
No Infosec Sacred Cows

July 20th, 2012

We have sacred cows in infosec, apparently. I read a blog post by Dave Aitel about security awareness yesterday that I really enjoyed – he took a very bold stance on a topic that everyone seems to have an opinion about. His argument? Security awareness is useless. Ditch it, and spend your time and money on technologies and techniques that actually control what users can do and what can happen to them.

Is he exactly right? No, probably not. But he took a stance, and got some thought-provoking dialogue going. What was incredibly disconcerting to me, however, was the vitriol people started spewing in the comments – how DARE he propose such a thing?! I tried commenting on the post but I think CSO flagged it and didn’t let me, and I was probably being a bit acidic in my comment, as well, but for different reasons. So a few things shook out; in essence, here’s what I was trying to say:

  1. People, don’t be LEMMINGS. I saw a lot of people who were puffing out their chests as “leaders” in the infosec space spewing garbage about “people, process, technology” like they were attached to Shon Harris’ rear-end after having a love fest with her CISSP study guide. C’mon, just because it’s one of the “10 domains” doesn’t mean you have to evangelize.
  2. Most security awareness programs SUCK. I would be willing to bet the majority of the awareness proselytizers on the thread are doing the same old crap with some stupid Web-based Flash thingie that people click through as fast as they can, and a little printout goes in their HR folder of whatever. UGH. That doesn’t work, never has, and never will.
  3. Given that most programs suck, what is wrong with a contrarian view? Start a conversation on new methods of security awareness and protection, but don’t demonize Dave (who has likely seen more overall than most posters) for having the balls to suggest that something BLATANTLY NOT WORKING for most should be canned.

I generally think security awareness is ridiculous. Sure, sure, you need that compliance checkbox that asks for it. And OK, you have to TRY, I get that, too. But sometimes, we seem to cling desperately to ancient ideals and practices in this field that just might have run their course. I’m not ready to say security awareness is one of them... yet. But we can and should try to improve it, across the board, or find something else to do instead.

Categories: Information Security, Rants
  1. Infosec Professional
    July 20th, 2012 at 08:23 | #1

    I believe the main issue is that that article came off as a rant with a very shallow analysis.

    @Jack_Daniel said what I am pointing out above much better:

    RT @jack_daniel: Glad all of our problems, and their solutions, are binary. Otherwise we might need to deal with nuance and context

    That’s right, a RT in a blog comment. I also use # in Facebook postings…

  2. CG
    July 20th, 2012 at 08:27 | #2

    nailed it.

  3. @rudehimself
    July 20th, 2012 at 09:04 | #3

    I would never shoot down someone for taking a stance. I don’t completely agree with Dave nor do I completely disagree with him. My stance is that there is still some value in Security Awareness. Security Awareness in and of itself doesn’t suck, the current popular implementation of it does. The entire burden of security isn’t on the users, but if you can leverage them to be a little more vigilant, or at least less cavalier about email links and attachments, you’ve done some good. They should have some interest (however slight) in company security, it does after all help preserve profit which helps enhance and preserve their paycheck. Just like you clean up the mess left at the coffee station in the morning, help your neighbors from slippin’. -Todd

  4. Adam
    July 20th, 2012 at 09:25 | #4

    I also think a little conflict is good and like it when people make a real stand on an issue. However, the effect is diminished when that statement is so oversimplified and one-sided that it doesn’t foster good discussion but rather the type of backlash he received.

    It’s clear that he was trying to push the type of security he sells (malware defense/vulnerability management) by dissing another type (security awareness training). I would have found it much more interesting if he worked at a security training company and the article wasn’t slanted in a way that benefits his company.

    I also think that for years, security has always been about layers for a reason. To say let’s remove this “training and awareness layer” and rely solely on this anti-malware layer is something a first year security student would say before they learned that security is about managing risk, not only investing in controls that always work.

    I think it’s also important to realize that for a site like csoonline.com, there is a wider audience than security professionals and while you may just know he is “wrong”, others might come along and think that his is the best thinking of the security community or it wouldn’t have been posted on csoonline.com. At a minimum, they should have made it a two-sided discussion with someone else acting as the proponent of security training. Shoddy journalism and no real substance to this article so I have to politely disagree with your assessment that it added anything to the discussion.

  5. xrt89
    July 20th, 2012 at 10:15 | #5

    “Most security awareness programs SUCK”.

    That may well be true but most people doing security are better at technical controls and offensive social engineering. They have no idea how to develop programs that achieve sustained changes in behavior involving large groups of people. Look at the information security awareness training and there is practically no reference to the vast literature on behavior change because that’s a realm that is almost completely foreign to infosec professionals.

    Dave’s rant is a bit like someone discovering that abstinence-only education has no impact on teen pregnancies and STD-rates and then declaring that spending money on education is a waste of money and we should just lock everyone into chastity belts.

