Thursday, August 16, 2012

Random musings from a discussion with MAD Security's Mike Murray

I had a fascinating discussion with Mike Murray, principal at MAD Security, yesterday at a local ISSA chapter meeting.  In his presentation, and in a one-on-one discussion afterward, he covered a lot of ground, but two central points kept coming up: (1) there is a somewhat predictable cycle to the ebb and flow of vulnerability and exploit, and (2) awareness training, as most companies approach it, is only marginally effective.

Mike walked through a brief history of the information security industry from the perspective of threat analysis and exploitation.  In the early ‘80s, the most exploited vulnerability was the human – for instance, Kevin Mitnick calling up Sun Microsystems customer service and getting them to put source code on their FTP server.  In the late ‘80s to early ‘90s, it was the network.  There was not a lot of valuable content online yet, so DoS and DDoS were the favored attacks.  In the mid-‘90s to early 2000s, as the dot-com boom occurred, the attack point was servers and services.  Code Red, Nimda, and Blaster ring a bell?  WinXP SP2 sealed up many of the server/service vulnerabilities, so the next attack point was the application: SQL injection and XSS.  In the last two years or so, the cycle moved to the client – document formats such as PDF and Flash.  Now that those have reached a degree of security maturity (relatively speaking), the current favorite attack is back to the human – the Nigerian scams, the “I was robbed, please send money” scams.

His point in all of this was that there is a predictable pattern in vulnerability distribution that tracks the technology adoption curve.  On the bleeding edge of a new technology or capability, there is extreme vulnerability, but no critical mass of users to catch the interest of attackers.  There is a “sweet spot,” though, during the early-majority stage, where the bugs have not yet been worked out but there are enough users to form a valuable target for the attacker.  That window may last about 18 months before most of the vulnerabilities have been closed, and the cycle moves on.

Today, most attacks are again against the human, but we are entering the early-majority stage for cloud computing and for ubiquitous connectedness in the form of smartphones and tablets, and IPv6 is just beginning to gain momentum – an entirely new generation of network technologies.  Where do you think the vulnerabilities over the next 18-24 months will predominantly lie?

His second point related to infosec awareness.  Most security awareness training today focuses on just that – awareness.  But simple awareness does not bring about behavioral change.  In Mike’s view, three things must all be present at the same time in order to change behavior: motivation (awareness of a problem, and that not taking action could hurt), ability (knowledge of how to take appropriate action in a way that does not interfere with other priorities), and a trigger (a reminder to take action).  The examples he used were strong passwords (see the XKCD comic on the topic) and USB storage devices.

On the latter, he had a former consulting client that had not been able to keep its employees from plugging USB devices into their PCs.  Awareness training had not helped – the employees knew of the risk and had the ability to simply not plug in the device, but there was no trigger, nothing to remind them not to do so.  MAD Security put together a video just memorable enough (and politically incorrect enough) to create a reminder that stuck.

Most companies get each employee’s attention for about an hour a year during information security awareness training – why not use that hour to not only educate, but create memorable triggers for the behaviors we most want to encourage?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.