Do we ask and can we answer the question “Why?” when talking about security? Not just for our employers, but for our peers, and our kids?
If we can’t or we don’t, does it matter?
A while ago I saw Jane Franklin share an excerpt from Metro UK. It’s an old chestnut I’ve seen wheeled out by various media outlets to fill space. Learning to budget is something we have to teach our kids, but in the ever more speedily-interconnected and multiply-smart-deviced future, I thought it needed an Information Security spin.
I got two challenges that gave me significant pause for thought. Firstly, paraphrasing: “Where’s the why?”, and secondly, also fairly: “What about the jargon?”.
My response to the former was that good teachers never just dictate, they put knowledge in an engaging context that creates mental hooks to help retrieve and use that information. My response to the latter…fair cop:
- 2FA (two-factor authentication): Not just relying on a password (or any other single thing) to prove you are entitled to access something. Often talked about as combinations of things you know (e.g. passwords), things you have (e.g. tokens or phones), and things you are (e.g. finger or voice prints). The commonest version is using a password and a code generated by or sent to a phone.
- Clean Install: Wiping your computer and starting again with a completely fresh installation of your operating system and programmes.
- VPN (Virtual Private Network): Creating a tunnel around information you exchange with the internet that scrambles traffic en route. It makes the traffic harder to snoop on if it’s grabbed by a bad guy.
To unpick a couple of the woollier terms.
This time of year, when we are all considering whether or not to torture ourselves with resolutions, mine involve that kind of teaching. Not just for my kids, but for parents at my local school, and staff at a couple of firms who have signed up to know more about basic security.
It’s a growing professional focus since I refuse to subscribe to the idea that training and increasing security awareness is pointless. Not to mention the great weight of evidence that there’s still a dire need.
Not just that, if you delve into the ‘how’ of exploits behind breaches, so many succeed (at least in part) due to lack of basic security knowledge and fundamental good practice.
“But it’s never worked before” or “Better to point all funds at tech solutions that take imperfect people out of the decision making process” some will always cry.
My challenge back? Was it expertly designed, delivered, tailored, monitored and measurable education that failed? Was it training sponsored and financially supported from the top down? Was it about all aspects of trainees’ day jobs that incrementally improve or chip away at security, or was it just about passwords, clear desks and links in emails? Was it a yearly dose of tick-box dictates, or woven engagingly around real motivations, group norms and business realities?
Did you see this Fortune Magazine article? “Does Employee Cybersecurity Training Do Any Good?” Paraphrasing: We found that education was almost universally one-size-fits-all and many didn’t invest in it at all… ergo, it’s pointless.
A ridiculously reductionist and destructive point.
An immunisation effect is achievable. By that I mean persuading a critical mass of people to treat one or more secure behaviours as the norm, and recognise then refuse requests to behave insecurely. That’s when it embeds as a fact of local cultural life. Thereafter, if reinforced, it’s passed on through peer influence as a natural part of acclimatising to work, or more general interactions with technology.
It’s not a pipe dream. It’s a result of investment, expert effort, and (almost more than anything else), time. Twinned with, but not replaced by, ethical and targeted use of defensive, detective, and behavioural analytics tools. That’s what we haven’t even started to do well. That’s what might start to tackle all but the most persistent residual people risks.
If behaviour couldn’t be changed, then every educator and ad person on the planet would be out of work. Not to mention every nation state and social media giant working overtime to adjust how people interpret, retain and act upon what they’re fed online.
In other words: Does education fix all our security problems? Hell no! Does it constitute an essential part of the security puzzle? There’s not a single doubt in my mind.
Start them young
Back to the list at the top, shall we create hooks now, or wait until our exploding ‘easy, quick, cheap’ tech economy normalises a profit-driven disregard for online safety and data security? Shall we let our kids play with clunky kit and encourage them to delve inside, fix and tweak, or should we allow an ‘upgrade-to-fix’ culture for bandwidth, processing, memory and storage (all the more space and speed for whatever bloats, infects and misuses our machines)? Shall we equip them to deal with the online jungle, or strip them of power to interact in the social mediaverse until that power is out of our control?
