The case for ongoing end-user security awareness training

Expert Michael Cobb makes the case for year-round end-user security awareness training.

October of 2011 may be a turning point in the history of information system security, in the US at least. There, government and companies alike have accepted that computer security awareness must permeate all levels of society or they will never achieve the levels of security they need to function effectively as a digital society, with a digital economy, and within an increasingly digital infrastructure.

In this article, I'll look at what happened in October in the US, and discuss the community-wide, end-user security awareness training that needs to be done in the UK.

Current security challenges

First, let me sum up the information security challenges the security industry faces. Most of the bad guys, be they nation states or crime syndicates, are well-funded and well aware of the currently favourable cybercrime risk/reward ratio. In other words, the rewards from cybercriminals today far outweigh the slim chance they will get caught, and even slimmer chance they will be convicted and do serious time for their crime. Rounding out the pool of adversaries are hactivists who are prepared to break the law - and into systems - to advance their cause, and a smattering of individuals on the fringe of society who hack for fame or kicks.

The bad guys can bypass every piece of security technology by targeting the real endpoint: the end-user.

Against these adversaries, enterprises have deployed over the past decade and a half an impressive array of technology, from hardened operating systems to network firewalls, intrusion detection systems to application firewalls, antimalware to content filtering. There is also the growing use of powerful encryption schemes and the secure development lifecycle (SDL) for more resilient application coding.

The real endpoint

Unfortunately, one consequence of this massive build-up of security technology is an increased focus by our adversaries on the least technological aspect of the secure computing ecosystem: the end user.

Let us consider one end user as an example: Scarlett Johanssen. Due to allegedly compulsive email hacking by a Florida man, Christopher Chaney, Ms. Johanssen lost control of her email account and certain personal information therein, including photographs not intended for public consumption. While embarrassing for Ms. Johanssen and the other victims, this matter might not seem to be relevant to organised cybercrime and national security. However, consider this: Investigators believe Chaney "followed celebrities on social media websites to learn certain personal information, then used that information to hack into their personal files."

If Ms. Johanssen is a typical user of such sites, she will have used the same password, guessable from shared details of her personal life, for multiple sites. Indeed, a survey last year by BitDefender revealed 75% of social networking username and password combinations were identical to those used for email accounts. A survey this year by ESET revealed that, although 69% of social networking account owners said they were concerned about security on social networking sites, 33% had never changed their social networking passwords. Both survey samples were representative of the general population, meaning a large number of people, some of whom have password-based access to sensitive government or corporate data, have not been properly educated about why they need to carefully choose and use passwords.

I'm sure if you questioned a random sample of people, you would find the vast majority answer “yes” when asked if they know how to use a computer; few, if any, will give the same answer when asked if they have had computer security training of any kind.

Consider another example: the October 2011 Sony breach, which was a "weakest link attack" in which credentials were stolen from an insecure site and tested against a secure site in the certain knowledge that some people will have the same credentials on both systems. If more people understood and appreciated the inherent dangers of weak or multiuse passwords, we could start to reduce the chances of such attacks succeeding. Better awareness of what not to do with email attachments will reduce the chances of major security breaches like the one suffered by RSA earlier this year. Sure, that breach did exploit a zero-day vulnerability, but it took the unwise opening of an attachment to succeed.

The people who engage in cybercrime know this. Finding zero-day vulnerabilities to exploit may be getting harder, and thus more costly, but finding out people's passwords is getting easier. Close to 80% of US and UK households now have Internet access. Many households have more Internet-enabled devices than people. Yet very few users of these devices, who are being asked for passwords by a wide array of sites and services, have had any training on even the most basic security measures. So, despite heroic efforts to develop and deploy endpoint security measures, the bad guys can bypass every piece of security technology by targeting the real endpoint: the end user.

Cyber Security Awareness Month

The big deal about October 2011 in the US is that, although October has been designated as National Cyber Security Awareness Month, there since 2004, this year the theme of "Our shared responsibility” helped the event achieve critical mass. There was considerable coverage on local as well as national news, plus an array of announcements and initiatives from some major industry players. Google, a company whose future, one might argue, depends upon the general public achieving some level of confidence in the security of its data, launched the Google Security Center. Firefox filled its October newsletter with security tips, plus some reminders of the ways Firefox helps individuals stay safe online. Also in October, Facebook announced new security tools and reminded users to use existing security features.

Year-round security programmes

However, as anyone who has conducted information security awareness programmes will admit, achieving lasting awareness is a year-round proposition. One awareness initiative that caught my eye this October has embraced that idea, and the parallel perception that achieving security awareness across all sectors of society and all age groups takes a community effort. Started by ESET, the Slovakian antimalware vendor, the initiative known as Securing Our eCity has taken on a life of its own and is starting to spread from San Diego (where ESET has its US headquarters) to other cities in North America and beyond.

Securing Our eCity is different because it involves a wide range of stakeholders, from schools to Scouts, law enforcement to city employees, government agencies, hospitals and local companies, big and small. A year-long schedule of events keeps the awareness going and a squad of trained instructors, all volunteers, are on hand to deliver awareness presentations to civic groups, churches, or any organisation that promises 25 or more interested listeners.

A programme like this meets a real and growing need and we need similar initiatives here in the UK. And it’s not just about passwords. People need to know how to live and work securely online, why they should destroy storage devices they no longer need, why many pop-up ads are too good to be true, and why they need to keep their firewall up to date. Recent statistics from the UK government reveal 21% of Internet users admitted their skills are insufficient to protect their personal data. Frankly, I reckon many people in the other 79% are over-estimating their skills.

At a recent Securing Our eCity symposium, scores of people took a test, conducted in a simulated office, in which they had to identify all of the visible security problems. Only a handful got full marks and most people missed at least half a dozen problems that were in plain sight.

Attacks against users are continually evolving and getting more sophisticated, so we also need to keep everyone’s security knowledge current. The UK government’s Get Safe Online site is a step in the right direction. But we need our own FTSE 100 companies, who have a vested interest in maintaining people’s trust in the Internet, to set up innovative programmes like Securing Our eCity here in the UK if we are to achieve the levels of security needed to function and prosper as a digital society.

About the author:
Michael Cobb, CISSP-ISSAP is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of’s Security School lessons.

Read more on Identity and access management products