Dress Like A Gnome: 6 Security Training Essentials

Published: 22/11/2024   Category: security




Offer home security clinics, make security messages fit for Twitter, and don't be afraid to dress up, say Infosecurity Europe presenters.



LONDON -- Infosecurity Europe 2014 -- System security is getting better, so attackers are going after a softer target -- people.
Security awareness was a key theme at the Infosecurity conference last week, as speakers and other experts offered their views on how to improve training and education programs.
"What's happened over the last 10 years is the operating system that the adversary is going after has really changed," Eric Cole, chief scientist at Secure Anchor Consulting and a SANS Institute instructor, said Thursday during his induction ceremony into the Infosecurity Europe Hall Of Fame. "If you put enough energy and effort in, you can secure those operating systems -- lock them down, turn off services, patch them -- and we've done a good job of that."
"Now, what operating system is the adversary targeting?" he said. "It's very hard to secure... and hard to patch."
That predicament has led some information security experts, such as Bruce Schneier, to propose more drastic measures, arguing that security training simply isn't salient for nonsecurity experts, because they won't ever really learn. From a big-picture standpoint, furthermore, Schneier has argued that, if engineers designed their software better, people wouldn't have to learn.
Until that happens, information security professionals are left with a triage situation, as many speakers at last week's conference readily acknowledged. To help, they offered the following six strategies:
1. Seek Twitter-like brevity.
Participants from both sides of the pond agreed that attempting to educate users, and to keep them extra vigilant about the types of social engineering attacks that continue to compromise so many organizations, remains challenging. For starters, Andy Jones, CISO of the global container company Maersk Line, said during a panel discussion that effective security messages must find ways to be both direct and brief. "I want my message [to be relayed] in 140 characters. I want a Twitter-type awareness."
2. Unleash the gnomes.
One creative -- and reportedly successful -- user-education approach practiced by Lee Barney, head of information security for Home Retail Group, a leading UK home and merchandising retailer, has been to dress up his information security staffers as gnomes.
Barney said these security gnomes are then placed at strategic locations around the office and used to deliver this line: "Hi, we're from security, talk to us." Cue a training opportunity -- for example, how to spot and avoid phishing attacks. After trying this approach, Barney said, his company launched a fake phishing attack spot test, and no one fell for it. "We had a 100% success rate," he said. "Not right away, but a few weeks later."
3. Offer drop-in home security clinics.
On the user-education front, Michael Colao, head of security for the investment firm AXA UK, recommended during a panel discussion that information security departments hold regular sessions for employees to pose personal information security questions, such as those pertaining to home security or parental controls "that your 12-year-old can't get past in four minutes."
The bigger benefit, he said, is that this type of computer security transfers to people's day jobs. "If you are talking about the steps you have to take to protect your home computer, it's weird, but it's actually quite similar to the steps you have to take to protect your work computer."
4. Play big brother to developers.
Security training can also be supplied to in-house IT staff, of course. For example, it can help developers write more secure code. According to research recently conducted by White Hat, however, inside organizations that emphasized secure coding practices, training alone didn't result in web application developers writing more secure code. Developers needed to know that their managers would also be reviewing the code they wrote, White Hat founder and interim CEO Jeremiah Grossman said in an interview at the conference.
"It came down to accountability. If the developers were accountable for the code they wrote, then they'd get something out of training," he said.
5. Rethink business questions.
Per Schneier's comment, the best approach to security awareness and training is to design security systems that don't require users to think about security. To help make that happen, AXA UK's Colao said, information security teams must take security-related requests from the business side of the house and then extrapolate the question that would have been asked if they'd been security experts.
For example, at an investment bank for which he used to provide security, and which had a small number of customers, the business team asked the security group what password policies it should use to allow partners to log into the investment banks systems. Taking a step back, Colao said, his group proposed and then implemented a system based on digital certificates.
What was the benefit? "I went once to one of our partners, and there on the wall were all of the main investment banks, and the company's passwords [for logging on to each one], except for ours, because they had a certificate instead," he said. "But if we'd answered the question that the business had originally asked... we would never have gotten there."
6. Lock down Office.
The reality today is that the security of so many systems still succeeds or fails based on user decisions, and users won't always make the right decision. As a result, businesses must look beyond training as a be-all and end-all, said Infosecurity Europe inductee Cole. "We have to do a better job of not allowing the adversary attack effort to make it directly to the person," for example by blocking today's four most prevalent phishing attack strategies: executable attachments sent by email, macros in Office documents, active scripting, and HTML content in emails.
Thankfully, blocking those types of attacks doesn't mean preventing users from employing email or Microsoft Office altogether. Rather, it involves excising specific types of high-risk functionality. "How many of you need that asset from the Internet in order to run your organization?" he asked, referring to the four types of functionality noted above. "It's typically 1%. So if 1% of us need that, and that's the main vector that adversaries are targeting, then why aren't we shutting it down?"
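As an added example (not code from the article or from any of the speakers), the following Python script shows what Cole's "shut it down for the 99%" policy looks like at a mail gateway: it parses an inbound message with the standard library, reports which of the four high-risk vectors it carries (executable attachment, macro-enabled Office document, active script, HTML body), and quarantines unless the recipient is on an explicit allow list standing in for the 1% who need the functionality. The extension lists, the allow list and the sample messages are all constructed for the demo and are assumptions, not part of the original article.

```python
"""Mail-gateway policy check for the four phishing vectors named above.

Added example, not from the article. Parses an RFC 822 message and reports
which high-risk content it carries so a gateway can quarantine or strip it.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Constructed lists (assumptions): extensions Windows runs directly on open,
# and Office formats that can carry macros (legacy binary formats included).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".ps1", ".hta", ".msi"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm",
              ".doc", ".xls", ".ppt"}
EXECUTABLE_CTYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Active-script markers inside an HTML body: script tags, inline event
# handlers, javascript: URLs.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

# Constructed allow list: the "1%" of mailboxes that genuinely need the feature.
ALLOWED_RECIPIENTS = {"malware-lab@example.invalid"}


def classify(raw: bytes) -> set:
    """Return the set of high-risk vectors present in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        # splitext keeps only the final extension, so "invoice.pdf.exe" is .exe
        ext = os.path.splitext(filename)[1]
        if ext in EXECUTABLE_EXTS or ctype in EXECUTABLE_CTYPES:
            findings.add("executable_attachment")
        if ext in MACRO_EXTS:
            findings.add("macro_document")
        if ctype == "text/html":
            findings.add("html_body")
            if SCRIPT_RE.search(part.get_content()):
                findings.add("active_script")
    return findings


def decide(findings: set, recipient: str) -> str:
    """Quarantine anything carrying a vector, unless the recipient is allow-listed."""
    if not findings:
        return "deliver"
    if recipient in ALLOWED_RECIPIENTS:
        return "deliver"
    return "quarantine"


def build_sample(attachment_name=None, html=False, script=False,
                 to="user@example.invalid") -> bytes:
    """Construct a sample message for the demo (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = to
    msg["Subject"] = "Constructed sample"
    msg.set_content("Plain text body.")
    if html:
        body = "<p>Hello</p>" + ("<script>void 0</script>" if script else "")
        msg.add_alternative(body, subtype="html")  # becomes multipart/alternative
    if attachment_name:
        # 16 null bytes stand in for the attachment payload
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "plain": build_sample(),
        "double extension": build_sample(attachment_name="invoice.pdf.exe"),
        "macro doc": build_sample(attachment_name="report.docm"),
        "html with script": build_sample(html=True, script=True),
    }
    for label, raw in samples.items():
        found = classify(raw)
        print(f"{label:18} {sorted(found)} -> {decide(found, 'user@example.invalid')}")
```

The recipient check is deliberately a strict allow list rather than a per-user opt-out: the point of the policy is that the default for everyone is "blocked," and only a named, reviewed population gets the risky functionality back.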
