Honeynet Project Forensic Challenge #5
Every other month the Honeynet Project releases a new forensic challenge. These are captures of real attacks in the wild that the community can analyze, document and then submit for review. This is an amazing chance to learn. The Honeynet Project just released Forensic Challenge 5 – Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server. Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter. Submission deadline is September 30th and they will be announcing winners around October 21st. The top three submissions are often awarded an autographed security book published by a member of the Project.
Securing The Human – Presentation
I just finished presenting Securing The Human at SANS VA Beach. This is a brand new version of the presentation with a great deal of new content. One of the things I focused on was how organizations invest so much in protecting computers, and yet so little in protecting humans. However, if you think about it, this just does not make sense. Humans are just like any other operating system; we store, process and transfer information. Just like any other operating system, we have our own unique set of vulnerabilities. For example, we are very bad at judging risk. In addition, the Internet makes it very difficult for humans to authenticate who is communicating with us. Unfortunately, so little has been done to mitigate these vulnerabilities that we, and not technology, are now the weakest link. The state of human security is currently at the same level Windows 95 and Windows NT were when they first came out.
However, there is good news. Humans, just like other operating systems, can be patched. We can reduce human vulnerabilities with effective security awareness training. The challenge is developing and implementing an effective program. To be effective, we discussed the three key pillars of an awareness program: WHO, WHAT, and HOW. By answering these three questions you will have the foundation for an effective program. Want a copy of the presentation? Grab a copy here. Missed the presentation? Come to SANS Network Security in Las Vegas, 19-27 September. Would you like me to come out to your organization and present? Just let me know.
SANS VA Beach
I’ll be presenting Securing The Human at SANS VA Beach this Sunday. If you are in the area, let me know and let’s meet up. I’m always looking for suggestions, lessons learned or any other ideas related to security awareness and the human factor.
Tron and Security Awareness
One of the challenges in any effective awareness program is how to communicate to your audience. There are some major challenges to consider here. Two of the most common I run into are creating something that employees want to watch, and at the same time creating something that works regardless of nationality or culture.
1. Entertaining: We need a message that keeps people’s attention. If they are bored or turned off by the medium, then they will not pay attention. It is kind of hard for people to learn when they are not even listening to what you are saying. This is especially challenging with the new Web 2.0 or YouTube generation. They are used to fast and furious information in small sound bites.
2. Nationality/Culture: We need a message that works for diverse nationalities and cultures. This is especially challenging for large organizations that span the globe. People listen and learn better when they feel the training is designed for their cultural norms. Employees in Europe don’t want to see American-centric training showing American people in American offices. People in the Middle East have a different definition of what is acceptable and a cultural norm than people do in Nordic countries. And don’t even get me started on trying to use humor. One solution is to create awareness content that is specific to different cultures, but this does not scale. Not only do you have to create many different awareness solutions, but it becomes a nightmare to update.
My inspiration and solution? Tron. Yes, the Disney film from 1982 (yes dear reader, some of us are truly that old to remember seeing this in the theatre). This movie is perfect in so many ways. First, the film takes place in cyberspace, within a computer. What better environment than that for security awareness. Second, the fact that everything takes place in cyberspace creates a national or cultural neutrality. You can’t tell what country, religion, or nationality someone is from in a computer generated environment. By using such cyber imagery, you create a single set of resources that work for almost anyone, greatly reducing cost while increasing effectiveness.
Every time I watch this movie I’m amazed at how creative the filmmakers were, especially considering how limited computer processing was in 1982. Even more astonishing, the Academy Awards in 1982 refused to consider Tron for best special effects because they ‘cheated’ by using computers. That is what you get for being cutting edge.
On a side note, almost 30 years later Tron 2 comes out at the end of this year. More inspiration!
Capture The Flag – Followup Interview
In my last post I covered some of the great work the team at social-engineer.org did with their Human Capture The Flag at Defcon this year. What better way to generate awareness about the human factor than to actually show real social engineering attacks live. What is amazing is not that all the attacks were successful, but that everyone was successful even though they had numerous legal and ethical rules and limitations applied, something no real attacker even considers. I asked Chris Hadnagy, the brains behind the event, some questions about the CTF and what he learned. This is what he had to share with the community. The one thing that surprised me the most was the success attackers had against male victims versus female ones. Sounds like us guys are much easier to sucker.
5. What was the coolest social engineering hack / kung-fu you saw at your CTF?
We saw a couple things that really stood out. First, one contestant didn’t ask any direct questions. He approached the competition by asking indirect questions. Things like, “Are you still using IE 6 or did they get you on 7 yet?”. Another one was after a contestant was turned down twice to answer any questions the contestant said “If you could help me out, it would make me FEEL better…” the target gave in and gave up A TON of information. Final interesting fact, we had one contestant boldly say, “I hope I get a female because they are easier to social engineer.” Yet out of the 140 phone calls we made that weekend we had only 5 people reject us or not answer questions. All 5 were women. Bravo to the women for being more security conscious.
Capture The Flag – Human Style
One of my favorite security events to attend every year is the Blackhat security conference. This is an annual event held every July/August in sunny Las Vegas, United States. Not only are there a tremendous number of talks from leading security researchers, but great opportunities to meet and network with your peers. In addition, with every Blackhat conference comes Defcon, the infamous underground event, which in many ways is a rite of passage for every security professional; you have to experience it at least once. What is great about Defcon is it provides the perfect venue to try out new ideas. One really stood out this year: the Social Engineering Capture the Flag, sponsored by the guys at Social-Engineer.org. Capture The Flag is a traditional event at Defcon where competing teams attempt to hack into networks (or each other). While this has been going on for years, this year’s CTF event was the first where attackers used social engineering to ‘hack’ their way into real corporations. Contestants competed to see who could use the most persuasive social engineering techniques to extract the most information from organizations. I was very excited about this for several reasons.
- First, the security community is beginning to realize it’s not all about technical exploits. Cyber attackers are bypassing most technologies and targeting the human. Events like this dramatically demonstrate this. Events like this also demonstrate the need for addressing the human factor.
- Gaining information on human based attacks is difficult. Events like this help create a baseline of what the most effective techniques are and why.
Chris Hadnagy and the team at Social-Engineer will be releasing a detailed report in the coming weeks. However, Chris was kind enough to share with me some of his thoughts from the event. Tomorrow I’ll post some of the key lessons he feels we should take away from this.
Security Awareness Partnership
Folks,
I am thrilled to announce that Honeytech and SANS have partnered to offer the absolute best in security awareness solutions. Many of you may already know about SANS, the world’s leader in information security training. Any SANS student knows they have the most skilled and experienced instructors from around the world. As you may also know, we at Honeytech pride ourselves in providing the latest in security awareness solutions. We are now combining the resources of these two organizations to become the world leaders in security awareness.
We are already moving at an amazing pace; expect to see some very exciting developments in the coming months. Meanwhile, if you have any questions feel free to email me at my new email address, lspitzner@sans.org.
What Is an LMS?
One of the most common questions I get working on security awareness programs is “What is an LMS and why do I care?” Let’s take a moment and answer that question. Most security programs have two shared goals. The first goal is to change the behaviors of employees, to create a more secure environment. If employees are aware they are a target and know what they can do to protect themselves, organizations will be less likely to be compromised. The second goal is compliance, to meet certain standards or regulations that require an awareness program, such as PCI DSS or ISO 27001. Such standards require organizations to prove they have an active awareness program and document which employees have been through the training. This is where an LMS comes in.
An LMS (Learning Management System) is really nothing more than a software application used to manage, distribute and track online training. Organizations take their security training videos and then load them into their LMS (or one hosted by someone else). Each employee is then given a login and password to the LMS. They are then required to log in to take the training. As a result, organizations can now track who took what training when, and if there are quizzes, what the employee’s score was and if they passed. That’s it. Some LMSs have far more advanced functionality (such as offering courseware at universities) but for the world of security awareness this is usually what I see it used for. There are many different vendors for LMS software (including open source versions). To ensure interoperability they all share a standard called SCORM. If you are considering using an LMS, make sure your security training is SCORM compliant.
Still confused or want to try out an LMS? Just shoot me an email and I’ll be happy to give you an LMS account to try.
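To make "SCORM compliant" concrete, here is an added example (not code from the original post) that performs a structural sanity check on a SCORM 1.2 package manifest, the imsmanifest.xml file an LMS reads to learn which modules (SCOs) a course contains and how to launch them. The manifest embedded below is a constructed, deliberately simplified sample with one broken item; real vendor packages carry more metadata, and this check is not a substitute for the ADL conformance test suite. The function and its findings are this example's own, not any LMS vendor's API.

```python
"""Structural check of a SCORM 1.2 imsmanifest.xml (added example)."""
import xml.etree.ElementTree as ET

# Namespaces used by SCORM 1.2 content-package manifests.
IMSCP = "http://www.imsproject.org/xsd/imscp_rootv1p1p2"
ADLCP = "http://www.adlnet.org/xsd/adlcp_rootv1p2"
NS = {"imscp": IMSCP, "adlcp": ADLCP}

# Constructed sample: a two-module awareness course plus one item whose
# resource was never declared (a package that would upload but not launch).
BROKEN_ITEM = '<item identifier="item3" identifierref="res_missing"><title>Broken module</title></item>'
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<manifest identifier="awareness-course" version="1.0"
          xmlns="{IMSCP}" xmlns:adlcp="{ADLCP}">
  <metadata>
    <schema>ADL SCORM</schema>
    <schemaversion>1.2</schemaversion>
  </metadata>
  <organizations default="org1">
    <organization identifier="org1">
      <title>Security Awareness</title>
      <item identifier="item1" identifierref="res_phishing"><title>Phishing</title></item>
      <item identifier="item2" identifierref="res_passwords"><title>Passwords</title></item>
      {BROKEN_ITEM}
    </organization>
  </organizations>
  <resources>
    <resource identifier="res_phishing" type="webcontent"
              adlcp:scormtype="sco" href="phishing/index.html"/>
    <resource identifier="res_passwords" type="webcontent"
              adlcp:scormtype="sco" href="passwords/index.html"/>
  </resources>
</manifest>
"""


def check_manifest(xml_text):
    """Return (ok, findings). ok is True only when no problem was found."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IMSCP}}}manifest":
        return False, ["root element is not an IMS content-package manifest"]

    # An LMS keys its import logic off the declared schema version.
    schema = root.findtext("imscp:metadata/imscp:schema", namespaces=NS)
    version = root.findtext("imscp:metadata/imscp:schemaversion", namespaces=NS)
    if schema != "ADL SCORM" or version != "1.2":
        findings.append(f"unexpected schema/version: {schema!r} {version!r}")

    orgs = root.find("imscp:organizations", NS)
    if orgs is None:
        findings.append("no <organizations> element")
        return False, findings
    default = orgs.get("default")
    org_ids = [o.get("identifier") for o in orgs.findall("imscp:organization", NS)]
    if default not in org_ids:
        findings.append(f"default organization {default!r} is not defined")

    # Every launchable item must reference a declared SCO with a launch URL;
    # otherwise the LMS has nothing to run and nothing to record completion for.
    resources = {
        r.get("identifier"): r
        for r in root.findall("imscp:resources/imscp:resource", NS)
    }
    for item in root.iter(f"{{{IMSCP}}}item"):
        ref = item.get("identifierref")
        if ref is None:
            continue  # container item (a folder in the course tree), nothing to launch
        res = resources.get(ref)
        if res is None:
            findings.append(f"item {item.get('identifier')!r} references missing resource {ref!r}")
        elif not res.get("href"):
            findings.append(f"resource {ref!r} has no launch href")
        elif res.get(f"{{{ADLCP}}}scormtype") != "sco":
            findings.append(f"resource {ref!r} is an asset, not an SCO; completion cannot be tracked")
    return not findings, findings


if __name__ == "__main__":
    ok, problems = check_manifest(SAMPLE_MANIFEST)
    print("compliant" if ok else "problems found:")
    for p in problems:
        print(" -", p)
```

Run it against the sample and it flags the third item, whose resource is missing; remove that item and the package passes. The point of the check is the one the post makes about compliance tracking: if the manifest does not wire every module to a launchable SCO, the LMS can neither deliver the module nor record who completed it.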
Security Awareness – Lost In Translation
One of the things I absolutely love about security awareness is how I’m constantly learning about human behavior and the challenges when dealing with different cultures. One example is language: many things we may take for granted in our native language can be very different in other languages or cultures. If you are a large organization, or if your security awareness program encompasses many different groups, these differences become a big issue. One of my favorite examples is the concept of Safety versus Security. In English these two words address two different concepts. Safety is focused more on environmental or accidental threats, such as storms, earthquakes, car accidents, food poisoning, etc. Security is more focused on deliberate threats, such as cyber criminals or malicious insiders. Most awareness programs focus on deliberate threats, i.e. Security. At this point, if you are a native English speaker you are probably asking yourself what the big deal is. The challenge comes when you start translating these concepts into other languages. In many languages, especially European ones, Safety and Security are actually the same word. Seriously, go to translate.google.com and try these two different words in other languages such as German, Spanish, Norwegian or Polish. If you design your awareness materials in English, you may confuse users if your materials are literally translated into other languages. For example, the term “Securing The Human” may sound in Dutch like how to walk in the Netherlands safely without getting run over by crazed bicyclists (if you have ever been to the Netherlands you know what I mean :). It is challenges like these that require you to have people who really understand the local cultures and languages.
By the way, another lesson learned. Humor does not translate well into other languages. If your awareness training will be used in many different cultures, be very careful how you use humor. I learned this the hard way in Japan at a presentation I did. What favorite stories do you have about things Lost In Translation?
Teaching at Blackhat In Las Vegas
I’ve just finished updating the content for my upcoming two day class Securing The Human at Blackhat Vegas next month. If you or anyone you know is interested in learning how to address the human factor, this is the class for you. I’ve updated about 60% of the course with new content, based on lots of lessons learned in the past twelve months. If you have any questions about the class just email me. If you are not attending the class, but are still attending the conference, let me know and let’s meet up. Blackhat is one of the best places to meet other people in this field and learn from each other. First round on me!