
Is Cybersecurity the Next Compliance?

What do we learn and what can we teach from the cyberattacks happening all around us? Or do we just sit back and say, “there’s another one”? If among us we include the trainers and training designers, evangelists, and business leaders of this world, is it not our role to try to educate our staff (and potentially our future staff) in how to be more web savvy?
Every single day we see something in the papers or on the news about yet another attack. “The head of security at xxx has been hacked,” “GCHQ backdoor found,” “After Snowden, how vulnerable is…” We also see 300 thousand, 40 million, or 60 million credit cards or personal accounts or bank details hacked, stolen, accessed.
In the next breath the media publishes the top 20 most-used passwords in the world today. Top of the list is “123456”—seriously? Or how about “starwars”? Someone told me they could not remember their passwords, so they changed all their passwords to “incorrect.” When they typed any random set of letters or numbers into a password box, a pop-up told them that their password was incorrect—ah, now they remembered it! Do you wonder we have some problems?
Thinking like a thief
To understand what we can learn and what to educate, we have to get inside the head of the cyber thief and understand a little of what they are doing. Sounds easy, but trying to explain what is really going on is an uphill struggle. Each time we get a handle on what is happening, the thieves do something different. I put together the following analogy to try to show the whole picture in the simplest terms. Once we have that picture we can move forwards.
Cast your mind back to the old Wild West where gun-slinging robbers, wearing leather chaps and a mask over their eyes, got off their horses and shot up the small town bank to steal the money. In those days there was a small room in the bank that held the cash. The thieves would walk in with guns blazing, fill a saddle bag with money, and ride off into the sunset with a posse on their tail. Come forward to today and the thief walks in and steals your data in broad daylight and has all the IT techies trying to work out where he went. Has anything changed?
So back to our story. To stop the gun-blazing attack, the banks realized they needed to build a vault for the money. These got more and more complicated as the decades went by with bigger locks, time locks, then bars at the windows, security devices, closed-circuit TV (CCTV), and now armed security personnel standing guard outside and inside when the bank is open.
The thieves got clever and stopped trying during the day with all this security. They started to work at night or weekends when the bank was closed, so they could not be seen. This is not too dissimilar to the cyber thief who comes in quietly and hides—not wanting to be found. To stop bank robbers attacking at night, bank owners put even stronger locks on the doors, followed by walls around the building (firewalls in the IT world). When thieves climbed over the walls or cut holes in them, owners made the walls taller and stronger. They added guards behind the walls 24/7 in the bank.
The walls, however, still don’t stop the occasional thief. Over the Easter 2015 holiday, the biggest heist ever in UK history was attempted by a group of eight middle-aged and elderly men who cut through concrete walls and raided the most secure vault in London, only to be foiled by modern-day technology they did not understand: CCTV caught the leader parking his own white Mercedes convertible just around the corner, and the group called a cab for the getaway. They made a haul of jewels, cash, and other valuables worth millions of English pounds.
How does theft happen in the virtual world?
While a thief would be pretty obvious wearing a stripy black and white shirt carrying a bag labeled “Swag,” the thief embedded in software can’t breach the firewall or get past the antivirus without being recognized. The parallel in the online world to the guards in the bank is the antivirus tools looking for what they can recognize.
Now if the thief had worn the right color shirt or arrived in a delivery truck, with what appeared to be the right credentials, I bet the security guard would think he was a good guy and just let him in—once. After that, the guard would recognize the thief, so the thief would have to put on a different disguise each time he tried. This is what the modern day technology thief does: each time he arrives he looks different, has a different story, and has learned from the last time he got stopped. Each time the phishing email arrives, it is a little different; Nigerian princes have become free iPads and all sorts of tricks to get you to click—and there is a sucker born every minute of every day.
Our physical thief, having run out of different disguises, looks for a different method and now, like the thieves in the story above, tries to tunnel in. Going under the defenses worked for a while too. However, by now the bank looked like Fort Knox and was pretty hard to penetrate. The cost of all this security had become so high that companies could really no longer afford it. So they buried their heads in the sand and just hoped it would not happen to them. In the IT world this is all too familiar.
Enter the scammers
Where are we now in our story? Are you getting a picture?
In the cyber world, we now have (figuratively speaking) pretty secure banks, deep strong vaults, and many security features. Guards all day and night, cameras, and everything else we possibly can have to keep them out. But the cyber criminal still manages to get in? How?
The latest techniques use the oldest, simplest methods. Fool the guard into opening the door for you. Hijack the delivery van. Break into the office of the company or contractor that maintains the air conditioning and see if you can find the access cards the workmen use.
There are other ways. If you saw a wooden horse approaching your local bank, a horse on wheels moving slowly and it looked like it had people inside it, you would know there is something not right. But we allow Trojan horses into our computers by accepting documents and PDFs and USB sticks from people we do not know, and we open them without question.
“Not me,” I hear you thinking, but do you remember that last conference you attended? All those freebies? How many of them plugged into the USB port on your computer? We visit sites we know we probably should not, and click on links sent from our friends on social sites that supposedly contain a joke or sexy picture or some other lure. No different from that wooden horse outside the bank! And you are the accepting gatekeeper, duped into opening the door. Computing pioneer Rich Pasco has done a great job of compiling a list of scams: https://www.richpasco.org/virus/everytrick.html
Do you want to know how I would do it? Simple, really; you would win the competition at a conference and get a free iPad. I’ll even take your smiling picture as you are presented with it. Go back to your hotel and plug it into your laptop for me, will you? Some call me a little paranoid, but if you worked where I work, you would be too.
The big time thief uses more sophisticated techniques. They will find out, using social engineering, all about you, your company, where you have been, where you are planning to go. And then they will impersonate someone you know, mentioning things that you know that person knows, and they easily trick you into opening the door for them. They know you probably use the same password on Facebook, Twitter, and your bank, not to mention your office laptop.
The sad part is you probably won’t know you were duped; in fact you won’t even give it a second thought. (Have you done a stupid quiz recently on Facebook? Did you log in to get your results using your Facebook password? Oh, oh!) But what they have done is use you to gain access to your customers or clients. For example, recently a CFO was duped into transferring hundreds of thousands of dollars to a Chinese bank. This was done by an email seemingly from the CEO that said, “This is secret, don’t tell anyone, it’s highly sensitive information, but send a few hundred grand to an unknown account for me in China.” Without question the CFO did what he was told (I know it sounds farcical when you read it here, but this really happened). It was not until he got the next email that said, “great job, now can you do it again for a few million?” that he even thought to pick up the phone and ask the CEO, “Are you serious?” Reading this now in hindsight you would never have been duped like that, would you?
Don’t be the low-hanging fruit
Of course in the physical world the criminal looks for the easy win. That money or the gold bars or those high-value jewels are hard to attack in the vault. But when you move them, they are an easier target. Armored trucks delivering to Fort Knox are easier to attack than Fort Knox itself.
Here is where the fight back begins in our analogy. This is where the cyber companies are fighting what we call World War C (cyber). This is where you play a part in re-educating your staff as to what is good and what is bad.
There are many types of cybersecurity (actually there are very many, but few that are effective). Either you increase the defense and try to stop them getting in, or you accept they will probably get in, recognize them as they do so, and stop them taking anything out.
The first option is increasing defenses to stop them getting in; this is proving harder to achieve. Some cybersecurity systems work by analyzing files to look at the signature of the file and comparing that against a database of known signatures. If you alter a file by just one byte you change the signature. So if your database of signatures is just a few minutes out of date, they are easy to beat.
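As an added illustration of that point (this is not code from the article or its author), the toy scanner below keeps the kind of exact-hash signature database the paragraph describes and, beside it, a hypothetical YARA-style content rule. The sample document and its one-byte variant are constructed and harmless; the hash check misses the variant as soon as a single byte differs, while the rule that keys on the document's structure still fires.

```python
import hashlib

# Constructed stand-in for a document the defenders have already seen and
# catalogued. It is harmless text shaped like a PDF so the content rule below
# has a structure to match; it is not real malware.
KNOWN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert) >> >> endobj\n"
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The "database of known signatures" from the article: one exact hash per
# sample already analysed. Anything not listed here passes unnoticed.
SIGNATURE_DB = {sha256_hex(KNOWN_SAMPLE)}

def hash_signature_hit(data: bytes) -> bool:
    """Exact-signature check: flagged only if the whole-file hash is known."""
    return sha256_hex(data) in SIGNATURE_DB

# A content rule (hypothetical, YARA-style in spirit) keys on the structure
# that gives the document its behaviour rather than on its exact bytes.
CONTENT_RULE = (b"/OpenAction", b"/JavaScript")

def content_rule_hit(data: bytes) -> bool:
    return all(token in data for token in CONTENT_RULE)

def one_byte_variant(data: bytes) -> bytes:
    """Constructed variant of a sample: the trailing newline re-saved as a
    space. Same length, same behaviour, one byte different."""
    return data[:-1] + b" "

def scan(data: bytes) -> dict:
    """Run both checks so the gap between them is visible side by side."""
    return {
        "sha256": sha256_hex(data),
        "hash_signature_hit": hash_signature_hit(data),
        "content_rule_hit": content_rule_hit(data),
    }

if __name__ == "__main__":
    for label, doc in (("catalogued sample", KNOWN_SAMPLE),
                       ("one-byte variant", one_byte_variant(KNOWN_SAMPLE))):
        print(label, scan(doc))
```

Run as a script it prints both verdicts for the catalogued sample and for the variant, which is the "few minutes out of date" gap the paragraph is talking about.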
Our armored truck delivering to Fort Knox handles money in cases that the operatives carry. They made the cases small on purpose so they carry less value, lowering the individual case loss in the event they are attacked. But now the operative has to make more journeys from truck to vault, which increases the risk again.
The second option comes into play if you attack one of those cases. Try to open it without the right key and something explodes inside, sending fluorescent ink (called SmartWater) all over the money and the thief, making the money zero value and marking the thief so he can be seen 100 yards away. He got in, he got the bag, but there is nothing he can use in it, and he is now easy to spot. This is accepting they will get in, but once they’re in we shut the door and make it impossible for them to take the data out. We fool them into a sense of security, so we can catch them literally red-handed. This type of security is a big enough deterrent to have lowered the attempts significantly. Why would they? They can steal it from you easily online.
A new alternative, and really a third option to this, is to use analytics. Here the cybersecurity companies watch everything in the world and understand from the data what the most likely next attack will be. We are ready for it when it happens. Big data analytics is not new, but is becoming one of the very powerful tools in the cybersecurity toolbox.
Our role is to start to build good training material to educate the end user not to use “starwars” as their password. Ensure they do not use it on Facebook, Twitter, bank and credit card accounts, and in your corporate network. They may store all their passwords in a file on their desktop called, you guessed it, “Passwords”! I know it sounds ridiculous, but it’s true.
Train your staff not to bring outside equipment into your network. “I never joined the network,” I heard one employee say. “I just plugged my phone into the USB port of my work laptop to charge it up while I was on the train.” So you have a BYOD policy at work? Are those mobile devices within your managed defense? Don’t have a managed defense? Time for a rethink.
We need to create a fun compliance course called “Let’s be tech savvy”—something we all claim we are, but breach almost daily in one way or another as we have become blasé.
Use new catchphrases in your organization: “Think before you click” may be a good one.
We have to constantly drip feed new information to our staff to be vigilant: not to open documents, to check when the CEO sends you a PDF file with a new share certificate as a present. Not to plug in the USB stick with the Apple logo we found in the local coffee shop this morning, however tempting it may be. Not to click on the million-dollar giveaway, especially if your brother sent it to you. Don’t do the mindless quizzes on Facebook that require you to log in. Understand that the picture in your email of the hunk with a six pack or girl almost naked is a red flag waving frantically to say STOP.
I suppose I have to ask, how did you read this article? If it was on a link in LinkedIn and was posted in my account, you’re probably OK. If you saw it in a magazine that you trust, such as Learning Solutions, don’t panic—it’s safe. But if someone sent you a link, or attached it as an email—“great article by…”—you may want to check who the sender really was.
[Editor’s Note: While I was editing this story, an email arrived with great news: “BFTSPLK JACQUELYN shared this with you. Catherine just sent you $2,223.00 with PayPal!” No, thanks, Bftsplk Jacquelyn, I didn’t even open the email.]




