- Email: [email protected]
Driving the security message
DRIVING FEATURE SECURITY physically installed on to the authentication device. By pushing OTPs on demand to a mobile phone or BlackBerry device, users can authenticate to the network any time, anywhere, without the need for setup, purchase of software licences or ongoing management.
Business disruptions 2FA solutions are also available to help reduce network risk during a disruption to the business. Disaster recovery and ICE (in case of emergency) planning often allows employees to work from home or other remote locations at very short notice. Yet in increasing the number of users accessing the corporate network this way, it is vital that network access remains secure. The latest cloud-based and serverbased solutions tackle this by allowing businesses to secure the login process for
staff on occasions when they cannot get into the office and have to work remotely. This is done by having a pool of ‘frozen’ software or SMS 2FA tokens that can be issued to users within minutes. This means that in the event of a disruption, all that is required is to ‘defrost’ the tokens and access to the corporate network will be immediately secured, wherever staff are located. Critically, it is not essential for a business to have an existing 2FA solution in place, as such strong authentication can stand alongside traditional user names and passwords, to ensure full protection in the event of any threat to business continuity.
A federated future Looking ahead, the growing demand for flexible, easy-to-use authentication capable of being applied in a wide vari-
ety of remote environments will fuel the development of new types of software and on-demand SMS tokens. The ability of cloud-based authentication to reach across multiple portals and applications will also provide the essential platform for developments such as federated ID, where an individual user will use the same token to access their own home-shopping account as in their professional business dealings. As a recent study on the evolution of strong authentication by research analyst Quocirca states: “Open, flexible cloudbased authentication platforms and industry standards such as SAML will lead to the promise of federated identity finally being realised.” Meanwhile, with the advent of hosted PaaS-based options, SMEs can now access highly scalable, available and secure 2FA solutions that were previously the exclusive domain of much larger corporates.
Driving the security message Wendy Goucher, Security Empowerment Consultant for Idrach Ltd It all started because of this small pink booklet, 70mmx 90mm that I have next to me on my desk. On the cover it says “County of Derby, Driver’s licence” and it is dated 15th March 1930. It is my grandad’s licence, and it is important for two reasons. Firstly, it was one of the last to be issued from the local county, rather than nationally. Secondly, it was a licence to drive, rather than an acknowledgement of the ability to drive safely. My grandad always said that the first, and only, driving test he took was to drive a bus. The compulsory test for private drivers was introduced in 1935 to try and combat the deaths and serious injuries on the road. Indeed it worked and they went down by 17% in the first three years following introduction of the compulsory test. So how did I get to this point? I was at a conference recently, and was November 2009
on a panel discussing security awareness training. We were asked to say a bit about our view of the way security awareness training is changing, and that little pink licence jumped to the front of my mind and I wondered whether we are not approaching a similar watershed in using the information superhighway.
Declarative driving? The first lesson we can learn from operating on a road is how we learn to drive in the first place. Firstly, from being very young, we learn about the signs
Wendy Goucher
and signals around the road, what they mean and how we should react to them. This uses a type of memory called declarative memory, and is concerned with learning facts. In security training this might include such things as the fact that if you take the USB key away from the machine without shutting it down first, you risk corrupting the data. That is a straightforward piece of information that can be taken at face value. Outside of computer misuse issues, some of which are also enforced by law of course, we have little information that is that straightforward. However, in too many instances, information is presented to staff as rules that are set in stone. This
Computer Fraud & Security
17
DRIVING SECURITY might seem like a sound tactic -- just tell the user what they can and can’t do, and leave it at that. They are not confused by ambiguity and there is clear direction to identify and discipline the miscreant. What happens, in effect though, rather like the road junction with four or five sets of signs on it, it that the user become overwhelmed with the need to obey all the directives, and looks for ways to sidestep or evade them. Once we get behind the wheel of a car and start to learn to drive, we use another type of memory, which is known as ‘procedural’. This is when behaviours are learned. Driving requires a combination of skills, learned behaviour and understanding of risk and possible remedies. These lay the foundation for the dynamic learning of skill as our experience grows and the conditions we drive in change. In the same way, when we are raising security awareness in an organisation, we should be looking at giving staff an understanding and appreciation of risk and remedies that will allow them to operate safely when unsupervised.
