Living In The Security Echo Chamber

I’ve previously touched upon the importance of security awareness as, possibly, the most important part of the job for security people but I wanted to come back to this subject due to a recent experience.

I’ve been working on a specific awareness project to tackle the big security bogey man — the Ransomware. There are a few reasons infosec people are worried about this one, but the gist of it is:

  • It’s difficult to detect and, typically, when you detect it, it’s already too late.
  • It’s very difficult to prevent.
  • Once your files get encrypted, if you don’t catch it in time, you’ll have a company full of people scratching their heads in front of a screen saying “all your files are belong to us”.
  • If you don’t have a really good backup regimen, you’re basically fracked.
  • (and even then you’ll be losing time, data and whatever is left of your hair).

As with most attacks on IT systems, the human link is the easiest to break. 
Got an email from Winnie Mandela? I’ve actually expected that! 
Someone sends you a request to help him save the fortune of a late prince? Seems legit. 
You have a new shipment-you-never-ordered-tracking-number? Click it. Click it like you mean it.

Score.

95% of the human factor when you ask them if they know Winnie Mandela.

So there I was again, creating a brand new awareness program to once more beg the human factor to be smart (or at least curtail their clicking) to prevent future headaches. This time I thought I would do something different and present what actually happens in the back alley of your computer when you click that ominous link. I got a creative company on board and we got cracking on the initial brief.

And then I had the following interesting conversation:

Me: *over-enthusiastic* AND THEN WE SHOW THEM WHAT HAPPENS WHEN A RANSOMWARE INFECTS YOUR MACHINE

Creative Bunch: err… what’s a Ransomware?

Me: *HEAVY PANTING* — What do you mean what’s a Ransomware? You know, that virus that encrypts all of your stuff?

Creative Bunch: …never heard of it?

Me: *STROKING* — WHAT ARE YOU SAYING?! THIS HAS BEEN ALL OVER THE NEWS?!

Creative Bunch: …sorry?

Chuck being over enthusiastic. I don’t look anywhere that good when I am.

Now, at this point I’d been reading about Ransomware every single damn day. Every security and technology paper or magazine was spinning up tragic articles about people losing their pictures, paperwork, memories and sanity to the evil cyber-hijackers. Even the mainstream media started giving more attention to the new kid on the IT block. Security professionals were sweating, security vendors were frothing at the mouth. And the public?

The public was mostly indifferent.

Fast forward a few weeks, I was giving training to a group of IT first-line support staff. And one of the subjects I was rambling about was Ransomware. 
“There”, I thought to myself. “Finally serious people that will know stuff. I will say the magic word, and their pupils will widen in sheer terror, as it should be”.

Confident, I said — “How many of you have heard about Ransomware?”

About 40% of the audience raised their hands.

I was shocked — “BUT THE NEWSPAPERS, THE MAGAZINES, THE TERRIFIED MASSES? THE FROTHING VENDORS?”

Shrugs all around. Yes, some of them had heard of it; most of them didn’t think it was all that interesting.

We’ve heard about that stuff. We’re not impressed.

Fast forward even more weeks. I spent a day with a security professional services company, during which we had a session with one of the best threat intelligence professionals in the industry. I mentioned the two occurrences above. And the guy was amazed. The audience (all security people) were amazed. Murmurs of disbelief were heard around the table: “…but the massive infections, the terrified people, the frothing vendors?”. No one could believe it.

The public didn’t know.

Worse, the public didn’t care.

You and I, my imaginary friends, live in a security “Echo Chamber”. We talk between ourselves, we thrive on our perceived intelligence and on the fact we are part of the CYBER INDUSTRY, we keep going to expensive and, in many cases, repetitive conferences — most of them doing the same: make security people talk with other security people, ever feeding our growing paranoia.

Which brings me to the main point I’m trying to convey to the good people of the cybergeekdom:

Supposition: you think all the threats you’re dealing with are known, at least at a high level, by most people.

Fact: there is a reason most people still relate to most security threats as “viruses”. They haven’t got past “Friday the 13th”.

Supposition: you are certain that IT personnel know most current security threats, at least in their areas (e.g. infra people will know how to configure firewalls properly, developers know the basics of secure coding).

Fact: most IT people think it’s not their problem, it’s yours. That is why most firewall-related issues are solved with an any-any rule and the OWASP Top 10 didn’t change much for so many years.

Supposition: you are certain that most people care about security threats and relate to them.

Fact: most of them don’t give a damn. They believe that antivirus software solves 90% of the problem.

What can we do (I hear all my imaginary friends whimper in my head):

Stop assuming knowledge, stop talking in technobabble. Invest in awareness and training. Tell your staff what security is and why they should personally care about it. Take it to their level and show them how it can derail their personal life if they’re not too careful (I’ve written about this in more detail here).

Don’t assume that because your Twitter feed is full of panicking professionals talking about this malware and that injection, 95% of the world population has heard about it.

Don’t assume that just because a hysterical salesperson told you that he has a solution that gives you 100% PROTECTION FROM RANSOMWARE GUARANTEED AND IT’S CYBER CLOUD PROOF WITH SOC AS A SERVICE AND BLINKING BLUE LIGHTS you can skip teaching staff members about the basics of security.

And most importantly, don’t assume that just because other people don’t deal with security or understand technology they are dumb.

They are much smarter than you: they didn’t choose security as a career path.

And here is a thought before we part — isn’t it about time we have a few conferences that target end users? Home users? Non-security IT people? Maybe if we step away from overcomplicated lectures and make it a bit more interesting for everyone, we’ll get somewhere.

Don’t be this guy. Be Chuck.

(The word Cyber has been used 5 times in this article, including this line. I’m sorry).