Name: K. Rudolph, CISSP
Position: CIO (Chief Inspiration Officer)
Company: Native Intelligence Inc.
Name: K. Rudolph, CISSP
Dancho: Hi Kaie, nice to have you in our first SecurityTalk discussing the importance of Security Awareness programmes and the problems related to the education of end users.
I would appreciate if you provide us with more info on your professional background and your experience as a Security Awareness Programmes' director?
Kaie: Hi Dancho, I'm the Chief Inspiration Officer of Native Intelligence, Inc., where we are focused on security awareness. I'm a Certified Information Systems Security Professional (CISSP) with a degree from Johns Hopkins University. I've also been a Certified Information Systems Auditor (CISA). I'm the primary author of the chapter on security awareness (Chapter 29) from the Computer Security Handbook, Vol. 4, published in 2002, and I'm the author of the chapter on security awareness in the soon-to-be published Handbook of Information Security.
One of my favorite quotes is from the Wizard of Oz, where the Scarecrow has asked the Great Oz for a brain. The Wizard answers something along the lines of, "Well, I can't give you a brain, but I can give you a diploma." It's possible to have certifications and credentials and still not have the experience needed to do a job well. Fortunately, I also have more than 15 years experience in information technology security. I've been focused on awareness since 1995.
The web-based awareness courses designed by Native Intelligence, Inc. have been completed by individuals around the world, and more than 500,000 people have completed one of our courses. Each course is specific to the client, and for one client we've provided the course in 3 languages, with a new language to be added this year. Our posters have been shipped throughout the world.
Awareness of security concerns is on the rise. The culture in corporations and government offices is changing when it comes to awareness - a recent article in the New York Times noted that people who open attachments that cause their systems to become infected with a virus are starting to experiences reactions of surprise, shock,and "shame on you," rather than sympathy.
Dancho: That's a pretty significant experience in the Information Security field, congratulations on your achievements and the popularity of the Native Intelligence, Inc. courses as well. During the last couple of years, the basic fact that the end users' lack of knowledge on the information security issue can completely render all other security implementations useless, set the foundations of the Security Awareness Programmes, and turned them into a valuble and unseperable part of the security cycle. But let's face it, the majority of companies and organizations are still far behind the level of security they should have built in, and management still thinks security is rather a product than a process, thereby ignoring the importance of the "security through education" approach.
When approaching executives, what's your strategy while trying to convince them of the urgent necessity of the Awareness Programme - how would you justify the results, and how would you address a situation where the company believes that using perimeter defense and limiting the end user's control over the machine will completely solve the problem possed by the uneducated staff member?
From my personal experience I can tell that as far as the programme is concerned, managers are looking for clear ROI results in the short-run, yet another barrier for the programme's director in terms of the short mandate given to prove the efficiency of the knowledge the staff members acquire. What do you think on that, Kaie?
Kaie: Awareness is not always the most urgent need when it comes to information security. If there's a need that is more urgent, let's say the organization has no security policies (and don't laugh, I'm working with one now where this is the case), or doesn't know what their vulnerabilities are, the IT security awareness program is either developed simultaneously with the policies and risk evaluation, or more often, it waits and is used to help introduce the changes.
Both management and technical staff often view computer security as a technology problem. They use sophisticated hardware and software solutions to control access, detect potential intrusions, and prevent fraud. The reality is that computer security is a people problem:
people do not perform work consistently;
they get tired and may perform tasks erratically;
they may get angry (at the organization, their spouse, their boss, or just at work in general) and intentionally try to disrupt or compromise operations;
they may cause system failures by independently "improving" business processes; or they just don't follow established policy and procedures.
Connecting computers into networks significantly increases risk because network security depends on the cooperation of every user. A single individual who allows his or her desktop computer to be compromised places every interconnected system and their associated assets at risk.
The good news is that while people are the IT security problem, they are also its solution. People are more perceptive and adaptive than hardware/software components. Thus, if properly trained and motivated, they can be the strongest and most effective security countermeasure.
Starting an awareness program is not as easy as one might expect. Although when asked, people seem to recognize the benefits of an awareness program, they are still reluctant to devote financial resources and staff time. It is relatively easy to identify the cost of an awareness program, but more difficult to quantify its benefits. This is a primary reason that the U.S. Government made maintenance of a computer security awareness program mandatory (under FISMA - the Federal Information Security Management Act of 2002).
One of the challenges is to get management to recognize the importance of its contribution in terms of visible support, leading by example, and providing the financial resources to back it's commitment. You're absolutely on target that management wants to see the Return on Investment (ROI), and that usually means that you need metrics.
