Cyber Security Awareness Month is a time when many organizations run their internal security awareness programs for employees, and the time that those of us in the security industry are encouraged to help raise awareness of cyber threats with friends and family using tools like SANS’ most excellent OUCH! newsletter. While I think those are great things to do, I propose we consider some new traditions for CSAM. We should apply effort to raising awareness in populations that are more significant points of leverage than rank and file employees, in order to maximize security improvements. These are communities that we typically do not consider the primary targets for CSAM, such as:
- IT staff, including developers, architects, engineers, network, database, and systems admins
- Infosec staff
- Internal audit staff
In my experience, the most common root causes and significant contributing factors of security incidents is poorly designed IT environments that are designed, implemented and operated by people that don’t understand how technology can be, and indeed is being, abused. Let’s consider phishing for a moment. While training employees to recognize phishing emails is beneficial, it should be intuitive that, over time, people WILL fall for phishes occasionally, and blaming an ensuing breach on an employee’s failure to recognize a phish is not helpful. In addition to training employees to recognize phishing emails, we should also provide ongoing training to the IT staff that design and operate the mail, workstation, and network environments to understand these how these attacks work, new techniques, prevention mechanisms and detection strategies. Phishing, of course, is just an example and there is much to learn and stay on top of across the infosec spectrum.
I’m not aware of any such training that is readily available in the format I’m describing, so this is an aspirational idea, not necessarily something we can run out and implement tomorrow. A good, and usually free, source for this are security conference videos. As much as I like them, though, they are not the mot efficient means of getting an overview across a broad set of topics. I do suspect we can tailor the content to roles. For instance, developers and network administrators likely won’t benefit from some of the same types of information on attacks.
Training needs to be ongoing, too. Tactics and threat actors evolve. The continuing education model of certifications seems like a good avenue for keeping people accountable, however the things counted as “continuing education” can be more than a bit dubious. Another trap to watch out for is “training” provided by infosec vendors, such as webinars, that are effectively just marketing vehicles for the vendors’ offerings. Remember that vendors are in the business to sell, and part of doing that is to convince us that a) we have a problem that they can solve and b) they can solve our problem better/faster/cheaper than anyone else.
I am not proposing that we make these groups of people experts in offensive security tactics, but rather that we provide a periodic, up-to-date overview of how adversaries use those tactics so that our employees will be able to make more informed decisions when performing their jobs, in the same way that we expect regular awareness training to help an employee identify a phishing email.