It was pretty obvious that after an Information Security persona such as Dave Aitel has posted his “Why you shouldn’t train employees for security awareness” article, there would be a lot of flak from the industry. A lot has been said about training employees to be somewhat more savvy users when dealing with corporate equipment and data (i.e. “stop clicking shit”). And even one of my favorite and outspoken Information Security personal had a great rebuttal on the matter – Krypt3ia’s “Throwing out the baby with the bathwater: Dave Aitel’s approach to INFOSEC“.
While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.
Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).
On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:
- Audit periphery
- Perimeter defense and monitoring
- Isolate & protect critical data
- Network segmentation
- Access creep
- Incident response
- Strong security leadership
In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.
Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.
Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).
And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interestedÂ in an effective defensive strategy that goes beyond blogging and writing articles 🙂 ).
6 responses to “Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?”
[…] Stories Source: http://www.h-online.com/security/news/item/Urgent-security-update-for-TeamViewer-1648586.html The TeamViewer developers have released updates for a potential security vulnerability discovered in the remote access tool. The company recommends that users install the security updates immediately. Versions 5 to 7 of the Windows, Mac OS X and Linux editions of TeamViewer Full and TeamViewer QuickSupport are affected. The flaw does not appear to have been discovered in TeamViewer Host. The company has not offered any details of the vulnerability, but updated editions of the software can be obtained from the TeamViewer Download page. The new version can simply be installed over the previous installation. … Source: http://www.cso.com.au/article/431196/medical-device_security_isn_t_tracked_well_research_shows/ Medical devices often use commercial PCs and have wireless connections that make them vulnerable to malware, or require software updates for security, but the U.S. may not be doing an adequate job tracking these risks, researchers indicated in a study published today. The study represents a multi-year look at how medical equipment manufacturers and their customers, such as hospitals, have made public information about device recalls or other equipment issues in the three major databases established or used by the U.S. Food and Drug Administration (FDA). The study, co-published by six researchers associated with Harvard Medical School's Beth Israel Deaconess Medical Center and the Department of Computer Science at the University of Massachusetts at Amherst, casts grave doubt on how well the U.S. is tracking security and privacy issues in software used to operate medical devices. Meanwhile, the study notes, medical devices are known to be increasingly compromised by malware, even turning them into botnets. Medical devices used in hospitals are "doing good things for people," says Kevin Fu, associate professor of computer science at the University of Massachusetts at Amherst, one of the study's co-authors. Patients shouldn't panic or become afraid. But he said the researchers undertook the study, which in part is sponsored by the National Science Foundation, because incidents in hospitals related to malware are known to be occurring. The three major medical-device recall and safety-alert databases used in the U.S. are where medical and IT professionals would expect to find publicly searchable information on security they want, "but what bothered us the most is the databases don't appear to capture security and privacy issues." He adds, "It's probably fair to say they weren't designed to do that." … Source: http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness http://krypt3ia.wordpress.com/2012/07/20/throwing-out-the-baby-with-the-bath-water-dave-aitels-approach-to-infosec/ http://www.iamit.org/blog/2012/07/security-awareness-and-security-context-aitel-and-krypt3ia-are-bot… […]
[…] both posted their rebuttalsÂ “Throwing out the Baby with the Bathwater”Â Â andÂ Security Awareness and Security Context â€“ Aitel and Krypt3ia are both wrong?Â respectivelyÂ Â calling each other wrong of course, but where’s the excitement without […]
[…] @iiamit have both posted their rebuttals "Throwing out the Baby with the Bathwater" and Security Awareness and Security Context – Aitel and Krypt3ia are both wrong? respectively calling each other wrong of course, but where's the excitement without […]
[…] in luck. Here’s three, by Boris Sverdlik (@jadedsecurity) , Scot Terban(@krypt3ia) and Iftach Ian Amit (@iiamit). They’re also all rather nice people and you should follow them on […]
[…] several responses such as @Krypt3ia‘s response here. Then there was @iiamit‘s response here. That resulted in @jadedsecurity responses which is […]
[…] both, Iftach Ian Amit, from Security Art says they are both right and wrong at the same time. He states, â€˜Trying to solve infosec issues through technological means is a guaranteed recipe for failure. […]