Thursday 29 September 2011

The "Hollywood baddies" approach to security awareness

Training and education for staff who have security responsibilities as a key part of their role should be a standard approach, and given that the people in question are properly qualified to perform their role, they should either be reasonably conversant with their security requirements or certainly understand why they are needed. Security awareness training for staff who feel that security is not a key part of their role is always going to be a challenge. Security professionals will tell staff that security is everyone's responsibility, regardless of their role in the same way that a sales director will tell everyone that they are in the sales team.

Anyone in an organisation that allows physical or logical access to company assets or data that are not already publicly available has a responsibility to protect those assets. If you have access to email, intranet sites, printed material, verbally-communicated information or physical access to a site using an ID card, pin code, physical key or simply authorisation to use a door marked in a way to restrict access, then you need to know what security controls are in place and why. Only through an understanding of the risks that the organisation is trying to mitigate with the controls in place can staff really understand what their security responsibilities are.

Security is a dry subject at the best of times. In fact, well done for making it this far in this post. Staff need to be aware of where they can access and read security policies, how they should respond to requests for information from different parties and how to identify and report security incidents. Putting all this in a PowerPoint presentation with a load of links and technical information probably isn't going to help it sink in.

A good mechanism is to put the staff in the mindset that they have in their everyday lives outside of work and help them to apply those controls in work. Everyone considers information security on a daily basis, whether they know it or not. Everyone has their own assets they need to protect, such as their home and contents, perhaps a motor vehicle, the contents of their pockets or bag, including wallet/purse, mobile phone, etc. Everyone has their own controls in place to protect these assets, from simply being careful not to flash money or expensive phones around in public to locking their home or car, or any further security measures such as an alarm. People automatically understand why they have these controls: they do a little risk assessment in their mind to work out the probability and impact of unauthorised access to or loss of these assets and apply appropriate controls. Security awareness training that encourages staff to bring this attitude into the workplace is a good first step.

Using case studies is another good mechanism to put information security into context, and there are certainly plenty of horror stories out in the public domain of where poor information security has led to a data loss. Talking about a company that lost thousands of credit card details or a government department exposing millions of taxpayers' personal details are good examples of "these are things we don't want to happen in this company", but very quickly you might lose your audience, as they don't necessarily see the detail of the chain of mistakes that led to the exposure, and cannot subsequently apply it to their own role. You can be fairly sure, however, that all your staff watch movies and will be familiar with the plots of the more well-known ones. This is where I call on my "Hollywood baddies" Infosec awareness training.

Basic movie plot: bad guys want to do something bad, good guys need to stop them, bad guys initially seem unstoppable, good guys find a way to break the bad guys' plans, bad guys lose/die, good guys save the day/town/country/planet/universe, roll credits. It might seem formulaic, but it's only plot detail and dialogue that will subsequently set one movie apart from another (or just special effects in some cases). In many cases, the way that the good guys find to break the bad guys is by exploiting weaknesses in their information security, not always at the technological level; quite often it is in the area of security policy not meeting best practice or failures in process controls. It seems that any bad guys implementing best-practice information security would have been able to complete their dastardly plans and successfully defeat any attempts by the good guys to stop them.

I find that the best examples are films that are well known in the public consciousness, which almost everyone will have seen or at least know the outline of the plot. Box office blockbusters from a few years ago that have been out on DVD for a while and have probably been on TV a few times are a good bet. Here are some examples:

[SPOILER ALERT... Just in case]

Jurassic Park: A rogue sysadmin turns off multiple security and monitoring systems to steal dinosaur embryos and inadvertently releases live dinosaurs, causing havoc on the island. Malicious activity by insiders with access to critical assets is a typical risk, although more common issues arise from errors or ignorance rather than malice. In the case of people susceptible to coercion for financial benefit, a comprehensive pre-employment screening process helps to identify those who may be more agreeable to such an approach (and something which the owner of the park would surely want to do, given the nature of his business), but this is just the first step, and in this case the character in question is well paid and is simply greedy. The baddie in Jurassic Park was a single person in control of all IT systems, so there was no segregation of duties that might have limited the extent of the damage caused; a single person responsible for all administration holds too high a level of privilege for one individual and does not allow for job rotation or the avoidance of single points of failure. Talking of single points of failure, the resilience and recovery solutions in place were not sufficient for the risks involved. Even if the bad guy had got away with it, the impact of the incident could have been reduced significantly.

The Matrix: Computers enslave the human race, keeping them in an unconscious state to generate power from their biological energy whilst keeping their minds occupied with a virtual world (the matrix) that makes them believe they are really free and living in the real world. Our heroes manage to unplug themselves from the power system and plug themselves into the matrix in an attempt to free the human race. Quite often, characters in the film state that certain IT devices or mechanisms were "built for just one purpose", so clearly the machines don't think much of cloud solutions or Infrastructure-as-a-Service? The main missing security controls are thoroughly implemented access control, authentication and authorisation systems: the good guys manage to plug into the matrix from anywhere. Intrusion detection/prevention seems to have taken a dive too, as it takes the agents, the enforcement mechanisms of the matrix, a good while to locate and then attempt to remove the intruders. The good guys also have telephones dotted around the matrix that allow them to communicate back to their control point, or as I like to call them, Trojans. Clearly, malware protection isn't considered important in the future. A bit more thought to security and those machines could be happily recharging themselves from the human race indefinitely.

There are many more examples. Don't get me started on the bit in I Robot where they can get into the bad guy's HQ through the maintenance ducts which have unprotected entrances on the street, no monitoring or surveillance and lead directly to the critical areas of the building. What is this? The 1960s Mission Impossible TV Series principle of gaining access to any secure installation by turning up in a set of overalls and claiming to be coming to fix the air conditioning?

My personal favourite for a Hollywood Baddies infosec case study for security awareness is Independence Day. The aliens had a great plan to take over the Earth, had the element of surprise over us unsuspecting humans and certainly had more advanced technology to help them than we had. But once again, it's poor infosec that is their downfall. The reason I like this one so much is that it covers a multitude of infosec areas. I frame the plot as a company (the humans) who perform a piece of business (living on the Earth). The contract comes up for renewal and a competitor (the aliens) want to oust the incumbent supplier (kill the humans) and take over the business.

1. Firstly, the aliens make it all the way from their previous world to our moon and set off a powerful signal, clearly announcing their presence and taking the element of surprise away from their business plan. This data leakage gives the competition time to react and takes the edge off their competitive advantage.
2. The positioning of their ships above key global locations does not necessarily signal an intention to attack; they may simply want to say hello to all the world leaders at once. The combination of this with the signal being identified as a countdown to attack is enough for the good guys to take action. Using encryption in their transmissions would have masked this and not given the humans the heads-up. A serious breach of confidentiality there.
3. The authorities still aren't convinced though. However, the helicopter they send up to perform a close-encounters style light show gets blown out of the sky. This removes all doubt of the aliens' plans with still nearly half an hour to spare, giving our heroes plenty of time to escape. Whether this is a gunner with an itchy trigger-tentacle (escalation of privileges) or a ship commander who does not appreciate the need to keep their plans confidential (security integration into job roles), the intent of the aliens is now truly confirmed.
4. When the heroes get to Area 51, they discover that the Roswell UFO legend is actually a craft belonging to one of these aliens, clearly on some sort of data-gathering mission in the 1950s. Since the aliens came back, the ship has fired up and is fully functional. This raises a lot of questions around how the aliens perform asset management, client authentication, leavers process and a number of other security principles which should have rendered the craft inoperable once it had been lost. Clearly, there hadn't been any sort of process or asset audit in the last few decades that might have raised the issue of this lost craft.
5. When a live alien rears its ugly head, it starts shooting its mouth off (or brain, to be more accurate) about who they are, what they are doing and what their plans are for Earth. They say that loose talk costs lives, and in this case the information imparted is enough for the president to make the decision to increase the force used against the invaders. Clearly the aliens don't operate their own security awareness training to cover the importance of not disclosing confidential information in public. Whatever happened to "name, rank and serial number"?
6. Physical security clearly isn't a big concern of the aliens. Our heroes are able to fly the now operational craft straight in through the front door of the mothership unchallenged, with a large nuclear explosive device attached, and successfully dock right in front of the control room. That's like someone walking into your building without any ID, carrying a machine gun in plain view and sitting down next to the IT admins without anyone blinking an eye.
7. What are the chances of the aliens' IT systems and communication interfaces being completely compatible with those used on Earth? Fortunately, this was the case, and our heroes are able to successfully infect the systems that run the ships' forcefields with a virus. No anti-malware and most likely a poor vulnerability management process and patching regime are clearly to blame here, not to mention a clear lack of protection of critical systems from the user domain. Defence in depth is clearly another thing that didn't catch on with these baddies.
8. Finally, flying a plane into the main weapon of the spaceship not only destroys the weapon but the rest of the ship. Surely this would have come up as an issue during development and testing? A risk assessment should have pointed out that the shields alone are perhaps not a sufficient mitigating control as this ultimately leads to the defeat and destruction of the invading fleet.

There are, I'm sure, many more examples, but these are the key ones that I focus on as they cover a significant number of areas at a high level. As nice as it would be to spend an awareness session talking just about Independence Day, this is used just to frame the thoughts of the audience and put it into context with a familiar situation. These principles then need to be applied to the organisation and the required controls applied across the business - with references back to how not applying or breaching these controls turned out badly for the aliens.

Hollywood films are just one familiar scenario that can be used to get the point across, but I've found it a useful tool for justifying security controls to non-security people. I have been told that it was a very memorable session, and I even find people recommending my security awareness presentation to others, which surely can't be a bad thing.

Photo: Porbital

Friday 23 September 2011

Information Security vs Formula One Safety

Security is often considered a cost to the business, an overhead that they just have to begrudgingly accept. The pot of gold for any CSO is that magical Security Return on Investment calculation which will justify why the investment needs to be made. Security is a lot like insurance - you need to make the investment now to protect you from an event or events that may happen in the future. The benefit comes from demonstrating how the investment you make now in the controls to remove or reduce the impact of such events is less than the cost of handling the event without those controls.

If we were able to accurately predict, with significant certainty, what events were going to happen over the course of a year, how often they would occur and exactly what the cost to the business was going to be, then security budgets would be both easy to calculate and easily justified. Sadly, there is a significant amount of uncertainty, which can lead to an attitude of "we'll worry about it when it happens".

One of my favourite analogies is to consider security like the brakes on a car. A number of people use this example to demonstrate why security should be integrated into any solution from the beginning and why it should not simply be an optional extra tacked on at the end. It can also be used to address attitudes to security and the importance of a well-prepared and executed risk management and security plan to justify security investment. I like to take this example and expand it to compare security investment in business to safety investment in motor racing... In this case, motor racing and, more specifically, Formula One.

The immediate reaction is that the brakes on a car are the things that slow it down and bring it to a stop, which can be the perception of security from a business. However, the brakes are the elements that allow a car to travel fast as the driver knows that the brakes are there when they need them. How fast would a Formula One driver really want to go down the straight if they knew that there were no brakes available as the corner approaches? The brakes enable the car to go fast in the knowledge that when the driver needs to slow down for a corner or to avoid a hazard, that they can do so easily. Lap times are therefore far quicker with brakes than if they were to attempt a lap without them.

That doesn't of course mean that Formula One cars won't ever crash; we know that still happens. The brakes aren't the silver bullet to remove all problems, and some might see Security as needing to be just this. The brakes help to ensure that, in most circumstances, in the event of an incident the impact (in more than one sense of the word) is reduced and recovery is quicker. Brakes on the car are only one of the protection mechanisms in place. The design of the car, the driver's clothing and all the many monitoring capabilities that the team has to assure the health of the car are all controls to protect the driver.

The driver is not the only asset that needs protecting; the team's reputation also needs to be considered. Who will want to drive for or sponsor a racing team if its cars have a really bad safety record? This isn't just about winning races and beating competitors, it's about protecting assets. A key point to make here is that the justification of spend to reduce risk needs to be assessed on all assets, including people and reputation, not just IT and data.

This analogy could go on for quite a while and become even more multi-faceted, but I'll rein it in here in an attempt to get to the point. Formula One teams spend a lot of money on safety to ensure that their drivers are protected; the money they spend is offset against the ability the car and driver have to drive fast and win a race, collecting prize money and more sponsorship deals. Knowing which safety measures to implement will be based on a risk assessment of the likelihood and impact of events that might affect their ability to win races. By analysing previous incidents, the performance of their own and other teams, and by continually monitoring the state and health of their cars when racing, they can make smart investments, win races and increase revenue.

This is the same for any business. To be successful, they need to look at what the assets are that they need to protect, including data, information systems, infrastructure, buildings, people and the reputation of the organisation. They then need to ensure that they understand the threats to those assets, the probability of that threat causing an incident and the impact it will have on the business - any information on past incidents within their own company or at other companies will aid this assessment and should also be used on an ongoing basis to gauge the effectiveness of any implemented controls. The required security investment must be made to clearly meet the output of this assessment in the form of defined controls, technical or procedural, that will reduce the chance of an incident occurring, reduce the impact of an incident if it occurs and allow the business to recover as quickly as possible.
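The comparison this post keeps returning to (the cost of controls now against the expected cost of incidents without them, and a check of that model against the incident history) can be written down as a small calculation. The following is an added worked example, not code from the original post: it models each asset/threat pair as a single loss expectancy (SLE) times an annualised rate of occurrence (ARO), lets a control scale either the chance or the impact, and reports the return on the security investment. All the asset names, costs and rates in it are constructed for illustration, and the `observed_aro` check is an assumption about how past incidents would be fed back into the assessment.

```python
"""Annualised loss expectancy (ALE) and security return on investment (ROSI).

Added worked example. Every figure below is constructed for illustration and
does not come from any real risk assessment.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass
class Risk:
    """One asset/threat pair from the risk register."""
    asset: str
    threat: str
    sle: float  # single loss expectancy: cost of one incident
    aro: float  # annualised rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass
class Control:
    """A technical or procedural control with an annual cost.

    aro_factor < 1 reduces the chance of an incident; sle_factor < 1 reduces
    its impact. A factor of 1.0 means the control leaves that dimension alone.
    """
    name: str
    annual_cost: float
    threats: FrozenSet[str]  # which threats in the register this control addresses
    aro_factor: float = 1.0
    sle_factor: float = 1.0


def residual_risk(risk: Risk, controls: Iterable[Control]) -> Risk:
    """Apply every control that covers this threat; factors combine multiplicatively."""
    aro, sle = risk.aro, risk.sle
    for control in controls:
        if risk.threat in control.threats:
            aro *= control.aro_factor
            sle *= control.sle_factor
    return Risk(risk.asset, risk.threat, sle, aro)


def total_ale(risks: Iterable[Risk]) -> float:
    """Sum of annualised loss across the register."""
    return sum(r.ale() for r in risks)


def rosi(risks: list, controls: list) -> float:
    """(annual loss avoided - annual cost of controls) / annual cost of controls.

    A value above 0 means the controls cost less than the loss they prevent,
    which is the justification the post describes.
    """
    cost = sum(c.annual_cost for c in controls)
    before = total_ale(risks)
    after = total_ale(residual_risk(r, controls) for r in risks)
    return (before - after - cost) / cost


def observed_aro(incident_count: int, years: float) -> float:
    """Re-estimate a rate from the incident history (assumed feedback step).

    Comparing this against the modelled residual ARO is one way to gauge
    whether an implemented control is performing as the assessment assumed.
    """
    return incident_count / years


# Constructed register: two assets, two threats.
RISKS = [
    Risk("customer database", "external breach", sle=500_000.0, aro=0.2),  # ALE 100,000
    Risk("staff laptops", "loss or theft", sle=5_000.0, aro=4.0),            # ALE  20,000
]

# Constructed controls: one reduces the chance of a breach, one reduces the
# impact of a lost laptop (the hardware is still gone, the data is not exposed).
CONTROLS = [
    Control("patching and web application firewall", 30_000.0,
            frozenset({"external breach"}), aro_factor=0.5),
    Control("full-disk encryption", 8_000.0,
            frozenset({"loss or theft"}), sle_factor=0.2),
]

if __name__ == "__main__":
    for risk in RISKS:
        after = residual_risk(risk, CONTROLS)
        print(f"{risk.asset:18} ALE before {risk.ale():>10,.0f}  after {after.ale():>10,.0f}")
    print(f"ROSI: {rosi(RISKS, CONTROLS):.2f}")
    # If three laptops went missing in the first nine months after deployment,
    # the observed rate (4.0/year) matches the modelled ARO, so the control is
    # behaving as assessed: it was meant to cut impact, not frequency.
    print(f"observed laptop loss rate: {observed_aro(3, 0.75):.1f} per year")
```

With the constructed figures the register costs 120,000 a year before controls and 54,000 after, for 38,000 of control spend, giving a ROSI of roughly 0.74: the controls return more than they cost, which is the sort of output that turns "we'll worry about it when it happens" into a budget line. The same structure works for non-IT assets (people, buildings, reputation) as long as an SLE and ARO can be estimated for them, which is the point the post makes about assessing all assets.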

Any Formula One team that makes Safety an afterthought will have the same problems as any business that makes Security an afterthought.

Photo: Pete Keen