Here are some links to live hurricane Ian videos and weather info from a weather station in Trinity, Florida (north of Tampa). It should remain pretty calm, but I wanted it here for people that are curious what it’s like this far away.
Video 1 from Trinity:
Video 2 from Trinity:
Weather data in Trinity (note: wind speeds will not be accurate):
Inevitably, there is bad in the world — some of it evil, perpetrated by evil people, some of it just bad, caused by natural or man-made events, but without malice. In the wake of another evil act here in the U.S., we are also starting hurricane season, the time when we face the strong likelihood of natural disasters as well. Yet another situation we face following any tragedy is that of scammers taking advantage of the generosity and caring of people.
It never seems to fail. In the wake of a hurricane, tornado or even a man-made event, pleas for help go out and people respond. While this represents the best in people and is absolutely wonderful, many of these awesome deeds and donations can easily end up in the hands of scammers. For this reason, it is important that we help the people who need it, not the unscrupulous people who prey on good people. As humans, when we are in a state of high emotion, we can easily overlook signs of misrepresentation that we would otherwise spot easily. This is why scammers go on the attack right after a major, heart-wrenching event.
If motivated to help the victims of these events, we should be cautious indeed. If the request for help comes from an unsolicited email or a social media post, care should be taken to ensure the organization is legitimate. A quick web search will often turn up information about the charity and help guide you past the scams. See if there are recent Form 990 tax records filed (for U.S.-based charities) and look for financial reports that show how much actually goes to the victims. If the charity is already well known to you, it still pays to be careful by browsing straight to the charity’s website rather than clicking on a link in a post or email. If the charity is raising money to help, you can bet there will be a mention of it on their website along with instructions on how to donate securely.
While tragedy will occur in this world, we can ensure that the intrinsic good from people can prosper by taking a few moments to make sure our help goes to those who need it, not scammers or cybercriminals.
Cybersecurity is often thought of as a technical field, one in which some geeks gather up cool tools and fight the battles on the front lines, defending our organizations and personal use from the constant onslaught of cyber attacks and scams. While there may be some truth to that (we do love high-tech tools that help us defend our networks), there is a whole part of cybersecurity that has little to do with blinky boxes and the destruction of electrons, and it might just be the most important part – the people.
Yes, most of us know that people are the targets of cybercriminals looking to get into networks. Phishing emails, phone scams and attacks via text messages are all things we are aware of, and even the most tech-focused cyber geek understands that they are the number one way networks get compromised. Educating users about this is incredibly helpful, but there is more to it than just that. Maybe you are an introvert and do not really like dealing with users very much. Maybe you would rather be in a server room full of noisy fans and too-cold AC on one aisle and too-hot air on the next. I really do not blame you; however, what we are about to discuss can make dealing with users a bit easier, and possibly significantly reduce the number of times you have to do it at all.
Grab some coffee or some tea and get comfortable (not too comfortable though) and we are going to talk about what may be the least exciting, but most important thing in cybersecurity – policies.
If I did not lose you there with a loud groan and dash for the nearest door, great. I know it is not the most fun topic, so I will excuse the momentary fight-or-flight response, but stick with me for a few moments and you will see how thinking through policies can make your life only slightly less enjoyable than a week in Maui. Okay, maybe that is a stretch, but it might make the trip to Maui possible through a lower workload, meaning more vacation days, some of which could involve Maui.
A Real Problem With Policies
One real problem I see with policies is that they are poorly thought out, and bad policies can and will lead to people finding ways to get around them, resenting them, and possibly resenting you and your team as a result. That is the real story here…thanks for coming to my TED talk.
What Do We Do About It?
If you are still reading after my above revelation, it means you probably want to know how to make better policies that do not result in coworkers tainting the coffee creamer you keep in the break-room fridge with salt. Please do not ask why I used that example. I have had better days.
Here is the trick to writing policies that do not stink. Think about the repercussions from the end user’s perspective. We often write policies that make no sense to them, even if it is the right thing to do. We simply cannot expect users to follow policy, something that may make their job a bit tougher, without them understanding, at some level, why. We also need to recognize when policies no longer make sense and be willing to revise them, so they do. “But we have always done it that way” is no excuse for draconian rules and medieval penalties.
A Recent Example
I have had a couple of jobs in my career that required significant travel. One was even before 9/11. I will NOT use the resulting security changes from that as an example. I just will not. I like to get through the checkpoints quickly and will not risk angering people from ‘that’ organization. I will, however, use our recent and ongoing pandemic and its associated rules with reckless abandon.
