« September 2011 | Main | November 2011 »

October 2011

Monday, 10 October 2011

What's missing from security awareness programs? Human awareness

The central theme for many security awareness month articles is "Awareness programs are failures", quickly followed by a rally cry, "We need to change them." This is too vague an objective.

Think Differently

Lance Spitzner of Honeynets Project fame thinks we need to think differently if we truly hope to create effective programs. I agree. But there's more than merely  thinking differently to consider. We need to stop thinking in a vacuum.

Lance claims "To have an impact and secure the HumanOS, we have to start thinking differently about awareness and education." What I conclude from this comment and shared with Lance is that we need to admit that as security and technology professionals, we are ill equipped to develop effective security awareness programs without help from others. 

Our orientation to security awareness is shaped by what we know  about threats, risks, and exploits and the techniques and technology we can use to mitigate them. Security success often relies on knowing our enemy. We study their methods, means and motives. We track their behavior.

Know Your Friends

We know more about our enemies than our friends. This is our collective blind spot. Imagining that the people for whom we design security awareness programs have the same vested interest in, fascination with, or time to "be secure" is pure folly, hubris or both.  Our enemies, however, study our friends (our users): studying how users behave, observing how quickly user interactions with devices become rote, and teasig out what makes users act without thinking form the foundation of social engineering. 

Expand the Talent Pool

Success at raising security awareness rests on knowing our friends. We don't study  the HumanOS that the average Internet user boots up when he wakes as much as we study criminals or miscreants. Fortunately, others do. 

Sociologists study social activity. Psychologists study human behavior. Collectively, they study most of the critical functions of the HumanOS. Why are we not engaging experts in these fields to help raise security awareness? 

If we want to experiment with a psycho-social-technological approach to security awareness, perhaps we can start with social engineering. Social engineering is arguably the most widely used tool in the criminal tool kit. Social engineers have a distinct advantage on the ecrime playing field. They draw upon decades of exhibited Internet behavior and millennia of successful acts of fraud or deception. Often, with almost trivially simple technology they are able to steal, defraud, coerce, or impersonate with almost a free hand.

Security professionals know how criminals victimize users.  We offer "day late, dollar short" awareness programs of the form "here's how phishers steal your credentials, so don't fall for this kind of scam". This approach is as successful as telling people "eat fewer calories than you burn and you'll lose weight". Both are well-intentioned but ineffective because they unrealistically assume that the fix is obvious and changing behavior is easy.

Change Behavior not Software

Effective weight loss programs involve education, coaching, counseling or activites that are less oriented to helping individuals to manage anxiety, frustration, urges, or other reasons that cause them to make poor diet choices.

Weight loss programs aren't designed exclusively by physicians or scientists who study nutrition, and neither should security awareness programs be designed by experts who study social engineering or ecriminal activity. The same is true for healthcare awareness programs and month long campaigns. Breast cancer and heart disease awareness are noteworthy and effective examples. These effectively incorporate sociological and psychological considerations into awareness program designs. If we are unwilling to adopt similar orientations and strategies, we may continue to fail to make awareness programs effective. 

 

Posted at 01:27 PM in All matters security, Stop Think Connect | | Comments (0) | TrackBack (0)

Friday, 07 October 2011

DNS RPZ available in BIND 9.8.1

BIND 9.8.1 is available and with it, a release quality version of DNS Response Policy Zones (RPZ). As I explain in an earlier post, RPZ is a way to compose a special purpose zone file, a Response Policy Zone (RPZ). In that zone you list domains that your organization's resolvers are forbidden to resolve. 

Blacklist Provider Support

Several real-time black list service providers support RPZ including SURBL, Internet Identity, and SpamHaus. Your organization can use feed(s) from one of these organizations to compose your RPZ from trusted lists of maliciously registered domains.

DNS Firewall

Internet Systems Consortium (ISC) promotes RPZ as a DNS Firewall, an additional security widget within a network's existing security architecture. It complements features DNS and content filtering proxies certain Internet firewalls support. A benefit from using RPZ is that your organization can prevent *any* connection from being made to potentially all hosts within a blocklisted domain (as opposed to specific URLs or listed hosts).

ISC is hosting multiple webinars on 12 October 2011 to help DNS operators become more famliar with how to implement RPZ.

Are you wondering how RPZ relates to the recent and ongoing discussion about DNS filtering, notably Protect IP? The relationship is actually quite simple. RPZ is a mechanism you use to enforce a policy for a given administrative domain. In practice, when you make use of a mechanism like RPZ, your organization should act according to the principle of "Do no harm" and take every measure to see that the policy you enforce is appropriate for your organization and is does not interfere nor harm users or organizations over which you have no administrative scope (see this post for details).

 

Posted at 12:29 PM in Domain names and DNS | | Comments (0) | TrackBack (0)

« Previous | Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories