "Not right away, but a few weeks later."

3. Offer drop-in home security clinics.
On the user-education front, Michael Colao, head of security for the investment firm AXA UK, recommended during a panel discussion that information security departments hold regular sessions for employees to pose personal information security questions, such as those pertaining to home security or "parental controls that your 12-year-old can't get past in four minutes."

The bigger benefit, he said, is that this type of computer security transfers to people's day jobs. "If you are talking about the steps you have to take to protect your home computer, it's weird, but it's actually quite similar to the steps you have to take to protect your work computer."

4. Play big brother to developers.
Security training can also be supplied to in-house IT staff, of course. For example, it can help developers write more secure code. According to research recently conducted by White Hat, however, inside organizations that emphasized secure coding practices, training alone didn't result in web application developers writing more secure code. Developers needed to know that their managers would also be reviewing the code they wrote, White Hat founder and interim CEO Jeremiah Grossman said in an interview at the conference.

"It came down to accountability. If the developers were accountable for the code they wrote, then they'd get something out of training," he said.

5. Rethink business questions.
Per Schneier's comment, the best approach to security awareness and training is to design security systems that don't require users to think about security. To help make that happen, AXA UK's Colao said, information security teams must take security-related requests from the business side of the house and then work out the question the business would have asked if it had been made up of security experts.

For example, at an investment bank for which he used to provide security, and which had a small number of customers, the business team asked the security group what password policies it should use to allow partners to log into the investment bank's systems. Taking a step back, Colao said, his group proposed and then implemented a system based on digital certificates.

What was the benefit? "I went once to one of our partners, and there on the wall were all of the main investment banks, and the company's passwords [for logging on to each one], except for ours, because they had a certificate instead," he said. "But if we'd answered the question that the business had originally asked... we would never have gotten there."

6. Lock down Office.
The reality today is that the security of so many systems still succeeds or fails based on user decisions, and users won't always make the right decision. As a result, businesses must look beyond training as a be-all and end-all, said Infosecurity Europe Hall of Fame inductee Cole. "We have to do a better job of not allowing the adversary attack effort to make it directly to the person," for example by blocking today's four most prevalent phishing attack strategies: "executable attacks sent to emails, macros in Office documents, active scripting, and HTML content" in emails.

Thankfully, blocking those types of attacks doesn't mean preventing users from employing email or Microsoft Office altogether. Rather, it involves excising specific types of high-risk functionality. "How many of you need that asset from the Internet in order to run your organization?" he asked, referring to the four types of functionality noted above. "It's typically 1%. So if 1% of us need that, and that's the main vector that adversaries are targeting, then why aren't we shutting it down?"
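As an added illustration of what "excising specific types of high-risk functionality" looks like at the mail gateway, the following Python filter (written for this page, not code from the article or any of the speakers) checks an inbound message for Cole's four vectors: executable attachments, Office documents carrying macros, script files, and HTML content. Macro detection goes one step beyond the file extension: an OOXML document is a zip archive, and a VBA project shows up as a `vbaProject.bin` entry, so a plain `.docx` that hides macros is still caught. The extension lists, the sample messages and the sample attachments are all constructed here; the legacy binary Office formats are treated as macro-capable by policy because their macro presence cannot be checked as cheaply.

```python
"""Mail-gateway attachment policy for the four phishing vectors named in the article."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed policy lists (assumptions for this example, not an authoritative catalogue).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta"}
HTML_EXTS = {".html", ".htm", ".mht", ".mhtml"}
# Macro-enabled OOXML names, plus legacy OLE formats treated as macro-capable by policy.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls", ".ppt"}
OOXML_EXTS = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx"}


def ooxml_has_macros(data: bytes) -> bool:
    """An OOXML file is a zip; a VBA project is stored as a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return the blocked vector for an attachment, or None if it is allowed."""
    # suffix() sees only the final extension, so "invoice.pdf.exe" resolves to ".exe".
    ext = PurePosixPath(filename.lower()).suffix
    if ext in EXECUTABLE_EXTS or data.startswith(b"MZ"):  # PE files start with "MZ"
        return "executable"
    if ext in SCRIPT_EXTS:
        return "active-scripting"
    if ext in HTML_EXTS:
        return "html"
    if ext in MACRO_EXTS:
        return "office-macro"
    if ext in OOXML_EXTS and ooxml_has_macros(data):
        return "office-macro"
    return None


def evaluate_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and list every policy violation found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            vec = classify_attachment(fname, part.get_payload(decode=True) or b"")
            if vec:
                findings.append(f"{vec}: {fname}")
        elif part.get_content_type() == "text/html":
            findings.append("html: inline HTML body")
    return findings


# --- constructed sample data for a stand-alone run -------------------------------

def make_ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML-shaped zip, optionally with a VBA project entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header stub
    return buf.getvalue()


def build_sample(filename: str, data: bytes, html_body: bool = False) -> bytes:
    """Construct a sample message with one attachment and an optional HTML alternative."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    if html_body:
        msg.add_alternative("<p>Please see <b>attached</b>.</p>", subtype="html")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def run_demo() -> Dict[str, List[str]]:
    """Evaluate three constructed messages and return the findings for each."""
    samples = {
        "macro-docx": build_sample("quarterly.docx", make_ooxml(True)),
        "clean-docx": build_sample("quarterly.docx", make_ooxml(False)),
        "double-ext": build_sample("invoice.pdf.exe", b"MZ" + b"\0" * 62, html_body=True),
    }
    return {name: evaluate_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'BLOCK ' + '; '.join(findings) if findings else 'allow'}")
```

The design point is the one Cole makes: nothing here tries to judge whether the message is a phish. It removes the delivery mechanisms that the roughly 1% of users who genuinely need them can be given through a separate, explicitly approved path, and leaves everyone else with plain text and macro-free documents.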

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Marilyn Cohodas, 5/6/2014 12:14:11 PM
Re: Dress like a Gnome
Ed, speaking as a user that is relatively attuned to InfoSec issues, I couldn't agree with you more about the importance of technical controls to enforce good security hygiene. I want to do the right thing, but so often the demands of the day-to-day lead to the path of less resistance (bad behavior)...
Ed Moyle, 5/6/2014 9:37:36 AM
Re: Dress like a Gnome
Security training is hard to pull off well generally.  Even when done well and using creative approaches as this article describes, the economics of it are challenging.  There are two reasons for this: attrition and human nature.  To keep pace with attrition, training needs to be done over and over and over and periodically refreshed in new and creative ways.  Plus, human nature is contrary to what we want.  People want to be helpful to each other - in fact, I'd argue (as many behavioral scientists believe) that helpfulness is "hardwired in" as a trait required for the human species to survive (think for example about what helping others means for a hunter/gatherer society - Dawkins has an excellent discussion of this in the Selfish Gene).  

Anyway, point is... In general, my preference has always been to try to find technical controls that enforce the right behavior (even if doing so requires recouping some of the costs from the training budget).  For example, rather than training helpdesk staff not to give out passwords, modify the system so they don't know it in the first place - rather than training people not to send out personal information, change the process/system so they can't.  I'm not saying "don't train", I'm just saying minimize the surface area - a technical control is almost always less expensive long term since it's a one-time investment vs. ongoing cost.  It also tends to work better since you're not fighting against human nature.  

Anyway, just food for thought and my humble two cents.  
Randy Naramore, 5/5/2014 3:07:24 PM
Re: Dress like a Gnome
Maybe you are correct but it is a good thought.
Robert McDougal, 5/5/2014 2:48:12 PM
Re: Dress like a Gnome
You are exactly right Randy!  People, for better or worse, have a vulnerability that cannot be patched.  All people want to be helpful to other people.  Social engineers use this fact to get people to do what they want to do.

Additionally, if a social engineer can display an air of authority and sound like he knows the subject matter he is talking about, most people will not question him or her.  

The sad truth is awareness is extremely important but, we will never be able to secure the human completely.
Randy Naramore, 5/5/2014 12:59:35 PM
Dress like a Gnome
People have always been the easier target for hackers; they have emotion and can be reasoned with, and can be breached easier than Windows (believe it or not).