Having spent a lot of time in airports during the pandemic, I have come to loathe some of the rules that are currently in place, especially with respect to masks, and I am not alone. This is not a pro or con, as it relates to mask effectiveness, but is about the current rules and how people are acting with respect to them. We can learn a lot about policy from watching how things play out, especially when the policy has such significant enforcement measures behind it, something we are not likely to have ourselves.
The current federal mask policy for air travel says this:
“Persons must wear masks over the mouth and nose when traveling on conveyances into and within the United States. Persons must also wear masks at transportation hubs as defined in this Order”
Here are all 11 pages of the order if you would like to read it. This was published on January 29, 2021, extended through September 13, 2021, then again until January 18, 2022, followed by March 18, 2022, then April 18, 2022, and now for another two weeks.
Now this order, or policy, has the backing of the federal government, which has applied pressure on the airlines and airports to enforce the policy. In the beginning, enforcement was rigid; however, as time has gone by, it has become a bit more lax, at least in the airports. On the aircraft itself, it seems to be hit or miss. It is not uncommon at all to see people walking through the airport with no mask at all, a mask hanging off one ear, or a mask covering only their mouth and not their nose, and unlike in the early days, nobody really says anything. So, why is this happening? We can learn a lot from this example.
First, people may go out to see a movie in a crowded theater, then have a meal in a crowded restaurant, and grab a drink in a packed bar, all without a mask; then, when they get to the airport, one of the last bastions of public mask wearing, they are told they must wear one. For many people, this simply does not make sense. As the world around them has relaxed, this policy may feel prehistoric, so they look for ways around it.
At some point, people look for, and discover, loopholes in the policy. For example, some enterprising person realized that in the airport terminal, if you hold a drink or food in your hand, you can get around the rule using the “I am eating/drinking” defense to sit around with no mask. I even heard a person on a phone call bragging about how they were bucking the system like this, although I have not seen anyone enforce a mask policy at the gates or in the airport in a long time. On the aircraft, this may or may not be enforced as well, which brings me to another problem.
If your policy is not enforceable or is enforced inconsistently, people will ignore it. This is where things can get a little tricky and careful planning can pay off in a big way. Let’s say you have a policy that forbids online shopping from company-owned devices, and perhaps you even have a proxy server or some other technical control enforcing it, but the organization also requires people to get three quotes on an item prior to making a purchase, or to look into the best options for the money. You have made that nearly impossible, because people cannot price check or even read product reviews on shopping sites. This means you must start making exceptions, a very slippery slope indeed. If you allow Alice in Finance an exception, Bob in Marketing may argue that he should get an exception too, and so on until almost everyone has an exception to the policy, making the policy pointless, tedious and ultimately frustrating for you and the other employees.
Why Well Thought Out Policies Matter
In a case like this, how much of a security risk would it be to allow access to online shopping services from the start? This would eliminate animosity (along with the probable salting of one’s precious hazelnut coffee creamer), impact morale in a positive way while not really impacting security in a negative way, and it would reduce the temptation to find a web proxy service that still takes you to a shopping website while appearing not to. I have heard that may or may not have been a ‘thing’ at a past employer, especially back when Woot-Off!’s were a serious matter. (I’m not the only one that remembers Woot! when it was great, right? Comment below!) Totally hearsay though. Totally.
There will be times when policies really do need to be firm, with an allowance for some, but not many, exceptions. It is a fact of life; however, when you write the policy, try to anticipate where these exceptions may be required and account for them in the policy. Also, have a well-defined process for requesting and managing these exceptions, either permanently or temporarily. The fewer frivolous policies you have in place, or ones that the users do not understand, and the more consistently the remaining policies are followed, the more likely users are to follow the policies that really matter. The less that policies need exceptions, the less interaction you must have with the (oftentimes frustrated) users. That is a huge win right there.
In addition, reviewing the policies on a regular basis is very important. I do not mean opening the document, changing a date and calling it ‘reviewed’ for compliance reasons, I mean really considering if it is still valid and important. You may have installed some technical controls that mitigate the risk you were trying to address in the policy or perhaps the way people are working has changed. If a policy is no longer needed, can it be removed or changed? It is one less point of friction and one less thing to maintain.
Summary
Remember that as cybersecurity professionals, our job is business enablement, not being the “Department of No”. Eliminating friction between ourselves, the users, and other business units has always served me well. Having reasonable policies and considering where policies may cause friction can be the difference between someone following a policy and someone bypassing it in a way that creates a real security risk. This also helps contribute to an improved overall security culture, as the users can understand that the policies in effect are there for a reason, especially if you educate them on the reason behind each policy.