It could happen to you A big hurdle in awareness raising is the attitude that data loss incidents happen to other people, and that they know and understand the risks without an outsider getting involved. This is similar to the attitude of inexperienced drivers who simply don’t believe they will crash, despite the statistical evidence. However, when an incident does take place, even with someone else close to you, it can bring the risks into sharp focus. One of my daughter’s friends had a car crash within a week of passing her driving test. Thankfully she was not badly hurt, but all of her social group had to help her deal with the blow to her confidence, and the logistical problem of no longer having a car. They were all a little more careful, especially on the hazardous country road where the accident happened. They therefore learned from, 18
Computer Fraud & Security
and were protected by, Sarah’s mistake. Sometimes, what you need in security awareness terms is a ‘near miss’ for someone known to your audience to bring the message home
“In 1983 the wearing of seat belts in the front of a car or van became compulsory. As there was a financial penalty involved, this increased the uptake somewhat, as you might expect.” My colleagues are often frustrated because they don’t see why it is so hard to get staff to carry out basic operations in a secure way when they have all the means to do so. For example, people still insist on sharing access passwords when is a straightforward system in place to deal with access to critical information in unexpected circumstances, such as illness. We can gain some insight into that from the history of seatbelt use in the UK.
Belt up, will you? The law required seat belts to be fitted in all new cars registered in Britain from 1st April 1967. Most drivers and passengers did not get the point. These were static belts, and they were uncomfortable and inconvenient. Not surprisingly, the up-take of seat belt wearing was low in the first few years. As inertia belts, which allowed more movement and removed the readjustment issue, became more common, use did rise slightly but was still low. So clearly these were not the only issues. All through this time learner drivers were taught to drive wearing a belt and it was thought that this would mean that the behaviour was habitual by the time the driver was allowed to drive unsupervised. However, neither that, nor the public information advertisements promoting the phrase “clunk, click, every trip” were enough to persuade the hardcore non-wearers.
In 1983 the wearing of seat belts in the front of a car or van became compulsory. As there was a financial penalty involved, this increased the uptake somewhat, as you might expect. However it was not the winning strategy. The key moment was actually when cars were fitted with the deliberately irritating alert signal, which sounds until the seatbelt is fastened, or at least for a significant length of time after the car is started. In other words, until the lack of the seatbelt became more irritating and annoying than just taking the safe decision, people didn’t commit. So from this we can see that it wasn’t the availability of the secure solution, or even the legal sanction that made usage widespread. It was the constant, irritating reminder that made it difficult to drive insecurely, and impossible to say that you are not aware that it is required. My final point comes from the difference in approach that people have to taking care of rental cars, and their own car. I have long been concerned about the extent to which organisations, especially large ones, encourage their staff to loose their laptops, especially if they are senior managers. They do this by ‘rewarding’ the loss with the issues of a new laptop. Not only does this lead to increased cost of replacement, but also it means that staff are less likely to feel responsible for the loss. They suffer little inconvenience and no financial penalty. This can be equated with the use of hire, or rental cars. Rental companies generally expect a higher than average level of damage whether due to the unfamiliarity of the driver, possibly exacerbated in the UK with ‘right hand drive cars’, or just the carelessness of the driver in a car for which they have no ongoing responsibility.
The case of the wandering laptop At the conference I attended, the overwhelming opinion of the people in the room was that if staff suffer no ill effects November 2009
DRIVING FEATURE SECURITY following the loss, of data, in whatever media, then it is harder to encourage them to take care. I flew home via Schiphol airport in the Netherlands, and saw a great example of this. Unlike other airports I have travelled through, the security gates are at the entrance to each departure gate. At one point there was an announcement for someone who had left their laptop at the security point to go back and collect it. There was, it seems, no reply to this call, or its repeat a few minutes later.
“People in general are not interested in paying extra for increased safety. In the beginning, seat belts cost $200 and nobody bought them.” As there were only the people for the single flight in the room, one of the guards felt that it was worthwhile to walk around the passenger area to try to find Continued from page 3... fare, and the Cold War in the 50s, particularly in the area of deterrence. Unlike the US and Russia, which were equally vulnerable to destruction in a nuclear war, developed countries may be more vulnerable to a cyberwarfare than developing nations because they have a critical national infrastructure that is more dependent on computerized networks.