Possible metrics include:
Answers to survey questions, such as, "In the past three months, have you seen a password on a sticky note in your work area?"
Number of reported incidents - this number should rise as more people become aware of the reporting requirement, then stabilize or fall as preventive measures are improved;
Attendance at previous awareness activities - actions can be taken to encourage organizations whose staff have not participated in awareness activities;
Percent of staff who have completed an on-line course;
Estimated dollar value of losses experienced due to security incidents;
Number of reported instances of lack of compliance with policy (e.g., failure to activate a secure screen saver when leaving their desktop unattended);
The quantity and quality of interactions between security personnel and staff (e.g., requests for help, specific questions).
Note that the survey questions, number of people completing an on-line course, and many of the interactions between staff and security personnel can be tracked with an on-line course that is designed to collect feedback. We worked with one organization where management was adamant that no one in the organization would ever leave a password written down in plain view in their workspace, so we included the question above asking if the end users had seen passwords on sticky notes in the last 3 months. The survey results showed that 67% said, "yes." This was an eye-opener for management.
Management resistance is often based on expending funds on something perceived as a low priority or on concerns about balancing security with operational needs. Although the time and effort to build a strong security program is not trivial, it is far less by comparison with the time and effort required to deal with just one serious incident. Some security professionals recommend pointing out that insurance policies require continuous funding but are not often used; however, few organizations choose to forgo those costs. Another incentive for organizations is that many contracts require information security programs - especially when the contract is for the government or if it deals with intellectual property belonging to customers, e.g., contracts for hardware or software design services.
One of the most convincing things to present management with is real world stories, especially ones about organizations that are similar in size or business purpose. You can show them the choice of being a good example or a horrible warning. Also, it's important to ensure that they know that "overnight successes" take time. Changing the security culture within an organization can take 4-5 years, so the awareness efforts need to be viewed (like security) as a process.
Dancho: I agree with you, real world stories happen to be very useful when trying to convince management in the benefits of a Security Awareness Programme, especially the ones related to espionage. Managers always seek for efficiency, but a cost-effective one; however, a large number of them are in a situation where they're literally flooded with information on various security measures that must be implemented, tests to be done, etc. and the Security Awareness education is often left behind as the final stage of security. As a result, the staff members have already learned to behave insecurely from the beginning, making it twice as hard for the programme's director to change their insecure behaviour.
Something else to consider is the fact that the majority of corporations are outsourcing their security risks and duties to managed security solutions providers, which I believe should establish partnerships with experienced and respected Security Awareness companies, so that the education process starts when the first IDS is put online, what do you think about that?
Kaie: Yes, almost always companies have computers long before they have Intrusion Detection Systems (IDS), so the natural behavior patterns (for example choosing convenience over security) and attitudes are well-established.
Fortunately, events such as an audit finding, current news (e.g., that a new and destructive virus is spreading quickly), policy changes, or installation of a new security countermeasure, such as an IDS, offer good opportunities to launch a security awareness program or campaign.
Many companies with respected names in security are established or entering the awareness market, and even companies in the learning management system (LMS) market are offering security awareness courses as part of their curricula, so the opportunities to outsource security awareness are plentiful.
While many organizations do outsource their security needs, including security awareness, outsourcing is not without risk. It's important to use an awareness provider that has solid experience and a good track record of providing programs and courses. One would not want to use an awareness provider who has security knowledge, but is not skilled in virtual learning or who doesn't have talent and enthusiasm for teaching or explaining technical concepts in terms understandable to one's grandmother. Outsourcing to an awareness provider with a lot of experience can help organizations avoid working with a firm that may disappear (for example, Salinas Network Services was one of the largest firewall management companies, but it recently disappeared because the business of managing firewalls for other companies wasn't profitable). Also, a new awareness vendor may discover that while they're a great company for providing intrusion detection systems, they're not really prepared to address awareness.
The paradox is that while awareness ought to be simple - it takes an effort to do it well. A writer has been quoted often as saying, "If I had more time, I would have written a shorter letter." This makes sense, because it takes time and experience to create a simple, attention-holding, clear, and concise awareness program. Also, awareness programs and materials that are poorly done may be worse than having no awareness program at all because they are likely to promote resistance and resentment in the audience while offering a false sense of accomplishment to management.
Outsourcing awareness can work well because awareness requires several types of expertise to do well (educational, marketing, and security expertise and possibly course design and usability expertise). Using an awareness provider that has done a lot of awareness programs offers the advantage of having experts who have seen most of the problems that can be experienced with a program and can guide the organization safely through the hazards to a successful result. A company with a lot of experience will be able to tailor the program to the organization's environment and platforms, as well as tailor the content to fit the organizational culture, provide a strategy for dealing with unions, and present the material in a way that reaches the broadest audience and meets the organization's requirements, e.g., being accessible to disabled course takers or producing the desired metrics.
Another thing that many organizations look for an awareness provider is one who offers the option of responding to individual user feedback rather than merely establishing a program or web course and then leaving the organization on their own to deal with the results. Most organizations have security officers and network administrators who are far too busy with day-to-day events to take the time to sort through the feedback that an awareness program should generate and to research user questions and provide clear and useful answers. It's not cost-effective for them to hire someone just to deal with awareness issues. An awareness provider that sees the same issues across a wide range of organizations is in a better position to efficiently and carefully provide this service, which is another reason why outsourcing awareness is an excellent idea.
Dancho: It's true that the U.S. government is taking serious measures to increase the overall importance of Security Awareness Programmes. How fast is the awareness programme's market growing in the rest of world by your observations? You've mentioned that more than 500,000 people have completed one of your courses, I believe a large number of which are a non-U.S.residents.
Kaie: Based on what I've seen, it's growing pretty fast globally. The recent terrorist attacks in Spain, and elsewhere, including the events in the United States on September 11, 2001 raised awareness of security concerns worldwide. Business, government organizations, and individuals have reexamined and improved their security measures to address the escalation in world tensions.
Dancho: By the way, Kaie, are there still companies without a security policy? And how surprised were they when they've found out the huge number of unknown entry points for an intruder, after someone started evaluating their assets?
Kaie: Yes, there are still companies without security policies. Some are small and medium size businesses, others are larger and their management has simply had other priorities. If the burglar alarm at a grocery store stops working, management usually doesn't close the doors and turn customers away; management is more concerned with the loss of daily sales than with the threat of loss from burglary (which hasn't yet occurred). Security practitioners often face an uphill battle because not everyone views security as an essential function that supports the primary mission of the organization.
Companies that are not required by law to address security often develop security policies in reaction to an event or circumstance. For example, after the 1993 bombing of the World Trade Center in New York, many companies developed disaster recovery plans.
The trends in malicious software (shorter time from vulnerability discovery to virus release, faster and wider spreading, etc.) and the increasing number of news stories about security and privacy have helped to raise awareness of the need to plan for security, rather than try to react to an event after the fact. Realistically, companies that do not plan for security events may not survive them. So, while there are companies without security policies, I expect that this will change as the perceptions of the value of security change.
Regarding your second question, let's just say that risk assessments can be eye-opening experiences for management, especially the ones that attach a dollar value to the occurrence of a successful threat. For example, in late 2003, Wells Fargo experienced a security breach when computers containing customer's personal information were stolen. Wells Fargo set up new accounts for all the affected customers, paid for the customers to access their credit reports, and paid for each customer to have a year's membership in Privacy Guard. A Japanese company recently responded to the theft of 4.5 million customer's personal data by announcing that the company president and six of the top executives would go without pay for the next six months. These are numbers that managers can understand and appreciate.
Dancho: Government regulations play a critical role as far as the future of Infosec is concerned, what is your opinion on the Californian SB 1386 law, namely that companies should notify their customers in case of an intrusion that exposed sensitive information to a hacker? Moreover, do you think the media reporting and making a story of companies reporting an accident with their security, won't do anything else besides damage their reputation even more?
Kaie: According to the Federal Trade Commission, identity theft is the fastest growing white-collar crime in the U.S. Privacy protection is important to me personally, so I'm in favor of SB 1386.
SB 1386 became effective on July 1, 2003. It requires any business or agency that uses a computer to store confidential personal information about a California resident to immediately notify that individual upon discovering any breach to the computer system on which this information is stored. Failure to notify the individual could subject the business/agency to civil damages and lawsuits.
I'm in favor of SB 1386 for several reasons:
If you tell me that my data might have been compromised, that gives me the option to change the information, if possible (e.g., a credit card number or checking account number) or at least be more alert to potential fraudulent transactions being made in my name.
Making firms tell people when a breech of their security caused their consumers and employees potential problems begins to hold firms accountable for their actions. This also helps me to decide which firms to conduct business with.
Disclosures would help provide metrics on the frequency and methods of online attacks.
The regulation may help IT managers and security managers justify security improvements.
