
Monday, 28 Dec , 2015

Never Without The Why: A Cybersecurity Mantra



Do we ask and can we answer the question “Why?” when talking about security? Not just for our employers, but for our peers, and our kids?

If we can’t or we don’t, does it matter?

A while ago I saw Jane Franklin share an excerpt from Metro UK. It’s an old chestnut I’ve seen wheeled out by various media outlets to fill space. Learning to budget is something we have to teach our kids, but in the ever more speedily-interconnected and multiply-smart-deviced future, I thought it needed an Information Security spin.
Kids InfoSec Skills
I got two challenges that gave me significant pause for thought. Firstly, paraphrasing: “Where’s the why?” and secondly, also fairly: “What about the jargon?”.
My response to the former was that good teachers never just dictate; they put knowledge in an engaging context that creates mental hooks to help retrieve and use that information. My response to the latter… fair cop:

  • 2FA (two-factor authentication): Not relying on a password (or any other single thing) to prove you are entitled to access something. Often talked about as combinations of things you know (e.g. passwords), things you have (e.g. tokens or phones), and things you are (e.g. finger or voice prints). The most common version is a password plus a short-lived code generated by an app on your phone or sent to it by text message. The app-generated or hardware-token kind is the stronger one, because text messages can be intercepted or redirected to someone else’s phone.
  • Clean Install: Wiping your computer and starting again with a completely fresh installation of your operating system and programs, so that anything malicious that had crept in goes with the old install.
  • VPN (Virtual Private Network): Creating an encrypted tunnel between your device and a VPN server, so that anyone sitting on the network in between (a coffee-shop Wi-Fi, for example) can’t read the traffic if they grab it. It doesn’t hide your traffic from the VPN provider itself, and it doesn’t protect you from what you download or the sites you choose to log in to.

That unpicks a couple of the woollier terms.
This time of year, when we are all considering whether or not to torture ourselves with resolutions, mine involve that kind of teaching. Not just for my kids, but for parents at my local school, and staff at a couple of firms who have signed up to know more about basic security.

ESET Cyber IQ Test Results via SC Magazine


It’s a growing professional focus since I refuse to subscribe to the idea that training and increasing security awareness is pointless. Not to mention the great weight of evidence that there’s still a dire need.
Not just that, if you delve into the ‘how’ of exploits behind breaches, so many succeed (at least in part), due to lack of basic security knowledge and fundamental good practice.

Destructive nihilism

“But it’s never worked before” or “Better to point all funds at tech solutions that take imperfect people out of the decision making process” some will always cry.
My challenge back? Was it expertly designed, delivered, tailored, monitored and measurable education that failed? Was it training sponsored and financially supported from the top down? Was it about all aspects of trainees’ day jobs that incrementally improve or chip away at security, or was it just about passwords, clear desks and links in emails? Was it a yearly dose of tick-box dictates, or woven engagingly around real motivations, group norms and business realities?
Did you see this Fortune Magazine article, “Does Employee Cybersecurity Training Do Any Good?” Paraphrasing: we found that education was almost universally one-size-fits-all and many didn’t invest in it at all… ergo, it’s pointless.
A ridiculously reductionist and destructive point.
Tweet: https://twitter.com/S_Clarke22/status/670242153084399617

An immunisation effect is achievable. By that I mean persuading a critical mass of people to treat one or more secure behaviours as the norm, and to recognise then refuse requests to behave insecurely. That’s when it embeds as a fact of local cultural life. Thereafter, if reinforced, it’s passed on through peer influence as a natural part of acclimatising to work, or more general interactions with technology.
It’s not a pipe dream. It’s a result of investment, expert effort, and (almost more than anything else), time. Twinned with, but not replaced by, ethical and targeted use of defensive, detective, and behavioural analytics tools. That’s what we haven’t even started to do well. That’s what might start to tackle all but the most persistent residual people risks.

If behaviour couldn’t be changed, then every educator and ad person on the planet would be out of work. Not to mention every nation state and social media giant working overtime to adjust how people interpret, retain and act upon what they’re fed online. 

In other words: Does education fix all our security problems? Hell no! Does it constitute an essential part of the security puzzle? There’s not a single doubt in my mind.

