Only the most techno-centric in the InfoSec profession could believe users of technology can be programmed like firewalls. However, getting system users to respond like one can form a useful basis for security awareness training.
What’s a firewall?
By firewall, I mean those technological security measures that prevent unauthorized access to a network. I first heard of the principle at a security show in the mid-1990s. Then, corporate desktop networking was just breaking out. However, there were real fears that malware (or viruses – as they seemed to be exclusively called them) could make future networking impossible. Therefore, we gave thanks to this new defense in our armory, one that promised to incinerate any badness trying to enter networks while magically letting in all things good and necessary. The concept was presented as a new age of virus-free network computing.
Not long afterwards we had to consider new technology which strained this idea (I recall it was the need to enable XML). Soon it became clear that firewalls were being challenged by the evolving sophistication of malware. I certainly took this lesson to heart and even now, l can’t get excited by new technology for tackling cyber threats. While some companies extend assurances about their own technical security measures as a sales feature, the fact is that any barrier will eventually be overcome by the evolution of hacking techniques. In addition, the interludes between the effectiveness of new defenses and their compromise will only get shorter.
The vulnerability problem
Since those simpler, mid-nineties years of small and rigidly defined networks and a less sophisticated internet, the biggest hacks have been made possible through exploitation of vulnerabilities. No firewall ever could block such procedural gaps as failure to update hardware and software, the proliferation of unnecessary services and lax control upon access privileges. Applying a firewall to those cases would be like putting a strong lock upon the door to a room with big holes in its walls. These ‘holes’ get ever bigger, as system owners snap up new technologies – with their associated vulnerabilities – giving network managers the impossible task of trying to close off all associated vulnerabilities (That said, some of the biggest current vulnerabilities relate to older services, so it’s not always the fault of new ones).
Hackers are not of course confined to technology to get at their targets. While some might enjoy the challenge of complex system security barriers, others might be more adept at getting hold of the keys to a system without the need to break through its technology locks. Hackers of all motivations can use social engineering techniques as a short cut to getting what they want. Sometimes social, not technical skills are behind major hacking incidents.
The firewall legacy
Firewalls became just another counter in the eternal arms race between system users (and their allies) and hackers (and theirs). Perhaps a more durable legacy of the firewall is its very name, a now widely understood concept of impurities being burnt up in the eternal flames of logic. Since technology cannot be the only solution to security vulnerabilities, it is increasingly necessary to rely on the vigilance of IT managers and users themselves to prevent security incidents. Let’s consider how to apply the concept to the next line of cyber defenses: the user.
Programming the human firewall
Obviously, I don’t think of the human firewall as a stage of human evolution, but I believe it can describe a simple framework to adopt an intelligent defense against hacking, in particular against social engineering. Like a technological firewall, the programming this of users must be simple, with the default being that any untrusted activity is not be allowed.
• Keep security awareness messages simple and avoid the tendency to use complex terminology. Analogies work best, though even these will be ineffective if they use allusions not easily grasped by everyone.
• Create a safe space that encourages users to report incidents and issues in confidence, without fuss and, as far as legally and contractually possible, with no adverse consequences to them. Associates who grasp the initiative in noting a possible flaw in security procedures, or who show courage to reporting their own mistakes deserve respect. Be ready to accept that a minor infraction is less important in the bigger picture of preventing damage. For instance, the prompt reporting of a loss of an encryption component might result in a lot of recovery work, but it will also limit the chances of any unauthorized access to compromised data.
• Build security into normal work processes while making sure the reasons for having rules in place are broadly understood and are explained with brevity and clarity. Managers cannot expect users to understand the workings and theories of cyber defense. However, we can help instill in them an always-on approach to suspicious behaviors and interactions, in particular those that demonstrate signatures of a possible social engineering attack.
• Ensure that regular security messages are fact-based, relevant, kept up to date and presented in ways that are easy to access. For instance, by short pop-up messages that must be acknowledged by users. Introduce more important messages at regular team meetings.
• Ensure there are realistic ways of measuring the impact and effectiveness of security awareness messages using methods that are straightforward. Avoiding getting bogged down in metrics: there is a risk that colorful dashboards will be appreciated only as works of art, not as critical measurements of security effectiveness. In addition, too much time preparing a perfect message can undermine the overriding need for quick feedback.
By adopting these measures, a human firewall could do what a technical one could not, by standing guard against vulnerabilities, in particular those that can be exploited by social engineering attacks. A good and responsive reporting system will then give technical staff an edge in tackling technical attacks associated with these. For example, an associate who quickly reports an attempt to gain privileged information via a bogus phone call or email could enable system managers to block, track and report future phishing attempts.
If associates can be convinced that they offer this important line of defense to hackers, it will increase their feeling of value to the organization’s security defenses and help them to understand that technology needs human help.