Daily Archives: January 4, 2019

Massive data leak affects hundreds of German politicians

A number of German politicians have been the target of a massive data leak, one that contains extensive amounts of information. The data in question includes email addresses, private correspondence, passwords, phone numbers, work emails and photos, among other information, and those affected reportedly include journalists and celebrities as well as politicians. According to multiple reports, the data was leaked from the Twitter account @_0rbit -- which has since been suspended -- and the account began sharing the stolen information in December.

Via: TechCrunch

Marriott breach included 5 million unencrypted passport numbers

Marriott has good news and bad news for travelers who have passed through its hotels. The good news is the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is the data lifted from the company included millions of peoples' passport numbers.

Via: Wall Street Journal

Source: Marriott

CERT/CC Reports Critical Vulnerabilities in Microsoft Windows, Server

Original release date: January 04, 2019

The CERT Coordination Center (CERT/CC) has released information on vulnerabilities affecting versions of Microsoft Windows and Windows Server. A remote attacker could exploit these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review CERT/CC’s Vulnerability Notes VU#289907 and VU#531281 and Microsoft’s security advisories for CVE-2018-8611 and CVE-2018-8626 and apply the necessary updates.


CVE-2018-20673 (binutils)

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.

Vidar and GandCrab: stealer and ransomware combo observed in the wild

We have been tracking a prolific malvertising campaign for several weeks and captured a variety of payloads, including several stealers. One that we initially identified as Arkei turned out to be Vidar, a new piece of malware recently analyzed in detail by Fumik0_ in his post: Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis).

In Norse Mythology, Víðarr is a god and son of Odin, whose death it is foretold he will avenge. Being referred to as “The Silent One” seems to be fitting for this stealer that can loot from browser histories (including Tor Browser) and cryptocurrency wallets, capture instant messages, and much more.

We witnessed a threat actor using the Fallout exploit kit to distribute Vidar. But victims won’t notice that as much, as the secondary and noisier payload being pushed is GandCrab ransomware.


A malvertising chain leads us to the Fallout exploit kit followed by what we thought was an Arkei stealer. Upon closer look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a newer and, at the time, not yet publicly described piece of malware now identified as Vidar.

Beyond Vidar’s stealer capabilities, we also noticed a secondary payload that was retrieved from Vidar’s own command and control (C2) server. The infection timeline showed that victims were first infected with Vidar, which tried to extract confidential information, before eventually being compromised with the GandCrab ransomware.

Malvertising and Fallout exploit kit

Torrent and streaming video sites drive a lot of traffic, and their advertising is often aggressive and poorly regulated. A malicious actor using a rogue advertising domain is redirecting these site visitors according to their geolocation and provenance to at least two different exploit kits (Fallout EK and GrandSoft EK), although the former is the most active.

Stealers such as AZORult seem to be a favorite payload here, but we also noticed that Arkei/Vidar was quite common. In this particular instance, we saw Vidar being pushed via the Fallout exploit kit.


It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.

Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.

Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.

This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information.txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.

GandCrab as a loader

Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Pro-Managed
Content-Length: 51


Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04.
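As an added example (not code from the Malwarebytes post), the following Python sketches the detection side of the two behaviours described above: recognising the stealer's plaintext HTTP POST by the ZIP archive carrying information.txt in its body, and interpreting the loader reply, which is either the literal "ok" or a direct payload URL. The request is constructed inline; the host, path, Content-Type and every file name other than information.txt are assumptions for the example, not captured Vidar traffic.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
URL_RE = re.compile(rb"^https?://\S+$")


def build_sample_post():
    """Constructed sample of the kind of plaintext POST described above: a ZIP
    archive holding information.txt plus stolen data, sent unencrypted. The
    host, path and file names are assumptions, not captured Vidar traffic."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("information.txt",
                    "OS: Windows 10\nIP: 198.51.100.7\nCountry: XX\nISP: ExampleNet\n")
        zf.writestr("passwords.txt", "https://shop.example.invalid|user|hunter2\n")
    body = archive.getvalue()
    headers = (b"POST /upload HTTP/1.1\r\n"
               b"Host: c2.example.invalid\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


def inspect_exfil_post(raw):
    """Return (suspicious, entry_names) for one raw HTTP request.

    'Suspicious' means: a POST whose body carries a ZIP archive that contains
    information.txt, the profile file the stealer packs with the loot. Any
    other request, or a body that is not a valid ZIP, yields (False, [])."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return False, []
    offset = body.find(ZIP_MAGIC)  # archive may sit inside a multipart field
    if offset < 0:
        return False, []
    try:
        with zipfile.ZipFile(io.BytesIO(body[offset:])) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, []
    return "information.txt" in names, names


def classify_loader_response(body):
    """The C2's loader reply is either the literal 'ok' (no second stage for
    this profile) or a direct URL to fetch and run. Returns None for 'ok', the
    URL for a URL, and raises on anything else so odd replies are not ignored."""
    reply = body.strip()
    if reply == b"ok":
        return None
    if URL_RE.match(reply):
        return reply.decode("ascii", "replace")
    raise ValueError("unexpected loader response: %r" % reply[:40])


if __name__ == "__main__":
    print(inspect_exfil_post(build_sample_post()))
    print(classify_loader_response(b"ok"))
```

ZIP-over-POST is common in legitimate uploads, so in production this check would be one signal alongside destination reputation and the fact that the traffic is plain HTTP from a host that does not normally upload archives.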

Ransomware as a last payload

While ransomware experienced a slowdown in 2018, it is still one of the more dangerous threats. In contrast to many other types of malware, ransomware is instantly visible and requires a call to action, whether victims decide to pay the ransom or not.

However, threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data. But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.

As a result, victims get a double whammy. Not only are they robbed of their financial and personal information, but they are also being extorted to recover the now encrypted data.

Malwarebytes users are protected against this threat at multiple levels. Our signatureless anti-exploit engine mitigates the Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit. We detect the dropped stealer as Spyware.Vidar and also thwart GandCrab via our anti-ransomware module.


Many thanks to Fumik0_ and @siri_urz for their inputs and Vidar payload identification.

Indicators of Compromise (IOCs)

Vidar binary


Vidar C2


Loader URL (GandCrab)


GandCrab binary


The post Vidar and GandCrab: stealer and ransomware combo observed in the wild appeared first on Malwarebytes Labs.

Town of Salem hack exposes details of 7.6 million gamers

Just before Christmas, hackers managed to break into a database belonging to a popular online game and steal the details of over seven million players.

BlankMediaGames, makers of the browser-based game “Town of Salem”, has sent an email to players warning that personal information stolen by the hackers may include email addresses, full names, postal addresses, usernames, encrypted passwords, forum activity, IP address, and game activity.

Fortunately, BlankMediaGames uses a third party to handle payments and so does not hold payment card data itself, which denies the attackers the most direct way to monetise the breach.

Nonetheless, there’s plenty of opportunity for the hackers to still exploit the stolen data. For instance, phishing campaigns could be sent out to players pretending to come from the game, using gamers’ names and email address to make the message look more convincing.

And you shouldn’t assume that just because your Town of Salem password was “encrypted” it hasn’t been compromised. In a forum post, BlankMediaGames reveals that the passwords “were stored as a salted MD5 hash”.

MD5 is a fast general-purpose hash, not a password-hashing function. A salt stops a single precomputed table from covering every account, but an attacker holding the leaked salts can still test billions of candidates per second per hash on commodity GPU hardware, so weak and common passwords are likely to be recovered quickly.
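To make the point concrete, here is an added example (not from the original article) contrasting the scheme the company described with a hash designed for password storage. The salted MD5 records and the wordlist are constructed; the concatenation order md5(salt + password) and the salt length are assumptions, since the forum post did not state them.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: three accounts whose passwords are stored as
# md5(salt + password), the scheme the post describes. The concatenation
# order and salt length are assumptions; BlankMediaGames did not publish them.
SAMPLE_SALTS = [b"a9f3", b"77c1", b"e0d2"]
SAMPLE_PASSWORDS = ["salem2018", "letmein", "townofsalem"]


def salted_md5(salt, password):
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_leaked_records():
    """What an attacker holds after the breach: (salt, hex digest) per user."""
    return [(s, salted_md5(s, p)) for s, p in zip(SAMPLE_SALTS, SAMPLE_PASSWORDS)]


# Constructed wordlist; real attacks use lists of hundreds of millions of
# entries plus mangling rules.
WORDLIST = ["password", "123456", "qwerty", "letmein", "salem2018", "dragon", "townofsalem"]


def crack_salted_md5(records, wordlist):
    """Offline dictionary attack. The salt defeats a single precomputed table,
    but MD5 is so cheap that recomputing every candidate per user costs almost
    nothing. Returns {salt: recovered password}."""
    recovered = {}
    for salt, digest in records:
        for candidate in wordlist:
            if hmac.compare_digest(salted_md5(salt, candidate), digest):
                recovered[salt] = candidate
                break
    return recovered


def slow_hash(salt, password, rounds=200_000):
    """How the same passwords should have been stored: a deliberately slow,
    salted KDF (PBKDF2-HMAC-SHA256 here because it is in the standard library;
    bcrypt, scrypt or Argon2 are equally good choices)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def new_salt():
    return os.urandom(16)  # per-user random salt; 16 bytes is plenty


def guesses_per_second(hash_fn, seconds=0.2):
    """Rough single-core throughput, to make the cost difference concrete."""
    salt, n = b"bench", 0
    deadline = time.perf_counter() + seconds
    while True:
        hash_fn(salt, "candidate")
        n += 1
        if time.perf_counter() >= deadline:
            break
    return n / seconds


if __name__ == "__main__":
    print(crack_salted_md5(make_leaked_records(), WORDLIST))
    print("md5 guesses/s:    %.0f" % guesses_per_second(salted_md5))
    print("pbkdf2 guesses/s: %.0f" % guesses_per_second(slow_hash))
```

Run as a script, the dictionary attack recovers all three sample passwords instantly, and the throughput figures show the slow hash costing several orders of magnitude more per guess in pure Python on one core; the gap is far larger once the attacker moves MD5 onto GPUs.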

In short, you would be wise to reset your Town of Salem password *and* also ensure that you are not reusing the same password anywhere else on the internet.

BlankMediaGames says it has removed three suspicious PHP files from its server that allowed the hackers to gain access, and has asked its hosting provider to run a malware check across all of its servers.

Furthermore, it says it has put in place additional security measures to protect players better in future, and is liaising with law enforcement.

Whether that will be enough to allay the fears of gamers remains to be seen.

One clear lesson that all companies could learn from this incident is the need to recognise that a security breach can happen at any time.

It appears that despite emails and calls to BlankMediaGames between Christmas and New Year from individuals who knew about the breach, nothing has been said publicly until now.

BlankMediaGames is, of course, a small company. But online firms cannot afford to rest when it comes to security issues. There’s a reason why hackers often like to strike during the holidays or at the weekend.

CVE-2018-1888 (i_access)

An untrusted search path vulnerability in IBM i Access for Windows versions 7.1 and earlier on Windows can allow arbitrary code execution via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. IBM X-Force ID: 152079.

Skype flaw grants access to the photos on your Android phone without a passcode

A design flaw in Microsoft’s Skype app can be exploited to grant access to the data on your Android phone without passcode authentication, a researcher has shown.

Kosovo-based bug-hunter Florian Kunushevci demonstrates in a YouTube video how Skype can be manipulated into accessing private data, including photos on the phone, without unlocking the handset. All one has to do is gain physical access to the phone and answer a Skype call on it. From there, the user can access contact information, as well as the photo gallery through the app’s file sharing function.

“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should,” he explained to The Register. “Then I had to change the way of thinking as a regular user into something that I can use for exploitation.”

While the flaw could tempt a suspicious spouse to look through their partner’s phone, it is more of a design oversight than anything. Kunushevci himself tells the publication, “For the specific bug that I have found on Skype, it is more of a bad design and also a bug in coding. I think to put it all together, humans make mistakes.”

A responsible bug-hunter, Kunushevci alerted Microsoft to the bug and waited for the company to patch the bug before he disclosed it. That doesn’t mean it can’t still be exploited. Anyone who hasn’t updated their Android Skype app in over a month is at risk. Only the latest versions of Skype, issued December 23, are safe to use. And because Skype versioning differs between Android versions, everyone must be sure to be on a version number above over

Apple wants to stop you from using dangerous USB-C devices

Apple wants to make it harder for its customers to use cheap USB-C cables — and it’s for your own good.

The risks of USB-C cables

Cables are complicated, and that’s why friends don’t let friends connect cut-price or otherwise unverified USB-C cables to their systems — and soon, you won’t be able to.

Apple has warned its users to avoid using low-quality equipment for years. It was only in 2016 that it was revealed that hundreds of chargers at that time sold on Amazon and advertised as being made by Apple were in fact dangerous fakes.


This Week in Security News: Spyware and Data Breaches

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a spyware that disguised itself as an Android application to gather information from users. Also, find out the biggest global data breaches of 2018 and how millions of personal records were compromised last year.

Read on:

Server Security for the Modern IT Ecosystem

The combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity and difficulties.

Cyberattack Targets Newspapers in US, Prevents Some From Publishing

Several U.S. newspapers came under attack from apparent hackers, preventing some from printing and distributing their daily editions. 

Spyware Disguises as Android Applications on Google Play

Trend Micro discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users. 

PewDiePie Propaganda Hackers: We Exposed 72,000 Chromecasts And Smart TVs

A pair of hackers have found a way to broadcast propaganda for YouTube celebrity PewDiePie because thousands of people left their Google Chromecasts and smart televisions wide open.

The Biggest Global Data Breaches of 2018

Data breaches continued to be a major issue in 2018 with a series of serious cases ranging from retailers to social networks, resulting in millions of personal records being compromised.

In High-Tech Cities, No More Potholes, but What About Privacy?

Hundreds of cities have adopted or begun planning smart cities projects, but they frequently lack the expertise to understand privacy, security and financial implications of such arrangements.

What are your thoughts on smart cities and privacy? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


What does Cybersecurity have in store for 2019?

A guest article authored by Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

In every intelligence industry there’s often a central aim: predicting the future. We collect and analyse, dissect and interpret, looking for that essential nugget that will give us the edge over our adversaries by indicating what they’ll do next. While this activity goes on 24/7/365, the end of the year encourages us to go public with forecasts to help navigate the choppy waters on the horizon. This year, because all good intelligence involves collaboration, I’ve combined my thoughts with those of our threat analysts and security strategists to give some insight into the TTPs and sectors likely to be top of the list for cyberattackers in 2019.

1. Destructive attacks and nation-state activity continue to ramp up
Geo-political tension remained high throughout 2018, bringing with it an associated uplift in cyber insurgency. The US trade war with China is undoubtedly a factor behind the recent resurgence in Chinese cyber espionage and this is set to continue. As well as espionage targeted at infiltration and data theft, our intelligence detected an escalation of attacks where the primary objective was destruction. Our most recent Quarterly Incident Response Threat Report (QIRTR) depicted a widespread adoption of C2 on sleep cycles and a high prevalence of attack victims experiencing island hopping and counter incident response.

In 2019, I’m predicting we’ll see more instances of island hopping, particularly via public cloud infrastructure. We’ll also continue to see a wave of destructive attacks as geopolitical tension continues to manifest itself in cyberspace.

2. Counter-detection gets more sophisticated
In 2019, we’ll continue to see attackers attempt to counter detection in the form of Vapor worms (fileless attacks that display worm characteristics and propagate through networks) and IoT worms. As attackers become more sophisticated in their methods, defenders will need to get more adept at spotting evidence of incursions through proactive threat hunting and analysis.

3. Breach to extortion will become common
Paul Drapeau, Enterprise Architect in our Threat Analysis Unit, believes our habit of putting our private lives online in the hands of third parties will come back to haunt us in 2019. He told me:

“Attackers have been actively using ransomware to make a quick buck by locking systems and encrypting files, but this activity could move from compromise of systems to compromise of personal lives. Breaches of social media platforms present a wealth of data to be mined by bad actors. This data could be used to correlate activities between people to find illegal, scandalous or compromising behaviour and then leveraged for traditional blackmail at scale. ‘Pay up or your spouse/employer gets copies of these direct messages,’ an example note might read. We can fight ransomware on our own networks with anti-malware tools or backups, but we depend on giant companies to protect our more personal details.”

The breach doesn’t even have to be real to result in extortion attempts, as was seen in 2018 with the mass email scam purporting to have compromising video and passwords of the victims. Imagine an attacker building on data from a breach, fabricating message contents and then demanding a “ransom” be paid. This type of attack definitely takes more work to pull off; it’s more targeted and difficult, but the payoff could be there. Victims may be willing to pay more money, and pay up more readily, when it is their real lives and reputations at stake rather than their digital files.

4. Supply-chain attacks in healthcare
When it comes to the sectors facing the highest risk, our Security Strategist Stacia Tympanick expects to see a lot more supply chain attacks occur within the healthcare industry. Healthcare is a tough attack surface to protect and could be a tempting target for nation-state actors bent on disrupting critical national infrastructure (CNI).

There is so much focus on just making sure that devices are discovered and protected on networks that managing medical devices on top of this opens up a large attack surface. The trend toward remotely managing patient conditions via IoT devices increases that surface still further; this vector could be weaponised by bad actors.

Healthcare is also starting to move to the cloud as part of the UK government’s ‘Cloud-first’ policy, so cloud providers should be evaluated under a stern eye to ensure that proper and secure procedures/processes are in place to protect patient data.

5. Steganography makes a comeback
I always like to make at least one semi-bold prediction each year, and this year I’m saying that steganography makes a comeback. Steganography is the technique of hiding secret information within innocuous images or documents and it’s an ancient practice – think Da Vinci hiding codes in the Mona Lisa. Examples of steganography are just as hard to detect in the cyber world, with code being masked in legitimate files designed to make it past scanners and firewalls. We could see steganography being used in combination with other attack vectors to create persistence and control mechanisms for malware that’s already running on a compromised network.

Whatever 2019 holds, here at Carbon Black we’ll be working 24/7 to collect, analyse and interpret the intel that will keep us a step ahead of our adversaries. Wishing you all a happy and cybersafe New Year!

Tom Kellermann, Chief Cybersecurity Officer, Carbon Black

New Year’s Resolution for 2019: Cybersecurity Must Be the Top Priority for the Board

In the year ahead, organizations must prepare for the unknown so they have the flexibility to endure unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since innovative attacks will most certainly impact both business reputation and shareholder value.

It is recommended that businesses focus on the following security topics in 2019:

• The Increased Sophistication of Cybercrime and Ransomware
• The Impact of Legislation
• Smart Devices Challenge Data Integrity
• The Myth of Supply Chain Assurance

The Increased Sophistication of Cybercrime and Ransomware

Criminal organizations will continue their ongoing development and become increasingly more sophisticated. Some will have roots in existing criminal structures, while others will emerge focused purely on cybercrime. Legitimate organizations will struggle to keep pace with this increased sophistication and the impact will extend worldwide, with malware in general and ransomware in particular becoming the leading means of attack. While overall damages arising from ransomware attacks are difficult to calculate, some estimates suggest that there was a global loss in excess of $5 billion in 2017. On the whole, the volume of new mobile malware families grew significantly throughout 2017, in particular mobile ransomware. This should be expected to continue in 2019. Email-based attacks such as spam and phishing (including targeted spear phishing) are most commonly used to obtain an initial foothold on a victim’s device. Cyber criminals behind ransomware will shift their attention to smart and personal devices as a means of spreading targeted malware attacks.

The Impact of Legislation

National and regional legislators and regulators that are already trying to keep pace with existing developments will fall even further behind the needs of a world eagerly grasping revolutionary technologies. At present, organizations have insufficient knowledge and resources to keep abreast of current and pending legislation. Additionally, legislation by its nature is government and regulator driven, resulting in a move towards national regulation at a time when cross-border collaboration is needed. Organizations will struggle to keep abreast of such developments, which may also impact business models that many have taken for granted. This will be a particular challenge for cloud implementations, where understanding the location of cloud data has often been an oversight.

Smart Devices Challenge Data Integrity

Organizations will adopt smart devices with enthusiasm, not realizing that these devices are often insecure by design and therefore offer many opportunities for attackers. In addition, there will be an increasing lack of transparency in the rapidly evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. It will be problematic for organizations to know what information is leaving their networks or what is being secretly captured and transmitted by devices such as smartphones, smart TVs or conference phones. When breaches occur, or transparency violations are revealed, organizations will be held liable by regulators and customers for inadequate data protection.

The Myth of Supply Chain Assurance

Supply chains are a vital component of every organization’s global business operations and the backbone of today’s global economy. However, a range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. In 2019, organizations will discover that assuring the security of their supply chain is a lost cause. Instead, it is time to refocus on managing their key data and understanding where and how it has been shared across multiple channels and boundaries, irrespective of supply chain provider. This will cause many organizations to refocus on the traditional confidentiality and integrity components of the information security mix, placing an additional burden on already overstretched security departments. Businesses that continue to focus on assuring supply chain security with traditional approaches, such as self-certified audit and assurance, may preserve the illusion of security in the short term but will discover to their peril that the security foundations they believed to be in place were lacking.

A Continued Need to Involve the Board

The executive team sitting at the top of an organization has the clearest, broadest view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases (defense, risk management, prevention, detection, remediation, and incident response) is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

Given the rapid pace of business and technology, and the countless elements beyond the C-suite’s control, traditional risk management simply isn’t nimble enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island

Unlocking the Power of Biometric Authentication with Behavior Analytics

There are three common authentication factors: something you know (like a password), something you have (like a smart card), and something you are (like a fingerprint or another biometric). Modern best practice recommends combining at least two of these to secure an identity at logon to digital resources, a practice known as two-factor authentication (2FA) or, more generally, multi-factor authentication.

Biometrics exploded onto the scene in 2013 with the introduction of Apple’s iPhone 5S Touch ID fingerprint scanning technology. In 2017, Apple pushed facial recognition into the mainstream with its Face ID technology, introduced as the latest authentication feature in its iPhone X model. While common in many circles for years, biometric technologies have now become widely recognized as more secure forms of authentication than the traditional password or token for a wider range of technology needs. But while we all have a unique face, fingerprints and irises, even basic biometric authentication has its limits.

Take, for example, the researcher from Yokohama National University who created a graphite mold from a picture of a latent fingerprint on a wine glass that fooled scanners eight times out of ten. Or the researchers at UNC who built digital models of faces from Facebook photos that, with 3D and VR technologies, were convincing enough to bypass four of the five authentication systems tested. Both cases show that basic biometric technology should not be considered a fool-proof security method: a fingerprint or face is a credential that can be copied, and unlike a password it cannot be changed once it has been.

Taking Biometrics to the Next Level

Fortunately, there is another form of biometrics that can be leveraged for authentication, one that is dynamic and changes continuously yet is predictable over a long period of time. This is behavioral biometrics: the way users interact with their environment. Examples include the rhythm and speed with which users type on a keyboard, or the way they move and click their mouse.

Unlike basic biometrics such as a fingerprint or facial scan, which ask for authentication at the beginning of a task but provide no ongoing oversight of what is then done, behavioral biometrics can be analyzed throughout a given activity from start to finish. Through constant analysis of these dynamic behaviors, IT security teams can identify anomalies, alerting them to a potential intrusion or misuse of identities and enabling them to act quickly to remediate.

In many cases, criminals can spend days, weeks or even months inside an IT system before being detected. Continuous analysis of behavioral biometrics cripples an attacker’s ability to stay silent within the network.
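An added example, not from the original article, of the continuous scoring this describes using a single keystroke-dynamics feature: the owner's typing rhythm is summarised at enrolment, then every window of a live session is scored against it, so a session that starts as the owner and is then taken over is flagged mid-session rather than only at logon. The interval data is invented and the one-feature z-score model is deliberately simple; both are labelled as assumptions in the code.

```python
from statistics import mean, pstdev

# Constructed sample: inter-keystroke intervals in milliseconds for one user.
# Real keystroke-dynamics products use richer features (per-digraph latencies,
# key hold times, mouse velocity and curvature); the numbers here are invented
# for the example and the single-feature model is an illustration only.
ENROLLMENT = [118, 125, 110, 131, 122, 115, 128, 119, 124, 112,
              130, 121, 117, 126, 123, 114]
OWNER_SESSION = [120, 116, 127, 113, 124, 119, 129, 115, 122, 118]
# Two normal intervals, then a different person starts typing.
TAKEOVER_SESSION = [121, 118, 240, 255, 238, 262, 247, 251, 244, 259]


def build_profile(intervals):
    """Enrolment: summarise the owner's typing rhythm. Real systems refresh
    this continuously so slow drift in behaviour does not become a false alarm."""
    sigma = pstdev(intervals)
    return {"mean": mean(intervals), "std": sigma if sigma > 0 else 1.0}


def score_window(profile, window):
    """Mean absolute z-score of a window of live intervals against the
    profile; 0 means 'exactly typical', larger means 'less like the owner'."""
    return mean(abs(x - profile["mean"]) / profile["std"] for x in window)


def monitor_session(profile, live, window=6, threshold=2.5):
    """Continuous authentication: slide a window over the session as it is
    typed and return the offset of the first window that no longer looks like
    the owner, or None if the whole session passes. Scoring every window,
    rather than once at login, is what lets this catch a session hijack."""
    for i in range(len(live) - window + 1):
        if score_window(profile, live[i:i + window]) > threshold:
            return i
    return None


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    print("owner session flagged at:", monitor_session(profile, OWNER_SESSION))
    print("takeover session flagged at:", monitor_session(profile, TAKEOVER_SESSION))
```

The threshold is the tuning knob the next section is about: set it too low and the owner's own variation (a tired evening, a different keyboard) raises alerts; set it too high and a slow, careful intruder slips under it. Production systems replace the fixed cut-off with a per-user threshold learned from the false-positive rate on the owner's own history.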

Beyond Real-Time Detection

Behavioral biometrics enables security analysts to reduce false alerts and respond to the most important security risks. These teams are often already overwhelmed by thousands of false alerts generated by their existing security solutions, making it difficult to sort through the noise. Behavioral biometrics gives analysts one of the most accurate signals for tracking potential threats, anomalies in how an identity is actually being used, with far fewer false or unnecessary flags.

As biometrics continues to gain popularity in the authentication world, it’s important to keep in mind that multi-factor authentication is critical and behavioral biometrics alone are not enough to fully protect your business. The key is to always pair behavioral biometrics with a traditional factor: a password, token, SMS verification, smart card, or physical biometric. Verifying users’ identities is critical to safeguarding today’s digital business, and two-factor authentication is vital to ensuring those identities are verified with the utmost accuracy.

About the author: Jackson Shaw is senior director of product management at One Identity, an identity and access management company formerly under Dell. Jackson has been leading security, directory and identity initiatives for 25 years.

Copyright 2010 Respective Author at Infosec Island

Weekly Update 120

And then it was 2019. Funny how quickly it gets away from you: someone posted on my 2018 retrospective blog post this week and asked why I didn't include my congressional testimony and, if I'm honest, it took me a bit to think about why as well (it was in 2017). But we're here now so it's back to business as usual blog-wise.

This week is dominated by the personal finance lessons blog post. This has gotten massive traction this week and has been read by tens of thousands of people. But perhaps what surprises me most is that out of all the feedback I've had, there's only been one negative comment. O-n-e. Frankly, I'm not even sure he actually absorbed the content as the comment was very specifically addressed in the post, but that forms one little part of everything I cover in this week's update. I also touch on the aforementioned 2018 retrospective which I've been doing these last few years as a little reminder of what I've been up to.

This is (probably?) the longest weekly update I've done so far and I do hope it helps add a bit more personality and context to that finance blog post. Do please continue to share feedback and ask questions, I've really enjoyed seeing people get motivated by it.

        1. If you're working in tech, you're in a better position than just about anyone to have a fantastic financial position (and even if you're not in tech, I hope there's a lot of valuable content here)
        2. My 2018 was surprisingly similar to my 2017 in many ways (but hidden within the travel stats was a lot more time spent with my family)
        3. DigiCert is sponsoring my blog this week, and they're talking about the impact of quantum computing on crypto (this is a genuinely fascinating aspect of infosec)

        Culture club: embedding better security behaviour beyond awareness

        Listening to Ira Winkler’s presentation at this year’s Irisscon conference, one of his comments struck a chord. “The right culture is that you don’t need a good security awareness programme because a new employee sees how everyone behaves, and they behave exactly like them,” he said.

        By way of example, he recalled an incident from his time at the US National Security Agency. He had forgotten to wear his name badge, and a colleague stopped him and told him off for not doing so. Moral of the story: he never left his badge at home again.

        Ira Winkler’s point was that the organisation was so steeped in positive security culture that workers didn’t need periodic reminders through awareness programmes. The same isn’t necessarily true of many other companies or industries. What happens if the new employee copies someone whose security ‘culture’ and habits aren’t ideal? It got me thinking about what security culture is, how you go about starting one, and then maintaining it.

        When it comes to everyone in an organisation ‘doing security’ already, I’d argue that the National Security Agency has a little bit of a head start. (The clue’s in the name.) Expectations on good security behaviour would be high.

        Say what you mean

        As a rule, company policies tell us “do good stuff/don’t do bad stuff”. Quite often, though, we need to define what we mean by good and bad.

        How granular and descriptive do those policies need to be? Forgive me for sounding like every lawyer you’ve ever met, but “it depends” (I wonder if I can copyright that phrase? 😊). If you’re working in a bank, or for an organisation that has security in its title, you have a particular set of expectations. If you’re working in a manufacturing or pharma organisation, your priorities may be different and relate more closely to whatever your product is and whatever you’re trying to protect. For a security company, having its integrity damaged could have serious consequences. For another company, a security breach might be disruptive but not fatal. The policies of either organisation, and its expectations on behaviour, are likely to differ on that basis.

        Tailoring the message

        That being said, the organisation’s maturity should never be a barrier to carrying out security initiatives. You don’t need a perfect solution (or big budget) before talking to people. For example, we often think IT people know security, but while their jargon may be similar, we shouldn’t assume knowledge on anyone’s part. By that I don’t just mean knowing the subject, but also knowing the right thing to do in a given situation. IT staff don’t necessarily read the same trade stories and visit the same industry websites that security professionals or data privacy experts do, so they don’t always understand the consequences.

        So part of the trick is to tailor the message to suit the audience. If a security practitioner is presenting to the board, the message has got to be brief and punchy. That generally means two slides at most and focusing strongly on cost and measurement to demonstrate a Return On Investment. When talking to IT staff, or to shop-floor workers, you might need a slightly different message in order to connect with their roles. That might call for fresh phrases or images rather than ones you’ve used for other groups.

        From awareness to engagement

        No matter who’s listening, you should keep the message simple. That way, you can start to move away from security awareness towards real security engagement. It’s all about making the messages personal so people ‘get it’ and it’s relevant to them. The more effectively you can do this, the sooner you can progress to the next stage, which is changing behaviour.

        This comes back to knowing your audience. The message for IT professionals might be: ‘here are examples of security controls you need to apply’. If a process is failing, maybe it needs tighter controls in place. But it’s worth doing some extra research to find out who really owns the process. Let’s take the common example of what happens to an employee’s access privileges when they leave the organisation. You might automatically think it’s the IT department’s responsibility to revoke their permissions, but it’s HR’s responsibility to tell IT that Bob or Sue doesn’t work here anymore. In the case of contractors, it might be the business line manager who’s responsible.

        In an ideal world, you want people to do the right thing because it’s the right thing to do. That’s the kind of culture Ira Winkler talked about. But to get to a stage where the good behaviour you want happens automatically, sometimes you need to enforce consequences for the behaviour you don’t want. Getting to that point will involve a balancing act between carrot and stick. Rewarding good behaviour will promote a positive culture, but if you’re starting from a place of low security awareness or culture, you may need deterrents to discourage the behaviour you don’t want.

        But let’s focus on the positives and encourage and promote “good”.

        The post Culture club: embedding better security behaviour beyond awareness appeared first on BH Consulting.