In August 2008, the DEFCON security conference held its 16th session in the Riviera hotel in Las Vegas, Nevada. Among the litany of brilliant talks on computer security was a 30-minute presentation by Renderman on the topic of attacking client computers rather than servers. It was dubbed “How shall I pwn thee, let me count the ways” and it covered attacking an employee through his network connection, software, and Bluetooth. It was very well received.
I was in the audience for that talk. It was eye-opening; at the time, in my experience, the industry was emphasizing hardening infrastructure against attacks coming from outside companies’ walls. The point Renderman made clear, at least to me, was the ease with which one could compromise employee devices while they are in transit and the ease with which, once back in the office, these compromised devices could be used to access resources that are difficult (if not impossible) to attack from the outside. That same year, I began providing security awareness coaching to my clients, both individuals, and groups. These mostly-informal, 15-minute sessions with employees attempted to convey the fact that one needs to be mindful of the risks inherent to using technology while not being paralyzed by the fear of compromise. When we started offering security awareness training sessions at Kudelski Security, I was delighted to be given the opportunity to contribute to what I think is a cornerstone of corporate security. If our people don’t know how they can be attacked, how can we expect them to defend themselves?
Security awareness coaching is an art rather than a science: you are trying to convey the notion of good security hygiene to people that may not be intimately acquainted with technology, let alone security. As well, more often than not, the people who you are trying to coach are busy and stressed, on top of being confused by the topic of information security. One approach that I think helps in these sessions is to share my experiences as a pentester, to provide concrete examples of what constitutes risky behavior before discussing best security practices for employees to follow.
For example: if during a security engagement, we find an insecure guest Wi-Fi access point, we may try to capture employee password hashes by injecting malicious HTML tags in web traffic. Though one could make a point that the infrastructure, in this case, would greatly benefit from some hardening, what could an employee do to avoid risk? There are several good practices here: the employee could, for instance, choose to use the encrypted corporate access point rather than the guest access point. Using the guest access point with the corporate VPN could also be a viable alternative. If the employee knows how to differentiate between an encrypted and an unencrypted WiFi network, then this could make the difference between an attacker gaining access to the employee’s sensitive e-mails or not.
One challenge that security awareness trainers face is that of producing updated, relevant content. For example: in 2017, ransomware was a dangerous – and rather endemic – family of malware that affected hospitals, police stations, home users and companies alike. Then, in 2018, ransomware infections took a sudden dive. Is this due to the invention of a miraculous counter-measure that drastically improved computer’s defenses against ransomware? Sadly, no. Attackers realized that it was much simpler and more lucrative to run cryptominers and moved away from ransomware. Trainings should, therefore, focus on how to help users identify cryptominers. If your employees fail to see the relevance of their training, they are unlikely to pay heed to it.
A venerable figure in the infosec community once said that security is a process, not a product. We cannot buy a turn-key solution that magically transforms our infrastructure into an impenetrable fortress. We must make do with a judicious mix of hiring the right people to secure our networked services, acquiring (and tuning!) products that help us eliminate threats, and educating our staff to be sensitive to computer-related threats. This is by no means an easy task; however, it is a vitally important one and success depends on following best practices in all three areas instead of devoting energy to only one.