Security Awareness: The Good, the Bad, the Ugly

Recently a very smart person wrote an opinion piece arguing that security awareness is useless.

That started an entire flurry on Twitter and eventually several responses, such as @Krypt3ia's response here. Then there was @iiamit's response here, which resulted in @jadedsecurity's response, which is here.

Everyone in this discussion has made salient points. First, compliance training (the training you get once a year) does not work. No one bothers to explain why it doesn't work; they just launch into what you should do instead.

So let me try to explain why this doesn't actually work. The human brain is wired in such a way that we are gigantic assumption engines. We have an entire neural framework designed to assist with this, known as the mirror neuron network. Referred to as the "mind reading" neuron, its primary function is to allow you to empathize with someone else's actions in order to determine their intent and ultimately their relationship to you and your desires. We use this system constantly. Every time someone reaches for the salt, our brains mimic that action internally with mirror neurons and we think, "They are going for the salt."

Why do I bring this up? To illustrate how often we assume without realizing it. Imagine if you failed to assume that gravity will always work. Every step you took would require thinking: "Is there gravity? Can I trust gravity? Will my next step have gravity?"

Secondly, these assumptions allow us to filter common events from abnormal events when survival requires it. We don't notice the fence day after day, but we do notice when the fence suddenly has a hole in it. You may or may not notice when someone gets a haircut or a new shirt, but you always notice if they suddenly have, say, crutches or are in a wheelchair.

Now put those two concepts together and you end up with something in psychology known as "repetitive task fatigue", which basically means the more times you do something the less attention you pay to that task. This is a critical problem on production lines, where a simple inattention to detail can literally cost a life or a limb. The military also suffers from this while members are on guard duty: a guard spends 99% of their time watching "nothing" and gets lulled into "a false sense of security". There are several metaphors in the language that support this concept.

This is why training users once a year is ineffective. It is also the reason users click on the link no matter how many times you tell them not to. YOU told them not to once; they have clicked on links THOUSANDS of times with no negative effect, so the brain has essentially said, "This is fine, nothing bad ever happens, please focus on something else."

This brings us to the concept people like to throw around called "reinforcement", whereby the more often you are exposed to the differing effects of actions, the less the brain assumes about the effect those actions might have.

Now there are right and wrong ways to use reinforcement, and I will say I rarely see it done correctly, or at least correctly for the right reasons.

There is more to reinforcement than occasionally tricking the user with a new phishing email every couple of months. You have to give them differentiators to key into so that they can use those to assess the action they are about to perform.

If every action they perform becomes a 50/50 good vs. bad call, you are simply producing decision anxiety, which is detrimental and, in the case of specific psychological profiles, may cause panic attacks or other aberrations.

Secondly, you have to build a social construct of forgiveness and reward for self-reporting. It isn't enough for a user to have clicked on the link and been told that it could have been bad. You have to instill the desire to report that they clicked on something. In the end we are human and we will make mistakes; the idea is to recover from those mistakes as soon as possible.

This is meant as an addition to the discussion, so it does not replace the valid points already made about how to implement an SA program or the elements it requires. It is simply a more in-depth look at why those techniques are needed.

So in conclusion,

1) Users click constantly, and occasionally pointing out that it could be bad is insufficient.

2) Reward people for reporting mistakes and encourage open discourse.

3) Brand your communications so that users have something to look for that differentiates external from internal communications.

This gives users the best cognitive training, because it works with their natural tools for assessing risk.

Priming the psychological path of least resistance

@turbogrrl and I were discussing priming as it relates to generic information and the perusal of things like Fox News or other polarizing information sites. Her statement was along the lines of: you can't protect yourself from priming, so you should be careful about what you digest.

What is priming? It's fairly simple: the brain, like anything else, only works as hard as it has to. Priming is putting a memory into someone's brain so that later, when they are asked to recall something, that memory is more likely than not to pop up.

For example, if you read a list of words and one is slightly off center, so it looks like:

[image: the word list]
And then later (within a specific period of time, typically a few hours) I ask you for a color. If no other context presents itself, you will more than likely say yellow. You are even more likely to say yellow if I say, "Please give me a word that begins with y or ye."

The reason? You have to think really hard to find words that begin with y, and even harder for words that begin with ye, and the recent experience with the word yellow makes answering that much easier.

So if someone asks you a question and you choose to think about it critically, these priming tricks don't work. They rely completely on you taking the path of least resistance, because typically the question doesn't carry heavy context for you.

I am, for example, not asking you to name your child (heavy context), where you would think hard and decide based on subjective experience, logical deduction and emotional resonance.

I couldn't convey this on Twitter but decided the logic was interesting enough to spell out here.

As always, I enjoy comments (the constructive kind), abuse (the witty kind) or love (the abstract kind).

The first platform independent virus coming to a browser near you

I've been thinking a great deal about cloud security recently. The more I delve into it, the more complicated the security risks become. There is a great deal of information out there on various aspects of cloud security, but one I have recently become interested in is the first platform independent virus.

Traditional viruses, worms and other malicious software typically attempt to use some vector to violate the integrity of the operating system. Thus most controls go into protecting the operating system from the programs it runs, i.e. Microsoft's UAC or Linux's su/sudo paradigm.

However, as I was thinking about the cloud, and after a discussion with Rafal Los (@Wh1t3Rabbit) about a keynote talk he is going to give, something became clear.

If the cloud is accessed through the browser, then it is eventually going to normalize the code between browsers and platforms. As anyone in software development can tell you, a single code base is ideal, so this is inevitable. While we have had cross-platform languages before (Java, etc.), the underlying processing was still done at the OS level.

Soon it is going to be done within the browser, and the OS itself is going to be a secondary component used for other tasks. This means that someone could conceivably write a malicious program that executes on OS X, Linux and Windows alike, by virtue of them all running a flawed common code base relating to the cloud.

Secondarily, it is no longer necessary to attack the operating system, because the data and information you want reside in the browser and in its interaction with the upstream cloud functions.

So this entire malicious code structure would exist within the application, never extending out to where the traditional malware detection controls sit.

I look forward to being thoroughly frightened in the near future.

The death of the Waterfall Trust Model

Information security is going through a transformation as the result of commodity computing.

While I could digress into why these things are coming about, I would rather explain what the waterfall trust model really is.

In simple terms, the waterfall trust model is a series of controls that are all based on one single control. All downstream controls then inherit their security from that source (hence waterfall).

Here is a pictorial example for those of us who are visual:

Simple Water Fall Trust Model

For those who don't think about these things in these terms, I'm going to apply the concept to a very well known technology.

IP, as in Internet Protocol, on which UDP, TCP etc. are based, was built using a waterfall trust model. IP was created by DARPA, which is part of the Department of Defense. Because of this, the designers could make specific assumptions about how the military would use IP. The largest of these assumptions, as it applies to this topic, was that people with guns would be guarding the computers.

This basic concept led to machines not authenticating to each other using the protocol. There was no need to authenticate machines that were on the same network, because being on that network was authentication enough.

In fact, the first time access or authorization is taken into account at all is in putting passwords on access to the machines. So clearly they didn't trust their people, but they did trust their physical security.

This is why operating systems have had to bolt authentication structures onto and above the IP layer. All forms of machine-to-machine authentication are complicated post-data-stream processes. A truly secure approach would authenticate before any data was ever processed.

Had the inventors of IP been thinking that this might one day be part of a public service, they likely would have built authentication into the protocol, as is evident from the IPv6 proposals.

Here is a pictorial example of the IP waterfall trust model:

IP Water Fall Trust Model

All network-based security technology (which means everything, because everything has an IP address now) is reliant on that one architectural flaw: the fact that simply having an IP address imbues a certain "right" to communicate. The closer you get to the same network (broadcast domain), the more rights are inferred.

Some people will point out that we have firewalls and access control lists that can mitigate some of these risks. However, the point remains that had people assumed machine-to-machine authentication would inherently be required, a great deal of risk would have been mitigated.

This brings me to cloud computing. In cloud computing the barriers of physicality are non-existent. The entirety of the risk inside a cloud architecture comes from the architecture itself and its ability to perform consistently. Segregation at a logical level is so closely tied to architecture that you can't afford the basic mistake of creating a waterfall trust model. As this is the only trust model that has ever really been used, we are all scrambling to understand the new models being proposed.

I personally like the Zero Trust Model, a data security model that simply applies zero trust between the data and the systems or people accessing it.

Has a zero trust model been deployed in a large enterprise? Not that I am aware of, so it too remains untested, but if organizations want to move to the cloud this new reality needs to be addressed.
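To make the contrast concrete, here is an added example (my own code, not from the original post) that puts a waterfall-style check beside a zero-trust check. The waterfall check grants access purely because the request arrived from an "inside" address, exactly the inherited right described above; the zero-trust check ignores the source network entirely and accepts a request only if it carries a fresh, valid per-request HMAC from a known client, verified before the request body is acted on. The 10.0.0.0/8 "trusted" network, the client names and keys, and the sample requests are all constructed for this illustration.

```python
"""Waterfall (network-position) trust vs. zero trust (authenticate every request).

Added illustration; the trusted network, client keys and requests are constructed.
"""
import hashlib
import hmac
import ipaddress
import time

# Constructed: the "inside" network a waterfall model implicitly trusts.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed: per-client secrets (a real deployment would use a key store).
CLIENT_KEYS = {"alice": b"alice-secret-key", "backup-svc": b"backup-key"}

REPLAY_WINDOW = 300  # seconds; a signature older than this is rejected


def waterfall_allows(src_ip: str) -> bool:
    """Waterfall trust: being on the trusted network *is* the authentication.
    Anything that obtains an inside address inherits every downstream right."""
    return ipaddress.ip_address(src_ip) in TRUSTED_NET


def sign_request(client_id: str, key: bytes, method: str, path: str, body: bytes, ts: str) -> str:
    """HMAC-SHA256 over the fields that define the request, so that changing
    any of them (or replaying with an old timestamp) invalidates the signature."""
    msg = f"{client_id}\n{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def zero_trust_allows(request: dict, now: float) -> bool:
    """Zero trust: where the request came from is irrelevant. It is accepted only
    if a known client signed these exact fields recently. Every failure path
    returns False before anything in the request body is acted upon."""
    key = CLIENT_KEYS.get(request.get("client_id"))
    if key is None:
        return False                      # unknown or missing client identity
    try:
        ts = float(request["ts"])
    except (KeyError, ValueError):
        return False                      # no usable timestamp
    if abs(now - ts) > REPLAY_WINDOW:
        return False                      # stale: possible replay
    expected = sign_request(request["client_id"], key, request["method"],
                            request["path"], request["body"], request["ts"])
    # Constant-time comparison so the check does not leak signature bytes by timing.
    return hmac.compare_digest(expected, request.get("sig", ""))


def make_request(client_id: str, src_ip: str, method: str, path: str, body: bytes, now: float) -> dict:
    """Build a signed request the way a legitimate client would (constructed helper)."""
    ts = str(int(now))
    req = {"client_id": client_id, "src_ip": src_ip, "method": method,
           "path": path, "body": body, "ts": ts}
    req["sig"] = sign_request(client_id, CLIENT_KEYS[client_id], method, path, body, ts)
    return req


def decide(request: dict, now: float) -> dict:
    """Evaluate one request under both models and return the two verdicts."""
    return {"waterfall": waterfall_allows(request["src_ip"]),
            "zero_trust": zero_trust_allows(request, now)}


if __name__ == "__main__":
    now = time.time()
    # A properly signed request from a public (outside) address.
    signed_outside = make_request("alice", "203.0.113.7", "GET", "/records/42", b"", now)
    # An unsigned request that merely arrives from an inside address.
    unsigned_inside = {"src_ip": "10.1.2.3", "method": "GET", "path": "/records/42",
                       "body": b"", "ts": str(int(now))}
    for label, req in [("signed, from outside", signed_outside),
                       ("unsigned, from inside", unsigned_inside)]:
        print(f"{label:22s} -> {decide(req, now)}")
```

The two verdicts invert between the models: the waterfall check admits the unsigned inside request and rejects the signed outside one, while the zero-trust check does the opposite. The timestamp window and the constant-time digest comparison are the two details most often left out of home-grown request signing, and both matter as soon as the network itself is no longer the boundary.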

Hello world!

Welcome to After you read this, you should delete and write your own post, with a new title above. Or hit Add New on the left (of the admin dashboard) to start a fresh post.

Here are some suggestions for your first post.

  1. You can find new ideas for what to blog about by reading the Daily Post.
  2. Add PressThis to your browser. It creates a new blog post for you about any interesting  page you read on the web.
  3. Make some changes to this page, and then hit preview on the right. You can always preview any post or edit it before you share it to the world.