Teaching Security to the Ungeeky: Convince them it Matters

by LisaVaas 11-04-2012 12:01 AM - edited 03-09-2012 07:56 AM

Think security's too technical to teach to everybody? Think again.

That misperception leads to a plague of problems, from USB-introduced viruses, to spending a fortune on fixing products after they’ve shipped. In this, the first in a series on teaching security to the nontechnical, we start with converting the security heathens.

It was a ridiculous, old-school, client/server application. It moved money around internally, completely unencrypted — lots and lots of money: this was a huge financial services firm.

This wasn't in the dark ages, mind you. This wasn't pre-Internet. It was only two or three years ago.

Without encryption, anybody who knew where to put a network sniffer could intercept that traffic and do nasty things, such as spying on other network users, or pocketing passwords and other sensitive information.

What makes it even more baffling is that the fix would have been as easy as pie: turn on SSL, and the problem goes away (or, at least, intercepting data gets a lot harder).

But no, there was no encryption. The thinking went along the lines of, "The network's internal. It's more important that we secure externally facing resources, like our Web site."
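The unencrypted client/server traffic above is easier to show than to tell. The Go program below is an added example, not code from the article or from Safelight: it runs a tiny loopback "ledger" server twice, once over a bare TCP socket and once with the same socket wrapped in TLS (the "turn on SSL" fix), and records what an observer on the wire would have captured in each case. The server, the constructed TRANSFER message with its password, the throwaway self-signed certificate and the 127.0.0.1 address are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed sample request, modelled on the internal money-moving traffic in the article.
const sampleMessage = "TRANSFER from=ACC-1001 to=ACC-2002 amount=250000 password=hunter2\n"

// tapConn records every byte the client puts on the socket: the sniffer's view of the wire.
type tapConn struct {
	net.Conn
	wire bytes.Buffer
}

func (t *tapConn) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedConfigs builds a throwaway server certificate and a client config that trusts only it (assumed stand-in for an internal CA).
func selfSignedConfigs() (server, client *tls.Config) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // freshly created above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	server = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}}}
	client = &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}
	return server, client
}

// runExchange sends sampleMessage to a loopback server, in the clear or over TLS, and returns the wire bytes and what the server received.
func runExchange(useTLS bool) (wire []byte, received string) {
	srvCfg, cliCfg := selfSignedConfigs()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	got := make(chan string, 1)
	go func() { // the server: accept one connection and read one request
		c, err := ln.Accept()
		must(err)
		defer c.Close()
		if useTLS {
			c = tls.Server(c, srvCfg)
		}
		buf := make([]byte, 1024)
		n, err := c.Read(buf)
		must(err)
		got <- string(buf[:n])
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	tap := &tapConn{Conn: raw}
	var conn net.Conn = tap
	if useTLS {
		conn = tls.Client(tap, cliCfg) // same socket, now wrapped in TLS: "turn on SSL"
	}
	_, err = conn.Write([]byte(sampleMessage))
	must(err)
	received = <-got
	conn.Close()
	return tap.wire.Bytes(), received
}

// exposesSecret reports whether the captured wire bytes carry the password in the clear.
func exposesSecret(wire []byte) bool {
	return bytes.Contains(wire, []byte("password=hunter2"))
}

func main() {
	for _, useTLS := range []bool{false, true} {
		wire, received := runExchange(useTLS)
		fmt.Printf("tls=%-5v delivered=%v password_visible=%v\n", useTLS, received == sampleMessage, exposesSecret(wire))
	}
}
```

In the plaintext run the recorded wire bytes are the request itself, password included; in the TLS run the server still receives exactly the same request, but the wire carries only a handshake and encrypted records. Two points worth making to trainees: the client pins the server certificate rather than skipping verification, because a client that accepts any certificate is sniffable by anyone who can stand in the middle, and encryption on the wire says nothing about the two endpoints themselves, which still need their own controls.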

Rob Cheyne has heard plenty of misperceptions like that. He's heard that security will add more work to people's days, that it adds too much time to product development, that security is somebody else's job, and that nontechnical people can't learn security because it's too complex or technical.

Cheyne is the CEO of Safelight Security, a security education company. He's worked with hundreds of companies worldwide, and he's taught security to everybody in those organisations, from IT staff to call centre crew, middle management, software architects, upper executives, and product managers.

I talked with Cheyne recently about how to teach security to the non-technical — and also to the technical, for that matter. He has a six-step process, the first step of which is to convince your trainees that security is important. What follows are his suggestions for how to do that.

(I'll be covering the other steps in subsequent articles, such as imparting a dose of hacker mindset, debunking security myths, giving demonstrations of real-world attack scenarios, teaching security fundamentals, offering specific actions to take for different roles in the organisation, and customising training for those roles. Stay tuned.)

Discuss Real-World, Industry-Relevant Security Incidents

Cheyne suggests describing three or four incidents that have happened to companies in the same industry as the organisation that's receiving the training. 

Say you're conducting security training at a retail company, for example. The TJX breach of 2006-2007 would be a prime example to show how the industry is a valuable target to criminals: by the end of March 2007, the number of customer records downloaded by intruders, including credit card numbers, social security numbers and driver's license numbers, exceeded 45 million. The breach was possible because of an unsecured wireless network in one of the stores.

Most industries have their TJX.

Discuss What Attackers Would Go After

When Cheyne visits a client's site, he likes to indulge in a hobby that's common with security professionals: screwing with security. He's typically issued a badge to enter the building, but he likes to try to get in without presenting it. "I pretty much succeed 100% of the time," he said. "Once in, nobody's going to notice me. Then I get to break all the assumptions they had about their security model."

Your trainees will hopefully already have good ideas about what attackers would target in their organisation, but this kind of exercise can help prime the pump. Cheyne also uses interactive computer games where users step through a virtual office and click on security risks: unlocked computer screens, open office doors, bins full of sensitive documents.

Explain What's at Stake

Examples: Their business. Their reputation. Compliance failure. Resulting regulatory fines. Costs to investigate, mitigate, and provide identity theft protection.

You might well get pushback. Cheyne, when bringing up the TJX breach, has had to address the fact that the company's stock didn't suffer. But that's because they did things right, he said. It involved plenty of work and expense: TJX's costs had ballooned to £160 million by August 2007, according to The Boston Globe.

Wash, Rinse, Repeat

I asked Cheyne if, years after he'd conducted security training, the huge financial services company ever fixed the client/server application that was shuttling unencrypted financial data around.

He said he wasn't sure, but he kind of doubted it.

"It's recent enough that they haven't fixed it yet," he said.

But assuming that the security training was effective, and assuming that he had convinced the trainees that security was important, you'd think that they'd have taken care of such a problem, right?

"Well, some people kind of get it, and some kind of don't," he told me. "Some do, but it's typical for large companies to have a changing of the guard, and then they go back to not getting it."

The moral of the story? Convincing people that security matters isn't a one-off challenge. Expect to repeat yourself.

Editor's note: Check out Lisa's entire six-part series: 

  1. Convince them it Matters
  2. Instilling a Hacker’s Mindset
  3. Debunking Security Myths
  4. Demonstrate Real-World Attacks
  5. Security Fundamentals
  6. tba

Comments
by Guy Eastwood (anon) on 11-04-2012 03:48 AM

If you don't know what it is don't open it
If you don't know what it does don't run it
If you don't know where it's from ignore it

by on 11-04-2012 03:50 AM

Very valid points made by Lisa Vaas

by Guy Eastwood (anon) on 11-04-2012 03:50 AM

Oh, and probably...

If your aunt Edith wouldn't normally send you emails about a Chinese earthquake, it's probably not from her.

:o)

by Don McArthur (anon) on 11-04-2012 07:15 AM

Hmm, far as I know, there has never been any solid evidence that user education has ever worked. Very few users need a general purpose computer, and an even smaller percentage can use one safely. Give them iPads, instead.

by Angel Wardriver (anon) on 11-04-2012 07:31 AM

It's been my experience that too many people don't want to learn when they can depend upon their geeky family members to rescue them. As that geek on 24/7 free tech support, I've been tempted to put parental controls on adults' computers so they can't do anything wrong and need to call on me again. ;-)

by Meg Tufano (anon) on 12-04-2012 01:17 AM

I read an article in The Atlantic Monthly that was exactly about what this article wants to make people more aware: what happens if you get hacked? Heavens, I had no idea. So, at least I use different passwords and have two-stage (is that the term?) access to Google. When I read the article, I realized how bad things could get (taking over your companies, your websites, all of that). Why take a chance like that when there's a lot you can do to protect yourself.

The HP Input Output site is sponsored by HP and features articles and content from HP and third-party contributors. Third-party articles and content, while paid for by HP, do not necessarily represent the views and opinions of HP. HP does not endorse this content and is not responsible for its accuracy, availability and quality.