    I didn’t notice much if any vitriol in the comments. A number of people pointed to significant holes in his argument. He seems disinclined to engage them on these points. His whole post and subsequent disengagement reeks of pot-stirring publicity.

  6. admin
    July 20th, 2012 at 11:58 | #6

    @Infosec Professional
    Well, Jack has a point, and I don’t disagree. To be clear, I’m not endorsing Dave’s simple polarity of black/white, right/wrong. I just like that he presented an unpopular and controversial position with at least *some* rationale, and watching people vigorously defend something that traditionally hasn’t worked and continues not to work is interesting.

  7. admin
    July 20th, 2012 at 11:59 | #7

    And that’s a pretty reasoned position, and closer to my own. There may be SOME merit there, but it’s damn sure no panacea. I would posit that it’s pretty broken, and needs fixing/changing. IF we want to continue with awareness programs, we need to do it better and likely differently.

  8. admin
    July 20th, 2012 at 12:01 | #8

    You have a fair point re: CSO. They do need to consider the wider audience, particularly with the current keen interest in infosec. But we NEED button pushers who get us all worked up. Maybe completely removing all awareness programs is the wrong answer, but the current models are stupid, for the most part. I’d much rather wrap the user in a bubble technically than rely on their “good sense” and “caring about the organization” to get us through.

  9. admin
    July 20th, 2012 at 12:03 | #9

    Oh, I completely agree re: Dave and publicity – no doubt at all. But I like that he just shot it out there at all, and I was amazed that many just took the “following the herd” comment rationale. We need people to dissent and disagree, and ultimately push new changes and programs as a result of the dialogue. If everyone nods in unison and says “BS – people, process, technology” like automatons, we’re just another great example of groupthink.

  10. July 20th, 2012 at 17:33 | #10

    Clearly, MOST of what is being done in IT security today isn’t working – from AV to IDS to NAC to WAF to Policies to “security awareness”. It’s almost trivial for hackers to get around ALL of it on a daily basis.

    Security awareness IS a critical component of any IT security plan. But we must distinguish between that as a GOAL and that as a TACTIC to be implemented by half-ass corporate training – which as everyone knows always sucks.

    A better way to build security awareness in employees is to embed it in the processes they have to do to complete their staff function. By requiring employees to take specific steps as part of their function procedures to verify security, we can make them think about security at every point.

    People need to realize – not just in IT operations but in life in general – that THERE IS NO SECURITY EXCEPT security awareness. That’s not too hard to express to people in general but it’s hard to get employees to develop that same awareness in a corporate setting, especially when most people really don’t care about the companies that employ them (mostly because they rightly know that most companies don’t care about them except as replaceable “carbon-based units”.)

  11. Rob Lewis
    July 21st, 2012 at 08:25 | #11

    Any cow still being milked is going to be sacred to someone! Shouldn’t security awareness training focus on gaps in internal controls, not attempt to act as a substitute for them?

    I remember Ranum saying that with distributed computing came distributed risk, and users were neither interested nor inclined to manage endpoint security. When and how much security awareness and skills training is going to fix that?

  12. Vern Williams
    July 31st, 2012 at 06:12 | #12

    All this comment about sacred cows and fowl actions makes me hungry for “Steak and Eggs”. Seriously, the fact that we suck at User Awareness Training does not make it irrelevant or unnecessary, although it could be if it served no function. What I object to is the “one size fits all” and the “check the block attitude” when it comes to UAT. It also takes a lot of work to make it interesting, relevant to the job and LIFE of the employee and to establish metrics to determine if it works. To be honest there are few UAT programs that achieve this. I joke that the most dangerous threat to IT Security is the “rodent on your desk”, the mouse, but this implicates the driver of the mouse who chooses to click, not on known bad sites, but rather sites that bring an unknown risk to the organization. We can provide indicators of risk to the user when that is known and we can flag sites that are of unknown risk. So, maybe the right answer is in a broad approach to changing behavior: controls and risk indicators to prevent undesired behavior, comprehensive and job specific UAT, incorporate security into the job description and evaluation process for all employees and have innovative use of all of the dumb things people do to put the organization or themselves at risk.

  13. August 21st, 2012 at 09:27 | #13

    But ‘security awareness’ of what, exactly? If it’s regarding generic risks and threats of employees using their own devices, fair enough. If it’s generic security training for an organisation facing very specific threats, it’s rather pointless, because any reasonably advanced threat will socially engineer employees into doing what they’re told not to anyway, if that’s the easiest way to compromise the network. Email malware to an organisation with 2,000 employees, and someone is guaranteed to run the attachment.

    The second problem is maintaining a decent level of awareness isn’t viable, if the workforce isn’t interested in IT and not spending hours each day reading the journals, magazines, blogs, etc. etc. to keep up with developments. They just wouldn’t be clued up on the latest tactics and methods of attack.

    Yes, some training is important, but security shouldn’t be reliant on it.
