Security awareness is a bit of a bitch. We know we need it, and we know that people don’t really want the typical kind of “security awareness” training under the best of times. And you can pretty-well, damn-near guarantee the last thing people want to hear about right now is a bunch of COVID-driven, mandatory security awareness messages.
However…as we know, the bad guys looooooovvvvveeeee themselves a little crisis to give them just a little easier time than they’d normally have…
…when people weren’t scared enough to panic-buy the store out of toilet paper.
So, now’s the time we need to be thinking extra hard about our approach to preparing for an uptick in attempts to hook our people into doing something they don’t really intend to do.
And, I’m sure you’ve heard all the above more than a few times before you read it in this email. That’s good.
What’s bad isn’t the fact that I’ve repeated it. What’s bad is the fact that most of our thinking around dealing with phishing attacks tries to turn our people into human firewalls. And, if we think about it, we’ll remember the fundamental problem with those—or any kind of identity-based classification mechanism.
It reminds me of maybe my second trip to Croatia a long time ago to speak at a small, friendly little security conference there. One of the other speakers was Marcus Ranum, and he tells this great story that you might’ve heard about the fundamental issues with firewalls. Issues that, however many years on, we still haven’t really figured out how to solve.
The story goes that classification-based systems, be they firewalls, endpoint protection or even fathers attempting to be gatekeepers of the company their daughters keep, all have a fundamental problem. We build a wall. We put a guy on that wall to man the gate, and we give him a picture of Rudd, the Viking.
We sit him down, make him stare intently at the picture, and tell him: “This guy is bad news. Whatever you do, DON’T LET HIM IN.”
The guard nods solemnly, repeats back our instructions, and takes his post.
Now, when people want to go through the gate, he looks carefully at each one and asks them, “Are you Rudd, the Viking?”
And if they say no, and they don’t match the picture, then they get let inside the wall.
One day, after this has gone on for quite a few months, our gate guard is met with a very large, very hairy, and very smelly man. This man is nearly twice his size, he’s wielding a large, double-bladed axe, and he seems to have a necklace made out of human heads…
…along with a curious, red-splotched shirt he’s wearing.
So, doing his duty, our guard looks at the man and says, “Are you Rudd the Viking?”
The man nearly knocks the guard over with the stench of his breath and shouts, “Do I look like Rudd the Viking?”
“Well, no,” says the guard. “Not really like him at all.”
“So, what’s the problem?” the man says. “Let me in the damn gate!”
And, after checking the picture one last time, he lets the man pass.
Unfortunately, it’s the last thing he ever does, because as the man steps past him, the man takes a hearty swing with his axe, catching the guard under the helmet, and separating his head from his body.
As the head bounces to the ground, and the man waves his hand to the angry horde behind him, he looks at the lifeless eyes of the guard and says, “My name is Rolf, the Tyrant. Rudd the Viking is a p*s*y!”
And, of course, they ransack the town, burn it to the ground, and get ready to move on to the next one.
We can’t tell our user community with any certainty what a phishing email will look like, because, frankly, we don’t know—except for the super obvious ones that are really, really bad. So bad, in fact, that you wonder who they’re really targeting.
I think this is one of the biggest issues we have with our security awareness training. We’re trying to give them a bunch of rules about what to do and not do…
…rather than teaching them how to think…how to critically analyze any communication they get – through any channel – to determine whether it’s actually legitimate or not.
And with the sudden surge in remote working, this problem is just going to get worse. Because we’ve given them 100 rules they have to remember, and it just isn’t going to happen.
Instead, we can use the three roles of the drama triangle to explain the kinds of attacks someone is likely to attempt. It gives them a much simpler model, and since you’re talking about something pretty fundamental to a school of psychology, it is going to apply every time, no matter what particular words someone actually uses to try and catch them out.
If you don’t remember from a couple of days ago, the 3 roles of Karpman’s Drama Triangle are:
- The victim – someone who feels or positions themselves as being in need of rescue
- The rescuer – someone who feels compelled or simply acts to help someone playing the victim role, and
- The persecutor – someone who shouts loudly, demands attention and respect, and is trying to run the show, blaming the victim for being in the position they’re in
Now, we can use these to talk about the various kinds of cons involved in phishing attacks. If someone sees an email purporting to be from their hosting provider (or IT admin) claiming that they have unsent emails which have been quarantined, then, depending on how it’s stated, this implies the following:
It attempts to shift the reader into victim mode (their emails have been stopped), and the helpful IT support person is letting them know about the problem (rescuer).
If the wording says something like “Help me, I’ve been attacked by brigands along the High Road, and I’m stranded in the wilderness. Please send money,” then we’re casting the reader into the role of the rescuer: the alleged sender of the email casts themselves in the victim role, inspiring the well-meaning employee to play rescuer and save the day.
If the wording is more forceful, like “Look, Bob, if we don’t get $10 million wired into this bank account in 20 minutes, they’ll come after your family,” then the sender is in persecutor mode, attempting to cast the reader into a defensive position (the victim) or a rescuer role so they take action without thinking.
Looking at this, the real weakness to phishing emails comes when the reader is cast into either the role of the victim or the role of the rescuer based on what the email says. If we can hook into this simple, fundamental fact of human behavior, give it names, and, once named, use it as the basis for further discussion and analysis…
…it’s powerful. And it’s powerful, because people get it.
It only takes a 1-2 second pause for someone’s “Spidey sense” to tingle and question whether they’re being played. And if we prepare them for that feeling – and we give them a standard procedure of identity verification and validation – then the model can get simpler.
Notice I didn’t say “easier.” I said “simpler.”
There’s still quite a lot of work to explain all this so people get it, and there’s also a lot of thinking required for those identity verification and validation procedures—including the crazy, worst-case scenarios attackers would try in anticipation of the places where we haven’t thought this all through.
And you might not realize that what I’ve just described is also security architecture. It’s just one more piece of the puzzle in a business-aligned and flexible approach to keeping the organization safe through times of stress, heightened emotions and potential crisis.
The other thing to note about it is that it’s a simple system, and one that can be learned, and practiced enough to become a habit. It’s just the kind of thing we want our security awareness training to do: instill and inspire positive activity and behavior in response to known, and identifiable, events.
There’s a lot more to it than what I’ve shared, but that is the basis. If you’d like to talk about the rest, or you’d like to review your current approach to handling these kinds of issues, you can always give me a call, and we can talk about whether there’s anything I might be able to do to help. Maybe there is, and maybe there isn’t.
If you want to find out, you can use this link to set it up:
Andrew S. Townley
Archistry Chief Executive