There is one attack vector that all users are susceptible to and unfortunately, to some degree, always will be: Social Engineering. The mere mention of Social Engineering can cause some CIOs / CISOs / Information Security Heads to shake and tremble, and those who don’t, I would argue, have not entirely understood the full effect a skilled Social Engineer can have on their business. Social Engineers rely on the big bag of fluid sat behind the computer (otherwise known as the wetware) to make a mistake. Wetware, more commonly known as “people”, or to the managers among the readers “employees” (or in some cases “minions”), is currently, and has been for some time, the biggest headache to security professionals.
It is commonly agreed that effective employee Security Awareness Training is the best answer to Social Engineers. Effective employee Security Awareness training should raise awareness of this dangerous cyber-attack vector, including the different methods usually employed by a Social Engineer. However, once Security Awareness training has been delivered, how do we assess and test how effective it has been? Can this truly be tested?
Social Engineers will not just attack an employee at work; they will attempt to steal sensitive information no matter the environment. Remember, sensitive information is in the eye of the beholder. It may not relate just to your business; it may be sensitive or personal to your employees. A good Social Engineer will use various techniques to maximise disruption to your business, including targeting your employees when they leave the logical and physical security fortress built for them by your IT Security team and/or department. So, in reality, Employee Security Awareness Training asks that the wetware be on constant lookout and maintain uninterrupted vigilance against Social Engineers, which can be tiresome and draining on the employee. Keep in mind that the ultimate aim of any Social Engineer is to get your employee to lower the drawbridge and bypass the security controls of your CIS Security fortress entirely.
Effective employee Security Awareness Training is something that must be entrenched in your employees, almost as part of their behavioural DNA: when surfing the internet, using apps, talking on the phone, dealing with email, doing their online shopping, during all digital dealings, without delay, disdain or derision, security must remain at the forefront of their consciousness. Sounds almost impossible, right? Most likely, but it’s said that your best teacher is your last mistake.
In what seems to me now, looking back, a past life, I was a JNCO in Her Majesty’s Royal Air Force. Among the annual RAF competencies I had to keep up to date with, including fitness tests and getting gassed once a year (Armed Forces Veterans and Regulars will know the pain…), one element was Human Factors (HF) training. It was a necessity that all MoD personnel were subjected to HF training in an effort to improve Air Safety at MoD bases. It operated on the premise that if an MoD site supports a system (the MoD uses the Defence Aviation Error Management System, or DAEMS) which encourages Airmen to submit ideas to improve safety or to own up to mistakes freely, it would change the behaviour within the workforce. The system would highlight issues with policies and procedures, or introduce a new way of working to prevent mistakes or even improve an Airman’s environment.
The philosophy behind Human Factors training is this: how much concentration is lost on a particular task if we as human beings are stressed, hungry (or in my wife’s case, “hangry”), tired, too cold, too hot, etc.? The list goes on and on; we are, of course, only human. Dr Abraham Maslow published his “Hierarchy of Needs” way back in 1943 and it has been a basis for psychology students since. The logic behind the hierarchy is simple: the essential survival needs in the lowest level of the pyramid must be satisfied before the individual can turn his or her attention to the next level, then that level must be satisfied before proceeding up, and so on. All the human body’s needs stated on Maslow’s Hierarchy have been shown to affect performance. It is these slips in performance that a skilled Social Engineer will aim to exploit and take full advantage of.
An interesting footnote to the hierarchy: in today’s modern world, there is an argument[1] that Wi-Fi, mobile phones and social media should be appended to the hierarchy at the very base, at the physiological needs stage. They are being rated as important to humans today as the things we need to exist: food, water, clothing, etc.! I’m sure it is in jest, but it does highlight how important a digital life has become and how some employees might be distracted or stressed if their digital existence is under threat.
It occurs to me that HF training could be adapted to Cyber Security. How excellent would it be to have a system that captures and harnesses the Human element, taking a business’s greatest weakness and morphing it into its greatest asset? Instead of having HF to improve Air Safety, have it to improve Cyber Security. Let’s say your MoD Site (your business) decides to develop and introduce a system which allows its Airmen (employees) to submit ideas on how the organisation can improve Cyber Security and their environment, and in turn rewards them for practical ideas that can be implemented. Please note, I am not claiming that this system will prevent mistakes altogether. Albert Einstein once said, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”
Nevertheless, it is a step in the right direction. I believe it will (when implemented correctly) allow others to learn from a common blunder, improve policies and procedures, and allow your organisation to improve the life of its employees by implementing practical ideas where applicable.
A lynchpin of the whole scheme was that no matter whether an idea submitted could improve Cyber Security or not, the submitter was given feedback: either “yes, that’s great, we can implement that,” or “no, we won’t adopt this idea because of x y z reasons”. The feedback has to be given to allow learning. Feedback will demonstrate to the submitter the reasons why a procedure is designed the way it is, the security reasons behind it.
In implementing HF training with an aim to improve Cyber Security, an understanding must be reached that humans will always make mistakes; what matters is how the entire organisation can learn from one mistake, to prevent future occurrences or even to spot, from a unique point of view, improvements to the security posture that will prevent a mistake entirely. The bottom line is this: you know your environment, and this is an idea which could potentially harness the human element and use it as a force to improve the Cyber Security posture of your organisation.
“All men make mistakes, but only wise men learn from their mistakes”
Winston Churchill
[1] http://blog.dlink.com/maslows-new-hierarchy-of-needs/