Can we nudge schools towards this kind of wide focus? A real-life risk-based set of skills for the future. Skills beyond being able to basically code…despite that also being rare. I think we can. I think we can re-attach the ‘why’.
And there you have the point. That ‘why’ is the risk, and the risk is the ‘why’. From the financial hit, to the kids who suffer due to personal data abuse and vicious bullying. The parents who lose their savings to fraud, and with them chunks of the dreams they had for their family’s future. Companies who lose their credibility, reflected briefly in the market, and far longer in the minds of existing and potential customers.
Reinjecting the professional ‘why’
In a trade context, it’s as much about justifying what you chose to do, as justifying what users shouldn’t do. Recently there was a plea from Mayur Agnihoti (InfoSec Officer and Trainer at Ninja InfoSec Services) for Indian hacking teachers and students to scrupulously keep practices in an explicitly ethical context. Acknowledging the extra-delicate tightrope pros in that country often have to tread. In it the focus on ‘why’ was equally strong:
“Teach them clearly that Ethical Hacking is not a game & not for fun. Tell them how important it is and tell them real life scenarios of how it could save a lot of people”
“Real life…” Yes. Please. Always. The only bit I disagree with for hackers (and pros in all other disciplines), is the ‘fun’ part. There is always space for joy in creativity, the buzz of competition, and pride at being the best. It just shouldn’t outweigh the implications of sharing and using knowledge gained.
From a security purchasing point of view, it’s about nailing requirements and assessing the benefits of the next big shiny beepy thing. Avoiding the questions: “Why did we buy this?”, “Why are we paying you?” and “Why did this happen again?” (OPM, TalkTalk, etc, etc, etc).
From a development and change point of view it’s again about requirements, risk assessment, knowledge and embedded top-down accountability: “Why should security be built into the process?”, “Why is the testing budget that big?”, “Why are we going live when critical vulnerabilities (or legally doubtful functions) still exist in this program/website/app?” (Cyber Barbie, Sony PS, Ashley Madison, various car systems, VW emission monitoring etc, etc, etc), and “Why don’t you want to sign this risk acceptance to explain why, and formally accept accountability for that decision?”.
Circling all the way back to the title, perhaps it can be boiled down to a simple mantra. A mantra that I thought was obvious, but bore emphasis from the person who challenged me:
NEVER without the ‘WHY’
Say, think, do, repeat
A mantra that translates more formally into risk management and more general awareness of personal, business, industry, and global security context:
Why care? Why spend? Why are we accepting this risk? Why is this tool the right solution? Why would criminals expend effort to attack? Why expend effort to defend? Why is this more or less serious than the other hundred things vying for business and personal attention? Why is this more or less likely to affect a target audience?
Things we are bad at adding to our pen test reports, threat intel offerings, sales pitches, budget applications, research papers, exploit showcases, and metrics. Drums (in both my InfoSec and parental worlds) I will never stop banging. Drums we have to teach pros in all cyber/info/data security disciplines to play clearly, while introducing the same to our kids as a foundation for their relationship with technology.
“Why don’t you share personal details with your Minecraft friends?”
“Why are we updating the computer?”
“Why do you use a password safe?”
“Why do you have a VPN?”
“Why do you have to check with me before downloading new apps?”
If you don’t ask and can’t answer does it matter?
Yes, if you don’t want them to become the next generation of cybersecurity threats, or tunnel-visioned security pros, it very much does.
- Diary Of An InfoSec Kid – Mindfulness, Moshi Monsters & Minecraft (with links to straightforward advice)
- Missing Context Is The Greatest Cybersecurity Threat
- Security Awareness Is For Life Not Just For Compliance
- There Is No Such Thing As Cybersecurity Risk