Monday, 4 May 2015

Social Engineering Defenses

Most security awareness advice is terrible, just plain bad, and not remotely feasible for your average user.

While often viewed as the best defense against social engineering, security awareness training is ineffective and expensive. This topic has been hotly debated by security conference panels (like the one I am participating in at Interop 2015), and in various articles, but the focus has usually been on conducting or improving awareness training.

What if the debate's focus was instead on resource allocation? Every organization, after all, has a finite budget allocated for information security resources. The question should not be "To conduct awareness training or to not conduct awareness training?" or "How do we improve awareness training so that it actually works?" Instead, let's ask, "How will you invest your organization's security resources?"

Strategic Defense: How Training Falls Flat

The Open Source Security Testing Methodology Manual (OSSTMM 3) states that security provides "a form of protection where a separation is created between the assets and the threat." Realistically, we also need to detect and respond to active attacks, which leaves us with these four options:

• Remove or reduce users' access to sensitive assets, while still enabling users to conduct business (least privilege)
• Create as many layers of separation between the attacker and the user as possible (defense in depth)
• Train … and pray (security awareness)
• Detect and respond to both successful attacks and attacks in progress (incident response)

Essentially, we need to apply basic risk management techniques to an organization's acceptable level of risk for defending against social engineering attacks.

Tactical Defense: Where Users Fit In

When it comes to social engineering attacks, users tend to assume the unfortunate role of scapegoat for an organization's insecurity. Anything that requires users to "think" about security actively and constantly is making it their problem, instead of ours as security professionals.

The idea that users need to be "fixed" by security awareness training makes unfair assumptions about users' desire and time to learn about security in the first place.

For example, my mother works for a multinational household-name corporation, and their security awareness training is required for all employees on an ongoing basis. Their training initiative works so well that she calls it "pishing." (Note: Permission to use Momma as an example was granted at a Sunday evening dinner.)

That leaves the question: Well, what should we tell users? Should we inform them that it's not safe to check email, browse the Internet, open PDFs, Microsoft Office documents, search Google for information, or use Facebook? Should we recommend that they stop using computers in general? We might as well prepare them for a quaint lifestyle.