From a business owner's perspective, I see this as an opportunity. All mandatory laws result in costs to businesses, but savvy businesses will recognize that the cost of disclosure is small when compared to the cost of potential lawsuits and the possibility of having to go out of business. How a company deals with breaches can increase the level of trust placed in the company from employees and customers. Their perceptions of whether the company followed the letter and spirit of the law in situations where there is a violation can improve the company's reputation and even increase the viability of the business. How companies handle such problems is also a sign of whether the company understands the real problem (they put their customers/employees at risk of identity loss or worse). Anyone can make a mistake. How that mistake is rectified determines if you are dealing with a company that deserves to have your long-term business.
Rather than go by media reports, which are often intended to sell papers ("if it bleeds, it leads"), I'd like to see an organization (possibly the Better Business Bureau or the State Attorney's office) track the number and severity of these breaches and rate the company's responses. If this information was available to the public, it could become a marketing plus for firms that don't have failures or that respond responsibly. Also, the number and severity of security failures could be used to demonstrate whether a particular management team is fulfilling their fiduciary duty to protect customer data and company operations.
The law should motivate businesses and agencies to improve their security infrastructures, and ultimately, that's a good thing.
Dancho: Something else I wanted to ask you about, managers often blame IT security managers or the ones in charge of security, that they've invested quite a lot of money into implementing the requested protective measures, and there're still intrusions happening, how would you go if you were to convince such managers that there's no 100% security and that even the biggest corporations have such problems, while on the other hand the idea is to achieve as much security as possible?
Kaie: It all depends on the type of security failure. If I took the money and spent it on the latest and greatest intrusion detection tool while the failures were resulting from not having changed the default passwords on a server, then I should be held accountable as I'd have spent the money poorly. As with any risk-based decision, a security officer must evaluate the threats and vulnerabilities and allocate available resources to minimize risk. Management understands that business decisions are never 100% assured. Where security managers get themselves into trouble is that practitioners tend to focus on the latest published attack or install the most advertised product as a "silver bullet," rather than take a balanced approach of risk mitigation. For many businesses, the objective is not to have as much security as possible - it's to protect corporate assets without crippling the company's profitability.
Dancho: Kaie, the Security Awareness Market is going very rapidly, what do you think about its future trends, will the "security through education" model shift in the near future, or it will be widely used to enhance the security within any organization, and as far as the future of Infosec is concerned, what are the major threats the world will be facing in the next couple of years, based on your views?
Kaie: If the security model doesn't shift, we will be in big trouble. Right now, the focus seems to be on providing awareness to everyone; providing limited security training to system administrators, etc., (to tell them how to implement a limited set of controls to keep the auditors happy); and creating an IT security profession based on mountains of guidelines and standards. This will lead to an environment where everyone understands that IT security is weak and "shelf-ware" will be created to show that systems can check off every required security box, but there will be little improvement. Worse, in this environment, no one will be held accountable because they followed all the rules, but no one asked whether the rules being followed are correct.
The training/education model needs to focus on placing the knowledge of security vulnerabilities into the hands of those who most need it - system designers and developers. This should not be in the form of rigid checklists or templates that allow people to fill in the blanks, yet still design bad systems. A cardinal rule should be that systems should do what they are supposed to do, and nothing more (i.e., systems should not perform actions that they are not intended to perform).
Regarding awareness and "security through education," many organizations have one of two modes for security: denial or hysteria.
A more balanced approach is needed because, as Becky Worley says in her book, Security Alert, "while the sky isn't falling, it's raining" - it's raining identity theft, malicious software, and online attacks.
There's a lot of truth to the saying that knowledge is power. Putting the right information in the hands of the right people - programmers, administrators, managers, and end users - will do more for security than intrusion detection and firewalls.
I think that the major near-term threats are:
Organization/government-sponsored attacks. Currently, attackers seem to be looking for an immediate payback in terms of operational disruption to the target, publicity, etc. More focused attacks can wait longer periods for a payback (e.g., alter 50 records a week for five years so that the changes are more difficult to identify and correct).
Poor programming practices. In the rush to market, software is released to the pubic today that would not be acceptable for beta testing in prior years. When you are dealing with desktop systems, the impacts are relatively minor compared to when the same customer "test" approach is used for primary business processes (e.g., supply-chain management, production control systems). In those situations, a failure could be catastrophic. Poor programming practices also create vulnerabilities that can be exploited by attackers. For example, buffer overflow attacks have been around for many years yet these attacks are still popular and effective, when they could be prevented.
"Split software" attacks where malicious code is split into separate modules. The modules are then
distributed independently to avoid detection. The software only performs a noticeable action when multiple modules are installed on the same machine - which may happen right away, a week or month from now, or never. Or they might occur when a "trigger" is detected, such as a cookie with specific content.
Dancho: Thanks for this talk, Kaie, nice to have you!
Kaie: You're most welcome. Thank you for the invitation to talk with you.