Human Element in IT Security

28 02 2012

IT security has become a critical component for the success of the business. Companies have successfully deployed a multitude of technologies, policies, procedures, and other technical solutions to address their IT security challenges. However, many companies have often underplayed the role of humans in IT security. Rationales for such behavior include internal politics and a surprising amount of chaos[1].

Companies must recognize that humans play a pivotal role (see Table 2) in ensuring the success of IT security mechanisms. The following initiatives will enable companies to harness human capital to ensure the success of IT security mechanisms:

  • Awareness:
    • Management must demonstrate commitment and support for IT security.
    • Educate employees on the need to be compliant with industry standards (see Table 1) and internal policies.
    • Repeat – Repeat – Repeat: Implement a mandatory training program under the supervision of C-suite executives.
    • Set up constant communication emphasizing the importance of IT security.
  • Execution:
    • Based on security risk analysis, focus on the highest threat first and deliver role-based training. Avoid a one-size-fits-all approach when training employees across the organization[2].
    • Set up a central service center to address security concerns and clarify policies and procedures.
    • Develop mechanisms to monitor and review the effectiveness of the security mechanisms in place.

In addition to the above tactics, a company must encourage a collaborative environment to develop a culture of teamwork to ensure data confidentiality, integrity and availability (CIA).

In summary, the rapid pace of changing technologies, coupled with humans’ inherent resistance to change and to close monitoring, are key roadblocks for a successful security strategy. As discussed above, awareness, tailored education and cultural changes can be important enablers to ensure successful implementation of IT security mechanisms.

Table 1: Information Security Regulation[3]

Table 2: Root Cause of Information System Failure[4]


[1] The Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[2] The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations; Deloitte http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf

[3] The Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[4] The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations; Deloitte http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf





Does Security Awareness Training Work?

17 02 2012

We have long been conditioned to believe that security awareness training is not just encouraged by the standard bearers in our field, but that it is required, if we’re ever to achieve the vaunted goal of confidentiality, integrity, and availability. Indeed, an entity no less influential than the National Institute of Standards and Technology (NIST) declares that a strong IT security program cannot exist “without significant attention given to training IT users” [1]. Bruce Schneier, another luminary in the field of information security, argues that because computers are hard to maintain, training the user community is the only way to combat their inherent lack of security [2].

But does security awareness training really work? Is there a real, quantifiable difference in security at the user level for groups that have been trained on the dangers of phishing, social engineering, malware, or any of the other types of potential attacks? The studies completed so far have produced largely varied results. At our own Carnegie Mellon University, a study with a small sample size produced positive results — test subjects who received visual training that included a sample attack were exponentially better at identifying a test phishing message than those who had not received any training at all. By contrast, in another study an unnamed military academy provided all of their students with classroom-based awareness training, only to see 80% of them click on a link in a fake spear phishing attempt [3].

Based on the ambiguity of these results, there is a growing voice in the information security community that argues against the value of security awareness training altogether. One such camp believes that, since it only takes one careless user to compromise a network, any money spent on information security awareness training is money wasted.  Others believe that training may have some value, but not at the expense of more tangible security controls that produce real, quantifiable results. This point of view has existed since as far back as 2002, when The Gartner Group, a collection of researchers, concluded that information security dollars were better used for the purchase of hardware and software security applications designed to harden network and workstation security [4].

However, recent data suggests that in practice this security approach can backfire if used on its own. A 2011 survey of 649 Canadian organizations showed that those who banned social media at work suffered more security incidents than those who didn’t [5]. This indicates that more stringent security controls do not always mean that your data is more secure, at least in the age of social media. Users at these companies likely used non-trusted sites or personally-owned devices to circumvent the ban. In this case, user education on the perils of using those non-trusted sites (or on the misuse of company time and the browser monitoring capabilities of the IT department) may have been more effective than an outright ban. So, beefed up security controls don’t always trump security awareness training after all.

Lance Spitzner, a SANS instructor who writes for their Securing The Human blog, argues that security awareness training only fails if it’s “boring, condescending, and outdated” [6]. Granted, he has a product to sell (SANS’ excellent Securing The Human training package), but he’s not totally off base. A truly balanced information security program includes both technical controls and user awareness training. The truth probably lies somewhere more in the middle. Some form of security awareness training for your user base is a good idea, and although the results will be hard to quantify, it will do more good than harm for your security efforts as long as you keep your users engaged.

_____________________

[1] Hash, J., & Wilson, M. (2003). NIST SP 800-50: Building an Information Technology Security Awareness and Training Program. NIST. Retrieved on February 7, 2012 from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

[2] Schneier, B. (Unknown). Face-Off: Schneier, Ranum debate security awareness training. Searchsecurity.com. Retrieved on February 7, 2012 from http://searchsecurity.techtarget.com/magazineContent/Face-Off-Schneier-Ranum-debate-security-awareness-training

[3] Dekay, S. (2008). Does Security Awareness Work? Some Answers from Experimental Research. Bloginfosec.com. Retrieved on February 1, 2012 from http://www.bloginfosec.com/2008/04/03/does-security-awareness-work-some-answers-from-experimental-research/

[4] Cokenour, M. (2003). The Value of Security Awareness Training in Relation to Asset Expenditures on Commercial Security Products. SANS. Retrieved on February 4, 2012 from   http://www.giac.org/paper/gsec/3350/security-awareness-training-relation-asset-expenditures-commercial-security-p/105518

[5] Hinson, G. (2011). Applying Newton’s third law to information security. (ISC)2 Blog. Retrieved on February 4, 2012 from http://blog.isc2.org/isc2_blog/2011/11/applying-newtons-third-law-to-information-security.html

[6] Spitzner, L. (2012). Top 3 Reasons Security Awareness Training Fails. Securing The Human. Retrieved on February 15, 2012 from http://www.securingthehuman.org/blog/2012/02/15/top-3-reasons-security-awareness-training-fails





Sophisticated Phishing Attacks

6 12 2011

Most of us have experience with traditional phishing attacks where we receive emails luring us with various financial incentives or asking us to click on links which lead to web pages asking for our SSN, credit card details, and other personal information. The Nigerian Prince is one of the most popular phishing attacks and the majority of us might have come across similar attacks multiple times[1]. Fortunately most of us have become aware of these attacks and follow best practices when it comes to handling such emails. Today, phishing attacks have become extremely sophisticated and attackers have novel ways to collect our personal information. Let us look at a few techniques below:

In-session phishing: Unlike most phishing attacks, this attack does not rely on the user’s ignorance or negligence. It has nothing to do with them clicking on links sent via emails. In a typical attack, a user may legitimately log in to their bank account, and once they are done with their work they might move over to another tab or a different browser window, leaving the bank website open and logged in. The user then may encounter a website injected with malicious code. The malware now opens a pop-up asking the user for their login credentials. The user believes the pop-up is from their bank website and enters details which the attacker now has access to.

There are two conditions needed for this attack to be successful. Firstly, the website must be compromised and infected, and secondly, the downloaded malware for this site must be able to identify whether the user is logged into the secure website (online banking). Users can avoid this attack by logging out of the online banking account once they are done viewing their account details. They should also be wary of popups that ask for their login credentials. Typically, most banks use security mechanisms which log the user out if they have been inactive for more than a specific amount of time. Users have to be aware that banks do not ask users to log into their online banking accounts using a popup.[2]

TabNabbing: This is another innovative sophisticated phishing attack whose name was coined in 2010 by Aza Raskin, a security researcher and design expert. This attack takes into account that a user verifies the URL of the website they are viewing only the first time they open it. Once the browser tab with the website is kept open, users don’t expect it to change into a malicious website. A video depicting this attack is given in this link.

Most users have multiple browser tabs open at the same time. When they are switching between various tabs, they don’t necessarily remember which website is open on which tab. So when they come across a fake Gmail look-alike webpage, they don’t realize the malicious intent in it because they already have their Gmail account open in one of the tabs. They tend to assume that the Gmail account session timed out or that they previously opened the webpage and forgot to sign in. Once they sign in on this fake webpage using their credentials, these details are acquired by the attackers, and the user is redirected to the authentic Gmail account because they had already signed in. This can be practically experienced by going to this webpage, switching to another tab and then going back to the initial tab. You will notice a Gmail look-alike sign-in on the initial webpage.

This is clearly one of the toughest attacks to prevent. One of the ways in which you could prevent this attack, according to Aza Raskin, is by the use of a password manager, i.e., by actively involving the browser in the process of securing your identity and credentials.[3]
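The password-manager defence works because saved credentials are keyed to the exact origin they were saved on, so a tab that has changed into a look-alike sign-in page gets no fill offer. The sketch below of that origin check is an added example, not code from Raskin's post or from any particular password manager; the vault entries, the example.com hosts and the function names are constructed for illustration.

```javascript
// Added illustration: origin-bound credential lookup, the check a password
// manager makes before offering to fill a login form.
// Constructed sample vault: each saved login is keyed to one exact origin.
const vault = [
  { origin: "https://mail.example.com", username: "alice" },
  { origin: "https://bank.example.net", username: "alice01" },
];

// Reduce a page URL to scheme://host[:port]. Returns null when the URL does
// not parse or is not HTTPS, so credentials are never offered on such pages.
function pageOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.origin; // lower-cased host, default port removed, no userinfo
}

// Saved logins whose origin equals the page's origin exactly. There is no
// substring or "looks similar" matching: that is the whole defence.
function entriesFor(urlString, entries = vault) {
  const origin = pageOrigin(urlString);
  if (origin === null) return [];
  return entries.filter((entry) => entry.origin === origin);
}

// Decision a fill prompt would be built from.
function fillDecision(urlString) {
  const matches = entriesFor(urlString);
  if (matches.length === 0) {
    return { fill: false, reason: "no saved login for this origin" };
  }
  return { fill: true, username: matches[0].username };
}

// Constructed URLs: the real sign-in page, then three look-alikes a changed
// tab might show (host suffix trick, userinfo trick, plain HTTP).
function demo() {
  return [
    "https://mail.example.com/login",
    "https://mail.example.com.evil.example/login",
    "https://mail.example.com@evil.example/login",
    "http://mail.example.com/login",
  ].map((url) => ({ url, fill: fillDecision(url).fill }));
}
```

Only the first URL in `demo()` gets a fill offer; a missing offer on a page that looks like a familiar sign-in form is the signal that the tab is not what it appears to be.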

Social Networking Websites: Another form of sophisticated phishing that has become common in recent years is through social networking websites such as Facebook. On Facebook, you tend to know all the details of friends on your friends list. This is further established by personal pictures or status updates posted on their wall. Phishing in this case is not just about a random email or a fax as in the case of the Nigerian prince email. The attackers are making use of the trust between users and their friends for financial gains.

A typical case of this attack is when your friend starts a conversation with you and indicates that he or someone in his family is in big trouble and needs you to help with some monetary aid. Since they have access to the profile they hacked into, they can substantiate their impersonation by verifying names of his family members, etc. If the person in question is a really close friend, you may respond immediately by transferring money to the bank account provided. The risk involved in this attack is significantly lower if the user is aware of such attacks on Facebook. A few suggestions are to cross-verify with information only known to you and your friend, such as details about where you first met, where you last hung out, etc. Sometimes the attacker makes it easy to detect by using incorrect grammar, a different style of speaking than your friend, etc.[4]

The use of social networking websites as a medium for phishing is a cause for concern. According to Microsoft, the number of phishing attacks seeking personal information from users of social networking sites rose from 8.4% in Jan 2010 to a staggering 84.5% at the end of 2010. It also states that 43% of all social networking users have been on the receiving end of phishing attacks as of Dec 2010[5].

To conclude, though companies have been incorporating filters to protect their clients from phishing emails and browsers have been doing their best to protect their users from these attacks, the easiest and the most feasible way is for the users to stay well aware of these attacks. There are quite a few organizations, such as the Anti-Phishing Working Group (APWG), which provide detailed advice on how users can identify and escape phishing attacks as well as what they need to do if they do become a victim of such an attack.[6] There have been several attempts to develop an interactive phishing tool that helps educate users about various ways to identify phishing attacks in a very simple yet efficient manner. One such tool that I tried and highly recommend is Anti-Phishing Phil, developed by CUPS (CyLab Usable Privacy and Security Laboratory)[7].

_______________________

1) http://www.katu.com/news/34292654.html

2) http://arstechnica.com/security/news/2009/01/new-method-of-phishmongering-could-fool-experienced-users.ars

3) http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

4) http://techcrunch.com/2009/01/20/latest-facebook-scam-phishers-hit-up-friends-for-cash/

5) http://blog.zonealarm.com/2011/07/how-phishing-hooks-users.html

6) http://www.antiphishing.org/consumer_recs.html

7) http://cups.cs.cmu.edu/antiphishing_phil/





Social Engineering: Why hack a computer when a person is easier?

10 09 2011

So what is social engineering? Merriam-Webster defines social engineering as the “management of human beings in accordance with their place and function in society”[1]. In terms of information security, I would define a social engineer as someone who modifies human behavior to extract useful information and to achieve a desired result. Because social engineering is quickly becoming more and more popular, it is essential to learn both how social engineering is performed and the methods that are used to prevent these attacks.

Earlier this year, I read a review praising the book Social Engineering: The Art of Human Hacking[2]. The review led me to purchase the book and find out more information on the subject. I can tell you that the information on social engineering in the book is worth reading. The author, Christopher Hadnagy, covers everything from the basics of social engineering (information gathering and elicitation) to the tools and techniques of a social engineer.  Along the way, many real life examples and case studies are presented to show the methods that social engineers use.  More information, along with the social engineering framework developed by Hadnagy, is available on the website[3]. I would strongly recommend that you look at this website if you are unfamiliar with the concept of social engineering.

The book walks through using a social engineering toolkit that comes standard in BackTrack Linux[4]. The toolkit can be easily used to set up a spear phishing attack. I say “easily” because it only requires going through a few menus before the whole attack is produced for you, no code required. This method of attack could be used for many different reasons, including taking control of another’s computer or wiping the memory.

One of the reasons that social engineering is so interesting is that it can be adapted to nearly any situation. In his blog post called “Classroom Ethics 101”, behavioral economist Dan Ariely discusses an experiment where a fake copy of a past exam was sent out to members of his class.[5] The email came from a fake classmate, and he found that about 69% of students accessed the document. If he included an honor code, that number dropped to 41%.  That makes a great way to infect 69% of your peers’ computers during finals week (and to get kicked out of the program yourself).

It is definitely worth knowing that these types of attacks can easily happen and the ways to prevent them. A great real world example comes from something that happened at my former employer. One day, people were walking around installing Microsoft Office upgrades. These people were allowed to plug flash drives into computers without question, and everyone in the company who received the upgrade typed in their password to allow the software to install. While the install was occurring, people would leave and go get coffee.  People trusted them because they had name tags and wore uniforms.

I’m sure that with a little research and practice you could walk into a company, say that you’re there for the upgrade, and use a flash drive on multiple computers. From that point, there are easy ways to get passwords[6]. You were just the upgrade guy wearing a fake nametag and uniform. Now imagine that you actually work for a company and have regular physical access to machines.

As security professionals, we will have to deal with these types of attacks. What policies would you put in place to stop something like this from happening?