The most neglected part of security is the human factor – and yet it’s also the most vulnerable. Several of the speakers at the recently held IRISSCON cyber crime conference riffed on this recurring theme throughout the day–long event. “Social engineering a human is more effective than getting malware onto a computer,” said Bob McArdle, manager of Trend Micro’s forward looking threat team.
Now in its seventh year, the conference gathered close to 300 delegates in Dublin – testament to the growing interest in security among Irish technology decision makers. They heard Lance Spitzner, training director at the SANS Securing the Human initiative, make a compelling case that although Microsoft has made improvements to its operating system with the aim of improving security, businesses haven’t made similar progress with the human operating system.
Training people to take more precautions with their organisation’s data is a very effective way of strengthening security, but many businesses don’t raise user awareness in the right way. Spitzner poked fun at a classic infosec attitude – “People say ‘Lance, you can’t patch stupid’,” he joked – but he contended most people are in fact motivated to do the right thing where security is concerned. “Motivation in general is not the issue, it’s ability. Passwords is the classic example,” he said.
Instead, Spitzner said security professionals are “doing it all wrong” in how they’re delivering the message. Many security pros suffer from what he called “the curse of knowledge”, where their expertise works against their ability to articulate security messages clearly to non–technical colleagues. “Most awareness programmes fail not because of what we communicate but how we communicate it,” he said.
He said once–a–year awareness efforts might satisfy compliance requirements but they aren’t sufficient to embed a security mindset in an organisation’s culture. “It needs to be ongoing. A lot of times, awareness programmes seem random. A mascot, logo, tagline or an emblem can help create a sense of a whole campaign – that it’s part of something larger,” he said.
One step Spitzner suggested was to hand over the communication role to non-technical individuals like marketing executives or salespeople, who he said are best placed to talk about the importance of good online behaviour and safeguarding vital data in a way that people can understand.
The human factor featured strongly in the presentation by Jenny Radcliffe, a social engineering expert. In a thought–provoking talk about how “people hacks” are increasingly getting personal, Radcliffe urged the audience to take their organisation’s temperature and to watch for unhappy employees who could be tempted to steal secrets, divulge data or facilitate hacks. “Measure disenchantment in your organisation. There are clues in your organisation,” she said. “Everyone from Snowden down was disenchanted.”
Rik Ferguson, VP of security research at Trend Micro, introduced the idea of how technology is disrupting business models from manufacturing and mobile to the Internet of Things and Augmented Reality. “We tend to think of this as a security thing, but it’s an industry thing and a life thing. Attackers are going to look for the joins between services and the weak points of leverage,” he said. “Mobile offers multiple entry points into an organisation, yet it’s probably the least secured endpoint device – it’s still widely ignored.”
Ferguson said he also expects to see an increase in the threat of identity theft as Virtual and Augmented Reality take hold. The Internet of Things is another evolving area of attack. Ferguson’s company Trend Micro has forecast that an IoT-related compromise will result in a death by 2016.
The problem is that these technologies make their way into the mainstream without having been developed with security in mind. “It’s a huge can of worms – how do we retrofit security into that world?” Ferguson asked.
Expanding on this idea, Claus Cramon Houmann, the security blogger and backer of the I Am The Cavalry movement, said: “Our dependence on technology is growing faster than our ability to secure it. When you hear the word ‘connected’, you can replace it with ‘vulnerable’ and ‘soon to be hacked’.” I Am The Cavalry is a volunteer movement that aims to promote better security practice not just within IT circles but to encourage greater sharing of ideas between researchers, thinkers, lawyers, policy makers and makers of connected devices. “We want to achieve built-in security, not bolt-on security,” Houmann said.
There was a similar call for collaboration by Inspector Michael Gubbins, who leads the computer crime investigation unit at An Garda Siochana, the Irish police force. He also called for closer networking between interested groups in order to gather better intelligence about the nature of threats that businesses face. One such threat his office has seen is CEO fraud. “It’s not news,” he pointed out. “It used to be by fax and phone. Now it’s by email.”
Technical solutions are still absolutely necessary to combat cybercrime, but in an entertaining talk about measuring risk, Publicis Groupe CISO and award-winning security blogger Thom Langford asked who in the audience would be the first organisation in the room to switch off their antivirus. That provocative question stemmed from combating an organisational culture that’s based on the attitude “that’s how we’ve always done it.” Added Langford: “You won’t change behaviour because you’re looking at risk wrongly. Why are we securing laptops when it’s the data that is what’s valuable? We should of course be concentrating on encryption. We should focus on the real risks.”
The solution, he suggested, is to take a flexible and evolving approach to understanding risk. “It means that your risk team and your technical team need to work far more closely together. That way, Black Swan events – which is what DDoS used to be 15 years ago – become commodities.”
DDoS attacks fell firmly into the ‘commodity’ category in the latest annual results from Irisscert, Ireland’s voluntary computer emergency response team. Announcing the findings at the conference, Irisscert founder Brian Honan revealed there was a massive spike in reported incidents during 2015: 26,137 compared to 6,534 in 2014. More than a quarter of these incidents (26%) involved criminals compromising systems belonging to Irish organisations in order to attack servers in other countries. Ransomware was also very prevalent, and Honan urged organisations not to pay the criminals who attempt to extort money.
Whatever the combination of risk management, technology and security awareness training, the increase in threats outlined at IRISSCON 2015 suggests more busy times ahead for security professionals.