Private sector companies stand to get caught in the crossfire in the event of cyberwarfare Private sector companies stand to get caught in the crossfire in the event of cyberwarfare, the report said. Financial
November 2009
the owner. It seems he then found a name on the back of the machine because he ultimately called her name and eventually the lady came forward. It appears she was not even aware that the machine was lost. What struck me, as they were united next to where I was sat, was the fact that she seemed neither surprised, nor even relieved, to have her laptop back. I can’t help thinking that the penalties for loss for her were not enough. I believe that we have reached a critical point in the operation of data security. Not so very long ago, information security was very much the remit of the IT department, but over the last few years it has emerged into the main office and become, like it or not, everybody’s problem. With that comes the real challenge that many people, who have some responsibility for sensitive documents, don’t see the secure management of them to be their problem. Indeed one survey found that around 98% of office workers didn’t see the protection of corporate data as their responsibility.
Now is the time for calm, intelligent planning and learning of as many lessons as possible from other people and other situations. That is, after all, cheaper and potentially less embarrassing than making the mistakes ourselves. There are many more parallels that can be drawn, and lessons learnt by looking at the development of safe motoring, I have used only a few, and there are others now languishing in my waste bin for lack of space. However I will leave you with a famous, but still pertinent, quote from Gene Spafford. He addresses the point that however passionate or articulate you are in communicating the security message, if the audience don’t feel that the effort of adopting the new behaviour is worthwhile for them, then you are wasting your time and theirs. He said: “People in general are not interested in paying extra for increased safety. In the beginning, seat belts cost $200 and nobody bought them.”
situations could be compromized in an attempt to undermine public confidence in the banking system, for example, while critical infrastructure such as electronics and water grids could also be subject to attack. The report therefore echoed recommendations made by the CSIS Cybersecurity Commission a year ago, which advocated increased partnership between the private and public sectors on cyber security matters. Information such as threat intelligence should be shared more effectively, it said. “If such measures are adopted proactively, before a major cyberattack happens, it might even obviate the need for governments to ever contemplate a Big Brother approach to cyber security”, the report added.
Phishers ready Christmas treats Phishers are gearing up for the Christmas holiday season, according to the latest report from Symantec. Phishing attacks were up 17% in October compared to the previous month, and phishers continue to automate their attacks by increasingly resorting to phishing toolkits. 30% of phishing URLs were generated using phishing toolkits, according to Symantec, representing a 24% increase over the previous month. The proportion of unique phishing URLs decreased from 75% to 70% in October, further Continued on page 19...
Computer Fraud & Security
19
Business disruptions 2FA solutions are also available to help reduce network risk during a disruption to the business. Disaster recovery and ICE (in case of emergency) planning often allows employees to work from home or other remote locations at very short notice. Yet in increasing the number of users accessing the corporate network this way, it is vital that network access remains secure. The latest cloud-based and serverbased solutions tackle this by allowing businesses to secure the login process for
staff on occasions when they cannot get into the office and have to work remotely. This is done by having a pool of ‘frozen’ software or SMS 2FA tokens that can be issued to users within minutes. This means that in the event of a disruption, all that is required is to ‘defrost’ the tokens and access to the corporate network will be immediately secured, wherever staff are located. Critically, it is not essential for a business to have an existing 2FA solution in place, as such strong authentication can stand alongside traditional user names and passwords, to ensure full protection in the event of any threat to business continuity.
A federated future Looking ahead, the growing demand for flexible, easy-to-use authentication capable of being applied in a wide vari-
ety of remote environments will fuel the development of new types of software and on-demand SMS tokens. The ability of cloud-based authentication to reach across multiple portals and applications will also provide the essential platform for developments such as federated ID, where an individual user will use the same token to access their own home-shopping account as in their professional business dealings. As a recent study on the evolution of strong authentication by research analyst Quocirca states: “Open, flexible cloudbased authentication platforms and industry standards such as SAML will lead to the promise of federated identity finally being realised.” Meanwhile, with the advent of hosted PaaS-based options, SMEs can now access highly scalable, available and secure 2FA solutions that were previously the exclusive domain of much larger corporates.
