Security Awareness Training
Report Card: Incite #11 - Stupidity School
Though distasteful, security professionals will be forced to undertake a structured and comprehensive education program to stop employees from doing stupid things. Given the sophistication of attacks and the difficulty in stopping them at the perimeter, educated personnel may be the only defense.
Grade: B-
Original Days of Incite post: here
Incite Redux post: here
You ready for the good news or the bad news? The good news is that I’m getting far less pushback during conversations about security awareness training. Lots of CSOs remain skeptical because their results with training in the past have been let’s say “underwhelming.” But the message to keep fighting the good fight is starting to resonate.
Tools to test client-side social engineering attacks (like Core’s IMPACT pen testing product) are showing just how acute the problem is, and the fact is the only way to solve this problem is to teach your users to not do stupid things.
The bad news turns out to be a significant impediment to security awareness training, and that is the sheer amount of crap already on the typical CSO’s plate. It seems training initiatives ALWAYS end up at the bottom of the list. Why? CSOs are not trainers and they don’t have time to build a curriculum to teach their users the right thing.
So they need help, and unfortunately there have been scant few options to drive an awareness program for users.
But help should be on the way. One of the most interesting announcements I saw all year was Symantec’s awareness training service (here). I haven’t tooled around in the interface yet (hint, hint), so I don’t know whether it will get the job done or not, or if anyone will buy awareness training from Symantec. But this is a sorely needed service and personally I hope Symantec has great success with it. Not because I want the Big Yellow to continue stuffing their pockets, but because their success will drive other Big Security lemmings to follow with their own offerings.
So I’m still fixated on security awareness training and I’m not ready to give up the ghost yet. It feels a bit like the tide turned late in 2006, but we’ll see.
NetworkWorld Column: Security awareness Cisco-style
It's not a secret that I'm a fan of security awareness training. And I'm usually not one to highlight a vendor doing anything right, but when I took a look at a recent Cisco marketing piece on security awareness (and how to do it yourself), it resonated with me. So I wrote about it and listed the 10 tips in this week's NetworkWorld column.
Check it out: http://www.networkworld.com/columnists/2006/092506rothman.html
Dark Reading's Top 10 IT Security Myths Demystified - Part 3
Returning for Day 3 of my series picking apart Dark Reading's Top 10 Security myths, let's do #5 and #6. The link to the main article is here.
Myth #5 - Employees Always Trustworthy (link here)
Our experts agree that any security strategy which doesn’t include the end user is doomed to failure.
I've been harping on the need for end user awareness training for as long as I've been doing Incite, so I'm totally on board with this one. Actually, I think the title of the myth is a bit misleading: they do mention the insider threat as kind of an afterthought, but most of the piece focuses on training and ensuring the policies and defenses factor in the human element. That means people will do stupid things, even if they are not stupid people.
Thus far, this is the best myth-buster of them all. Correct perspective and written clearly. This one gets an A.
Myth #6 - Bad Guys are Winning (link here)
Behind every successful exploit is usually an improperly configured, maintained, or patched computer, or a clueless user (think lame passwords or clicking on suspicious links or emails). There's plenty of security technology out there, but if you don't deploy it properly, you're asking for it.
Because we are making it easy for them doesn't mean the bad guys aren't winning. Got that? So yes, I totally agree that the most secure firewall in the world isn't worth crap if you don't have the rules configured properly, and that's where many of the incidents originate. They are correct in saying there is plenty of technology to solve the problems, but that doesn't mean we are using it correctly.
That being said, the bad guys are certainly not losing, because there seem to be more of them every day. I'm a firm believer in market economies, and hacking is a booming market. Why? Because these folks are making money. Pure and simple. Whether it's consumer stupidity, configuration ignorance, or bad guy innovation, attacks are working enough of the time to generate a return. So in that respect, the bad guys certainly are winning.
But to me, macro generalizations like that aren't worth much. All that matters is whether they are beating YOU. If your environment is secure and you can prove it to management and the auditors, then YOU are winning. The rest of the world be damned. Too bad for them if they aren't in the same spot.
This one gets a C. Interesting thoughts, but to say that configuring everything correctly will make the problem go away is wrong.