Numerous research projects have shown that a large percentage (arguably a majority) of people fall victim to crime online, a percentage that is growing every year. I have always been of the belief that criminals operate on the bleeding edge of technology, and that defences are constantly playing catch-up with them. Research, and logic, also indicates that these ‘advanced’ attacks ultimately rely on the exploitation of human vulnerabilities to succeed, at least enough to gain a foothold in the target system, after which traditional methods are employed. Many organisations and security vendors fail to realise this, which may be intentional (to ensure the profitability of their products), and promote the use of active measures to protect users from such attacks, neglecting the root cause: uneducated users.
In a bid to do things a bit differently I have spent considerable time putting together an education program for staff, their families and friends. After looking at what some other companies were doing, the trend seemed to be to publish a single document that listed a bunch of dos and don’ts and only required a signature to verify that the reader had digested it. Furthermore, its scope was really only limited to how they interacted with their workstations, not the wider network (including the internet). I see several issues with this:
- As it does not test the reader, it does not provide a measurement to security staff of their level of risk.
- The real risks users will face in our networks will be from the internet.
- It is inherently boring, so it is likely to be treated like software T&Cs and accepted with little to no attention paid to its contents.
So, what I wanted to do was piece together a program that provides feedback to me, is enjoyable and adaptable to varying levels of existing knowledge.
The program is run out of Google Apps, using Sites to piece together a wiki, and a Form + Spreadsheet to form a multiple-choice quiz.
An initial run through the quiz is used to establish a baseline score. Each element of the actual program has at least one correlating question in the quiz to reassure us that users have run through the full program. An incorrect answer explains why the answer is wrong, and what the correct answer should have been (and why).
Users start with a basic, condensed set of 3 main points with supplemental information:
- Think and Ask Before You Act (e.g. recognise fake URLs, do not disclose confidential information to potentially unknown parties, if something is too good to be true it probably is).
- Secure and Protect your Information (e.g. use HTTPS, vary your passwords, do not use untrusted WiFi networks, use PGP encrypted email, never connect unknown storage media).
- Inform, and Be Informed (e.g. report suspicious activity, regularly review threat information).
- Common vulnerabilities (e.g. clickjacking, drive-by downloads, fake AV, phishing, rogue WiFi networks).
- Current threats (updated 6-monthly with whatever is most prevalent at the time).
With a very basic knowledge of what attackers are up to, some basic step-by-step guides then supplement this to show exactly how an attack might be undertaken:
- Browser attacks (a drive-by download attack, with 3 attack vectors).
- Mobile malware (trojanised Google Play app).
- Phishing (spoofed email with a Zeus installer attached).
With a little fear instilled, a series of how-to’s then assist the user in bolstering their defenses:
- Using VirusTotal.
- Setting up KeePass (and generating secure passwords) and TrueCrypt stores.
- Sending, receiving and validating PGP encrypted email.
- Configuring OpenVPN.
- Locking down Gmail, Facebook, Twitter and LinkedIn (regularly reviewed to keep them up to date with changes the networks make).
- Mobiles (e.g. device encryption, setting up Lookout Mobile Security).
Given that the primary function of my company is to develop enterprise software and an object-oriented database technology, secure development is an absolute must. Until recently I maintained a full set of secure development and penetration testing standards; however, as the OWASP Application Security Verification Standard (ASVS) has reached a certain maturity, it is now enforced as the standard that developers must develop to and that I must test against. Basic information on this standard is presented on the wiki, along with links to the standard and other relevant information produced by OWASP.
After completing the program, users then perform a follow-up run of the quiz and compare their scores. Anyone who scores lower than what the security team deem ‘safe’ is invited to attend a one-on-one session to clear up their shortcomings.
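As an added illustration of the quiz feedback loop described above (this is not code from the original post or its Google Apps setup), the following Python sketch checks that every program element maps to at least one question, explains each wrong answer, and compares baseline and follow-up scores against the ‘safe’ threshold the security team sets. The question ids, answers, explanations, threshold and user responses are all constructed assumptions.

```python
# Added example (not from the original post): scoring a multiple-choice awareness quiz.
# Question ids, program elements, answers, the 'safe' threshold and the user responses
# below are constructed for illustration only.

PROGRAM_ELEMENTS = ["think_before_acting", "secure_information", "inform", "phishing_howto"]

# Each question is tied to one program element so coverage can be checked.
QUESTIONS = {
    "q1": {"element": "think_before_acting", "answer": "b",
           "why": "examp1e.com is a look-alike of example.com; check the domain character by character."},
    "q2": {"element": "secure_information", "answer": "c",
           "why": "Reusing one password means a single breach exposes every account."},
    "q3": {"element": "inform", "answer": "a",
           "why": "Suspicious mail should be reported to security, not forwarded to colleagues."},
}

SAFE_SCORE = 2  # minimum correct answers the security team deems 'safe' (constructed)


def uncovered_elements(questions, elements):
    """Program elements with no correlating quiz question (should be empty before go-live)."""
    covered = {q["element"] for q in questions.values()}
    return [e for e in elements if e not in covered]


def score_run(answers, questions):
    """Return (score, feedback); feedback explains each wrong answer and gives the right one."""
    score, feedback = 0, []
    for qid, q in questions.items():
        given = answers.get(qid)
        if given == q["answer"]:
            score += 1
        else:
            feedback.append(f"{qid}: you answered {given!r}, correct is {q['answer']!r}. {q['why']}")
    return score, feedback


def review_users(baseline, followup, questions, safe_score):
    """Compare baseline and follow-up runs; flag users to invite to a one-on-one session."""
    report = {}
    for user, answers in followup.items():
        before, _ = score_run(baseline.get(user, {}), questions)
        after, fb = score_run(answers, questions)
        report[user] = {"baseline": before, "followup": after, "delta": after - before,
                        "invite": after < safe_score, "feedback": fb}
    return report


# Constructed sample responses (user -> question id -> chosen option).
BASELINE = {"alice": {"q1": "a", "q2": "c", "q3": "a"}, "bob": {"q1": "a", "q2": "a", "q3": "b"}}
FOLLOWUP = {"alice": {"q1": "b", "q2": "c", "q3": "a"}, "bob": {"q1": "b", "q2": "a", "q3": "b"}}
```

Running `review_users(BASELINE, FOLLOWUP, QUESTIONS, SAFE_SCORE)` flags bob for a one-on-one while alice passes, and `uncovered_elements` reports that the phishing how-to still has no question.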
Initial results are, on the whole, very reasonable. The challenge is most definitely in making a technical topic interesting and easy to digest (particularly for the UX and marketing folks), whilst maintaining its purpose of preparing users for the big, nasty world that is the internet. To supplement the program I also offer team talks and live demos for both developers and users, which negates the need to repeatedly explain complicated subjects via email. Following this exercise almost all users pass the quiz with flying colours, and the impact it has is certainly noticeable when people bring thoughtful questions to me on behalf of their friends and family who run through it as well.
It may take a while to put together and require ongoing effort to maintain, but I think that doing this is a very worthwhile task for any security administrator. If anything, it should be seen as a responsibility.