Driving the security message Wendy Goucher, Security Empowerment Consultant for Idrach Ltd It all started because of this small pink booklet, 70mmx 90mm that I have next to me on my desk. On the cover it says “County of Derby, Driver’s licence” and it is dated 15th March 1930. It is my grandad’s licence, and it is important for two reasons. Firstly, it was one of the last to be issued from the local county, rather than nationally. Secondly, it was a licence to drive, rather than an acknowledgement of the ability to drive safely. My grandad always said that the first, and only, driving test he took was to drive a bus. The compulsory test for private drivers was introduced in 1935 to try and combat the deaths and serious injuries on the road. Indeed it worked and they went down by 17% in the first three years following introduction of the compulsory test. So how did I get to this point? I was at a conference recently, and was November 2009
on a panel discussing security awareness training. We were asked to say a bit about our view of the way security awareness training is changing, and that little pink licence jumped to the front of my mind and I wondered whether we are not approaching a similar watershed in using the information superhighway.
Declarative driving? The first lesson we can learn from operating on a road is how we learn to drive in the first place. Firstly, from being very young, we learn about the signs
Wendy Goucher
and signals around the road, what they mean and how we should react to them. This uses a type of memory called declarative memory, and is concerned with learning facts. In security training this might include such things as the fact that if you take the USB key away from the machine without shutting it down first, you risk corrupting the data. That is a straightforward piece of information that can be taken at face value. Outside of computer misuse issues, some of which are also enforced by law of course, we have little information that is that straightforward. However, in too many instances, information is presented to staff as rules that are set in stone. This
Computer Fraud & Security
17
DRIVING SECURITY might seem like a sound tactic -- just tell the user what they can and can’t do, and leave it at that. They are not confused by ambiguity and there is clear direction to identify and discipline the miscreant. What happens, in effect though, rather like the road junction with four or five sets of signs on it, it that the user become overwhelmed with the need to obey all the directives, and looks for ways to sidestep or evade them. Once we get behind the wheel of a car and start to learn to drive, we use another type of memory, which is known as ‘procedural’. This is when behaviours are learned. Driving requires a combination of skills, learned behaviour and understanding of risk and possible remedies. These lay the foundation for the dynamic learning of skill as our experience grows and the conditions we drive in change. In the same way, when we are raising security awareness in an organisation, we should be looking at giving staff an understanding and appreciation of risk and remedies that will allow them to operate safely when unsupervised.
It could happen to you A big hurdle in awareness raising is the attitude that data loss incidents happen to other people, and that they know and understand the risks without an outsider getting involved. This is similar to the attitude of inexperienced drivers who simply don’t believe they will crash, despite the statistical evidence. However, when an incident does take place, even with someone else close to you, it can bring the risks into sharp focus. One of my daughter’s friends had a car crash within a week of passing her driving test. Thankfully she was not badly hurt, but all of her social group had to help her deal with the blow to her confidence, and the logistical problem of no longer having a car. They were all a little more careful, especially on the hazardous country road where the accident happened. They therefore learned from, 18
Computer Fraud & Security
and were protected by, Sarah’s mistake. Sometimes, what you need in security awareness terms is a ‘near miss’ for someone known to your audience to bring the message home
“In 1983 the wearing of seat belts in the front of a car or van became compulsory. As there was a financial penalty involved, this increased the uptake somewhat, as you might expect.” My colleagues are often frustrated because they don’t see why it is so hard to get staff to carry out basic operations in a secure way when they have all the means to do so. For example, people still insist on sharing access passwords when is a straightforward system in place to deal with access to critical information in unexpected circumstances, such as illness. We can gain some insight into that from the history of seatbelt use in the UK.
Belt up, will you? The law required seat belts to be fitted in all new cars registered in Britain from 1st April 1967. Most drivers and passengers did not get the point. These were static belts, and they were uncomfortable and inconvenient. Not surprisingly, the up-take of seat belt wearing was low in the first few years. As inertia belts, which allowed more movement and removed the readjustment issue, became more common, use did rise slightly but was still low. So clearly these were not the only issues. All through this time learner drivers were taught to drive wearing a belt and it was thought that this would mean that the behaviour was habitual by the time the driver was allowed to drive unsupervised. However, neither that, nor the public information advertisements promoting the phrase “clunk, click, every trip” were enough to persuade the hardcore non-wearers.
