Laura Bell is the founder and lead consultant at SafeStack. With a background in software development, penetration testing and information security, Bell has made a career from challenging traditional fear-based formal governance approaches. In her plenary session presentation at AusCERT 2015, Bell put the challenge out to change the way we approach human security risk. Her call is “Let's protect our people”.
Invoking the old “People, Processes and Technology” mantra that formed part of almost everyone’s IT education, Bell said we focus so much of our attention on “magic boxes… because we don’t have to sympathise or empathise with a computer. We can do bad things to it all day long and it will never cry, never complain to our managers”.
“But we all know technology is only part of the problem,” Bell says. “The rest of it is people and processes”.
The people issues are complex, says Bell. We live in a very complex world but we also think we know what’s in front of us. That’s why phishing emails with misspelled words work – we simply don’t see the mistakes a lot of the time.
One of the most common approaches applied to dealing with the human element of security is to use “security awareness training”. But this approach is flawed in Bell’s view.
“Compliance has us racing to the bottom”.
Citing PCI, ISO, federal regulations and other obligations, Bell says that focus has us missing the point.
“This is not how humans learn. We have forgotten about the entire world of education but found clipart”, Bell says, while reminding the audience about some of the horrible security awareness posters many of them had in their offices, and advising them to burn them.
She had much the same advice for security awareness videos.
One of the issues is that the effectiveness and return on investment of security awareness is rarely measured. In contrast, the adversaries are measuring the effectiveness of their efforts and refining their campaigns based on those metrics.
With email such an effective attack vector, Bell told the AusCERT delegates many of her clients globally were moving away from email as a core communications platform, preferring chat-based systems. This was an example of moving away from vulnerable platforms rather than investing in expensive tools that are decreasingly effective against fast-moving and well-resourced adversaries.
In advocating for a people-based approach, Bell and her team have developed AVA (Assessment, Visualization and Analysis). This tool maps what is often missed by organizational charts – or organograms, as Bell quaintly called them, in the hope of resurrecting that term.
By mapping the actual relationships between people, departments and data, it becomes possible to assess a company and find the real, often unknown, points of risk.
“If we applied the same mindset as we do for testing technology to humans; what if we can have that same cold-hearted, killer instinct where we don’t care if things get hurt or upset and applied it to people?” she asks.
This level of deep analysis is likely to reveal new information, says Bell. In her view, we really don’t know what our organisations look like.
This approach means you can learn about new points of attack. For example, rather than directly attack a specific target, it might be possible to reach a target through one of their other relationships. A simplistic example might be compromising a CEO’s email by spear-phishing their assistant.
Dealing with user behaviour in a positive way is key according to Bell. For example, many of us are exposed to potential threats without even thinking about them.
“We need to make it OK for us to point these things out and say this looks exactly like the thing we should look for as malware,” Bell says, pointing out this will encourage positive behaviour.
Using this data-driven approach, Bell says it’s possible to accurately map the relationships between people and dynamically react when a new threat enters, as it’s possible to better understand who is being targeted and what data is actually at risk.
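The relationship-mapping idea behind the assistant-to-CEO example and the “who is targeted, what data is at risk” question above, as an added illustration that is not AVA’s code or data: a constructed map of people, mailboxes and documents is walked in both directions, so a defender can list the data exposed when one person is targeted and the people who are unseen points of risk for one asset.

```python
from collections import deque

# Constructed sample relationship map (not real organisational data).
# Each edge reads "source has access to / can act on target".
EDGES = [
    ("assistant", "manages calendar of", "ceo"),
    ("assistant", "reads", "ceo_mailbox"),
    ("ceo", "reads", "ceo_mailbox"),
    ("ceo_mailbox", "contains", "board_papers"),
    ("ceo", "reads", "board_papers"),
    ("finance_clerk", "reads", "payroll"),
    ("payroll_admin", "reads", "payroll"),
]
# Nodes that are data rather than people (assumed labelling for this example).
DATA_ASSETS = {"ceo_mailbox", "board_papers", "payroll"}


def build_graph(edges):
    """Adjacency list: node -> list of nodes it can reach directly."""
    graph = {}
    for src, _relation, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def reachable_assets(graph, person):
    """Breadth-first walk from a targeted person; returns {asset: shortest path}
    for every data asset reachable through that person's relationships."""
    paths = {person: [person]}
    queue = deque([person])
    at_risk = {}
    while queue:
        node = queue.popleft()
        if node in DATA_ASSETS:
            at_risk[node] = paths[node]
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return at_risk


def exposure_paths(graph, asset):
    """Every person from whom the asset is reachable, with the path: the
    'unknown points of risk' an org chart alone would not reveal."""
    result = {}
    for person in graph:
        if person in DATA_ASSETS:
            continue
        hit = reachable_assets(graph, person)
        if asset in hit:
            result[person] = hit[asset]
    return result
```

Feeding the map a newly reported target (for example a phished assistant) into `reachable_assets` gives the data at risk, while `exposure_paths` on a sensitive asset shows who, beyond its obvious owner, should be in scope for protection.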
“It's time to get closer to our people”.
This article is brought to you by Enex TestLab, content directors for CSO Australia.