Start them young

Back to the list at the top. Shall we create hooks now, or wait until our exploding ‘easy, quick, cheap’ tech economy normalises a profit-driven disregard for online safety and data security? Shall we let our kids play with clunky kit and encourage them to delve inside, fix and tweak, or should we allow an ‘upgrade-to-fix’ culture for bandwidth, processing, memory and storage (all the more space and speed for whatever bloats, infects and misuses our machines)? Shall we equip them to deal with the online jungle, or strip them of power to interact in the social mediaverse until that power is out of our control?
Can we nudge schools towards this kind of wide focus? A real-life risk-based set of skills for the future. Skills beyond being able to basically code…despite that also being rare. I think we can. I think we can re-attach the ‘why’.
And there you have the point. That ‘why’ is the risk, and the risk is the ‘why’. From the financial hit, to the kids who suffer due to personal data abuse and vicious bullying. The parents who lose their savings to fraud, and with them chunks of the dreams they had for their family’s future. Companies who lose their credibility, reflected briefly in the market, and far longer in the minds of existing and potential customers.

Reinjecting the professional ‘why’

In a trade context, it’s as much about justifying what you chose to do, as justifying what users shouldn’t do. Recently there was a plea from Mayur Agnihoti (InfoSec Officer and Trainer at Ninja InfoSec Services) for Indian hacking teachers and students to scrupulously keep practices in an explicitly ethical context. Acknowledging the extra-delicate tightrope pros in that country often have to tread. In it the focus on ‘why’ was equally strong:

“Teach them clearly that Ethical Hacking is not a game & not for fun. Tell them how important it is and tell them real life scenarios of how it could save a lot of people”

“Real life…” Yes. Please. Always. The only bit I disagree with for hackers (and pros in all other disciplines), is the ‘fun’ part. There is always space for joy in creativity, the buzz of competition, and pride at being the best. It just shouldn’t outweigh the implications of sharing and using knowledge gained.
From a security purchasing point of view, it’s about nailing requirements and assessing the benefits of the next big shiny beepy thing. Avoiding the questions: “Why did we buy this?”, “Why are we paying you?” and “Why did this happen again?” (OPM, TalkTalk, etc, etc, etc).
From a development and change point of view it’s again about requirements, risk assessment, knowledge and embedded top-down accountability: “Why should security be built into the process?”, “Why is the testing budget that big?”, “Why are we going live when critical vulnerabilities (or legally doubtful functions) still exist in this program/website/app?” (Cyber Barbie, Sony PS, Ashley Madison, various car systems, VW emission monitoring, etc, etc, etc), and “Why don’t you want to sign this risk acceptance to explain why, and formally accept accountability for that decision?”.
Circling all the way back to the title, perhaps it can be boiled down to a simple mantra. A mantra that I thought was obvious, but bore emphasis from the person who challenged me:

NEVER without the ‘WHY’

Say, think, do, repeat

A mantra that translates more formally into risk management and more general awareness of personal, business, industry, and global security context:
Why care? Why spend? Why are we accepting this risk? Why is this tool the right solution? Why would criminals expend effort to attack? Why expend effort to defend? Why is this more or less serious than the other hundred things vying for business and personal attention? Why is this more or less likely to affect a target audience?
Things we are bad at adding to our pen test reports, threat intel offerings, sales pitches, budget applications, research papers, exploit showcases, and metrics. Drums (in both my InfoSec and parental worlds) I will never stop banging. Drums we have to teach pros in all cyber/info/data security disciplines to play clearly, while introducing the same to our kids as a foundation for their relationship with technology.
“Why don’t you share personal details with your Minecraft friends?”
“Why are we updating the computer?”
“Why do you use a password safe?”
“Why do you have a VPN?”
“Why do you have to check with me before downloading new apps?”
If you don’t ask and can’t answer does it matter?
Yes, if you don’t want them to become the next generation of cybersecurity threats, or tunnel visioned security pros, it very much does.

Related Articles:
Diary Of An InfoSec Kid – Mindfulness, Moshi Monsters & Minecraft (with links to straightforward advice)
Missing Context Is The Greatest Cybersecurity Threat
Security Awareness Is For Life Not Just For Compliance
There Is No Such Thing As Cybersecurity Risk