In 1983 the wearing of seat belts in the front of a car or van became compulsory. As there was a financial penalty involved, this increased the uptake somewhat, as you might expect. However it was not the winning strategy. The key moment was actually when cars were fitted with the deliberately irritating alert signal, which sounds until the seatbelt is fastened, or at least for a significant length of time after the car is started. In other words, until the lack of the seatbelt became more irritating and annoying than just taking the safe decision, people didn’t commit. So from this we can see that it wasn’t the availability of the secure solution, or even the legal sanction that made usage widespread. It was the constant, irritating reminder that made it difficult to drive insecurely, and impossible to say that you are not aware that it is required. My final point comes from the difference in approach that people have to taking care of rental cars, and their own car. I have long been concerned about the extent to which organisations, especially large ones, encourage their staff to loose their laptops, especially if they are senior managers. They do this by ‘rewarding’ the loss with the issues of a new laptop. Not only does this lead to increased cost of replacement, but also it means that staff are less likely to feel responsible for the loss. They suffer little inconvenience and no financial penalty. This can be equated with the use of hire, or rental cars. Rental companies generally expect a higher than average level of damage whether due to the unfamiliarity of the driver, possibly exacerbated in the UK with ‘right hand drive cars’, or just the carelessness of the driver in a car for which they have no ongoing responsibility.
The case of the wandering laptop At the conference I attended, the overwhelming opinion of the people in the room was that if staff suffer no ill effects November 2009
DRIVING FEATURE SECURITY following the loss, of data, in whatever media, then it is harder to encourage them to take care. I flew home via Schiphol airport in the Netherlands, and saw a great example of this. Unlike other airports I have travelled through, the security gates are at the entrance to each departure gate. At one point there was an announcement for someone who had left their laptop at the security point to go back and collect it. There was, it seems, no reply to this call, or its repeat a few minutes later.
“People in general are not interested in paying extra for increased safety. In the beginning, seat belts cost $200 and nobody bought them.” As there were only the people for the single flight in the room, one of the guards felt that it was worthwhile to walk around the passenger area to try to find Continued from page 3... fare, and the Cold War in the 50s, particularly in the area of deterrence. Unlike the US and Russia, which were equally vulnerable to destruction in a nuclear war, developed countries may be more vulnerable to a cyberwarfare than developing nations because they have a critical national infrastructure that is more dependent on computerized networks.
Private sector companies stand to get caught in the crossfire in the event of cyberwarfare Private sector companies stand to get caught in the crossfire in the event of cyberwarfare, the report said. Financial
November 2009
the owner. It seems he then found a name on the back of the machine because he ultimately called her name and eventually the lady came forward. It appears she was not even aware that the machine was lost. What struck me, as they were united next to where I was sat, was the fact that she seemed neither surprised, nor even relieved, to have her laptop back. I can’t help thinking that the penalties for loss for her were not enough. I believe that we have reached a critical point in the operation of data security. Not so very long ago, information security was very much the remit of the IT department, but over the last few years it has emerged into the main office and become, like it or not, everybody’s problem. With that comes the real challenge that many people, who have some responsibility for sensitive documents, don’t see the secure management of them to be their problem. Indeed one survey found that around 98% of office workers didn’t see the protection of corporate data as their responsibility.
Now is the time for calm, intelligent planning and learning of as many lessons as possible from other people and other situations. That is, after all, cheaper and potentially less embarrassing than making the mistakes ourselves. There are many more parallels that can be drawn, and lessons learnt by looking at the development of safe motoring, I have used only a few, and there are others now languishing in my waste bin for lack of space. However I will leave you with a famous, but still pertinent, quote from Gene Spafford. He addresses the point that however passionate or articulate you are in communicating the security message, if the audience don’t feel that the effort of adopting the new behaviour is worthwhile for them, then you are wasting your time and theirs. He said: “People in general are not interested in paying extra for increased safety. In the beginning, seat belts cost $200 and nobody bought them.”
situations could be compromized in an attempt to undermine public confidence in the banking system, for example, while critical infrastructure such as electronics and water grids could also be subject to attack. The report therefore echoed recommendations made by the CSIS Cybersecurity Commission a year ago, which advocated increased partnership between the private and public sectors on cyber security matters. Information such as threat intelligence should be shared more effectively, it said. “If such measures are adopted proactively, before a major cyberattack happens, it might even obviate the need for governments to ever contemplate a Big Brother approach to cyber security”, the report added.
Phishers ready Christmas treats Phishers are gearing up for the Christmas holiday season, according to the latest report from Symantec. Phishing attacks were up 17% in October compared to the previous month, and phishers continue to automate their attacks by increasingly resorting to phishing toolkits. 30% of phishing URLs were generated using phishing toolkits, according to Symantec, representing a 24% increase over the previous month. The proportion of unique phishing URLs decreased from 75% to 70% in October, further Continued on page 19...
Computer Fraud & Security
19