Light my fire – user awareness in cyber and IRL
This article was going to be about one of the pillars of IT security, one that, as it turns out, is eroded and crumbling. Unfortunately the same issues apply in real life, outside of cyber.
That pillar is `awareness education`.
The unspoken assumption behind it is that users are the weak link we don’t control, and that this weak link can be fixed with proper education. Give the user a PDF to read, two hours in a classroom or a YouTube video to watch, and everything will solve itself.
This has been a “must do” for at least the last 20 years, possibly longer. You can’t walk past any infosec department without finding tasks related to awareness on the board.
Does it work? Dogbert summarizes it well: http://dilbert.com/strip/1992-06-23
The IRL aspect is that Sweden has, over the last few months, been affected by higher than normal temperatures without any rain to speak of. This has resulted in an unusually large number of forest fires causing large-scale damage. https://www.krisinformation.se/handelser-och-storningar/2018/brandrisk2018/in-english-about-the-forest-fires
Even though no one in Sweden could possibly have missed this fact, the police are getting frustrated with people barbecuing in nature and arguing about why they should be allowed to.
In a sense, the media have been running a large-scale awareness campaign for weeks at the time of writing. Did it work? No, people still use disposable barbecues and cause fires. Supermarkets are still advertising barbecue gear that is totally unsuitable, since in most places you aren’t allowed to light any fire at all.
How is awareness regarding IT security supposed to work if dire warnings about fires don’t work?
Case in point – passwords
Passwords have been a well-known issue for more or less as long as people have had access to computers. The book “Out of the Inner Circle” and the movie “WarGames” are good 80s examples of the problem.
30 years later, passwords such as Summer2018 and Companyname34 are still in use. The only reason “Pencil” from WarGames is not used today is not a lack of users trying; it is that any self-respecting password policy requires at least 8 characters.
The reason it doesn’t work for a large number of users is that it is not part of their view of the world. Passwords are viewed as an annoyance invented purely by infosec so that users can do as little proper work as possible. Some people can’t remember faces, others can’t remember passwords. Many have problems remembering the four-digit PIN for their credit card, and keep the card and a Post-it with the PIN together….
In a sense, a large subset of users are like the elderly: too trusting, too easily fooled, not adapted to the modern world. Just as with the elderly, there are people out there taking advantage of this.
Heresy in the church of awareness
The problem we’ve seen is that IT people tend to think non-IT people see things the same way IT people do. We see ourselves in them and assume they attach importance to the same things, see the same problems and possibilities. In a sense, that everyone has the same view of what common sense is.
But they don’t, at least not all of them.
Or, to use another analogy, it is like trying to explain the merits of a certain religion to an atheist, and trying to convince that person that good passwords stop you from getting torched in hell. There are many infosec atheists in the world…
People with common sense
There is a large number of users who are not part of the problem; it is those users who will report suspicious emails or USB devices dropped in the parking lot. Such users are worth their weight in gold: their unselfish actions protect everyone else. Cultivating a culture (yes, awareness in action) where people report suspicious emails will increase security for all users, not just the ones doing the reporting.
In the end, who reports and who does not is, just as with passwords, highly dependent on the individual.
People without self preservation
Many don’t report, and a respectable number, between 10 and 30%, actually fall hard for phishing emails. And let’s face it, those are not APT-grade attacks; some of them are so bad you would assume they could never work.
This happens even at times when there have been both company-internal information campaigns and articles in popular media warning about a number of easily identified phishing/malware campaigns. The 10-30% falling for those campaigns seem oblivious to such alerts.
We’ve asked a significant number of users whom we detected submitting their passwords to phishing sites about their password-change habits. A significant number, as in more or less 100%, use the “+1 method” of changing passwords. They go from Summer18 to Summer19, and so on. This is a lot more than slightly worrying: it means that their passwords, including future passwords, will be forever compromised.
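As an added example (not code from the original post), the Python script below shows both sides of the +1 method: what an attacker can predict from a single phished password, and the kind of password-change check that rejects such variants instead of hoping awareness stops them. The sample password changes are constructed after the Summer18/Summer19 pattern above; the function names and the 8-character minimum are assumptions of this example, not a policy the post describes.

```python
import re

# Trailing-number pattern: stem + digits + optional trailing punctuation,
# e.g. "Summer18", "Summer2018!", "Companyname34".
_SUFFIX = re.compile(r"(.*?)(\d+)([^A-Za-z0-9]*)")


def split_stem_suffix(password):
    """Split a password into (stem, digits, trailer).

    digits is None when the password has no trailing number:
      "Summer18"    -> ("Summer", "18", "")
      "Summer2018!" -> ("Summer", "2018", "!")
      "Pencil"      -> ("Pencil", None, "")
    """
    m = _SUFFIX.fullmatch(password)
    if m is None:
        return password, None, ""
    stem, digits, trailer = m.groups()
    return stem, digits, trailer


def predict_successors(compromised, horizon=3):
    """Attacker's view: the passwords a "+1 method" user will pick next.

    One phished password yields the next `horizon` guesses. Zero padding is
    preserved, so "Pass09" predicts "Pass10", not "Pass010".
    """
    stem, digits, trailer = split_stem_suffix(compromised)
    if digits is None:
        return []
    n, width = int(digits), len(digits)
    return [f"{stem}{str(n + k).zfill(width)}{trailer}" for k in range(1, horizon + 1)]


def is_trivial_variant(old, new):
    """Defender's view: could `new` be guessed from `old` with the +1 method?

    True when both share the same stem (case-insensitive) once the trailing
    number and punctuation are removed. This covers Summer18 -> Summer19,
    Summer2018 -> summer2019! and Pencil -> Pencil9 alike.
    """
    if old.casefold() == new.casefold():
        return True
    old_stem, _, _ = split_stem_suffix(old)
    new_stem, _, _ = split_stem_suffix(new)
    return bool(old_stem) and old_stem.casefold() == new_stem.casefold()


def evaluate_change(old, new, min_length=8):
    """Password-change check that makes the +1 method impossible rather than
    merely discouraged. Returns (accepted, reason). The 8-character minimum
    is an assumed policy value for this example."""
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    return True, "ok"


# Constructed sample changes, modelled on the Summer18 -> Summer19 pattern.
SAMPLE_CHANGES = [
    ("Summer18", "Summer19"),
    ("Summer2018", "summer2019!"),
    ("Companyname34", "Companyname35"),
    ("Summer18", "correct horse battery staple"),
]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        accepted, reason = evaluate_change(old, new)
        verdict = "ACCEPT" if accepted else "REJECT"
        print(f"{old:>14} -> {new:<28} {verdict}: {reason}")
    print("guesses after phishing Summer18:", predict_successors("Summer18"))
```

Two caveats for anyone adapting this. The check in `evaluate_change` only works where the old password is available in clear, which in practice means at change time, when the user types both the old and the new one; it cannot be run retroactively over a store of hashes. And `predict_successors` is the attacker’s side of the same coin: after a detected phish, it is exactly the list of guesses to expect against the account until the password is changed to something with a different stem.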
The way forward
Of course awareness will have its place, as it should. We just need to know whom to target and with what information. Don’t go the Dogbert way; instead, target those with common sense.
Let’s help those who have the `awareness mindset` and give them the information they need to protect themselves. What does phishing look like today? What are the latest threats you must be aware of?
For the others, technology must instead make it `easy to do right, hard to do wrong`, preferably without making it impossible for them to do their daily work. Don’t assume awareness will solve the problem.
Don’t assume people will not light a disposable barbecue on a nice warm vacation just because there is an obvious danger that it could cause a massive forest fire. Don’t assume supermarkets won’t sell them if there is demand.
The way forward is, in other words, not to assume that information will solve anything. It is technology that will help; information is only useful to those who are able to act on it.
Or perhaps, ban disposable barbecues this summer, because too many won’t listen.
Written by @rndHashValue