Why Rules-Based Training Isn’t Enough: Building Muscle Memory for Effective Phishing Prevention


It’s been quite a while since my last post but I got inspired by a recent discussion about the effectiveness of phishing training for employees. The person I was speaking with was frustrated that no matter how many phishing simulations they did, their employees were still clicking on the next phish.

Phishing attacks can be quite sophisticated, and it’s more important than ever to ensure that employees are trained to spot them. However, simply handing employees a set of rules or policies, or making them watch a video each time they click on a simulated phish, is clearly insufficient. That got me thinking: how do we help employees build muscle memory and prevent phishing attacks?

I love analogies so please humor me while I try to explain why rules-based training isn’t enough using the example of making a peanut butter and jelly sandwich.

The rules for making a PB&J sandwich are simple: use two pieces of bread, creamy or crunchy peanut butter, your favorite flavor of jelly, and a knife.

But anyone trying to teach a child how to make a sandwich knows the rules aren’t enough. You need to show them the process:

  1. Lay both pieces of bread on a plate or paper towel.
  2. Open the peanut butter container.
  3. Use the knife to scoop peanut butter from the container.
  4. Use the knife to spread the peanut butter on one or both pieces of bread.
  5. Use a clean paper towel to wipe off the knife.
  6. Use the knife to scoop jelly from the container.
  7. Use the knife to spread the jelly on top of the peanut butter.
  8. Place the two pieces of bread together with the peanut butter and jelly in between them.

As you can see, the process is much more complicated than the rules and even includes decisions about things that aren’t even called out in the rules! The same goes for phishing training. It’s not enough to give employees a stack of policies or have them watch a training video. They need to walk away with a detailed process they can understand and follow to build muscle memory.

To drive this point home, let’s use another analogy. Imagine your child is learning to drive. You give them the rule book from the DMV, and they read it cover to cover. Then, you take them to get their learner’s permit. As you leave the DMV, you hand them the keys and say, “You’ve learned the rules, and you’ve watched me drive for the past 15 years. You should know how to drive, so take us home!”

How well do you think they’ll do? Good luck getting out of the parking lot without hitting something! They need someone to walk them through the process for months until they build enough muscle memory.

The same goes for phishing, teaching a developer how to build code securely, or any other type of training. You start with your policies and standards, but if you don’t take the time to build out standard operating procedures, employees are left to figure things out ad hoc.

Rules-based training is not enough. Employees need a detailed process they can follow to build muscle memory. Only then will you see a real change in behavior and adoption.

Disagree or have another thought? Please let me know in the comments and let’s discuss!

CISSP Blog Post 2, Domain 1: Security Controls


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

After last week’s blog on Risk Analysis, let’s consider some criteria on selecting countermeasures to mitigate risks.

  1. Perform a cost/benefit analysis
  2. Determine accountability of the countermeasure – who’s in charge of the safeguard?
  3. Don’t rely on design secrecy as the only form of protection. Security through obscurity alone is not enough.
  4. Ensure countermeasures are universally applied – especially for tools used in monitoring. You must apply them fairly & consistently to all employees and/or customers.
  5. Provide a defense in depth – multiple layers of protection – don’t rely on just one countermeasure!
  6. Apply the least common mechanism – don’t always place all solutions in one location. That is, try to eliminate single points of failure and recognize that you don’t always get the best of breed from every solution.
  7. Get acceptance from your employees and/or customers – users always struggle between security vs. convenience.
  8. Minimize human intervention – for things that can be automated (e.g. anti-virus updates)

So what types of controls are available? Control types include:

  • Technical / Logical (e.g. a network firewall or a captcha puzzle)
  • Physical (e.g. a security fence or camera)
  • Administrative (e.g. Reviewing logs)
  • Preventative – goal is to stop unwanted activity or behavior (e.g. Intrusion Prevention System (IPS))
  • Corrective – goal is to mitigate an incident & reduce damage (e.g. a fire extinguisher)
  • Directive – administrative control focused on management aspects (e.g. requiring managerial approval)
  • Deterrent – controls focused on consequences
  • Recovery – controls focused on restoration
  • Compensating – an alternative when the best controls are not available or feasible (e.g. using an Endpoint Detection & Response (EDR) solution to monitor OS files vs. using a traditional File Integrity Monitoring (FIM) solution)

You can also combine controls, for example:

  1. Preventative + Technical = IDS or Firewall
  2. Detective + Administrative = Reviewing logs, reporting on penetration tests
  3. Corrective + Physical = Fire Extinguisher

CISSP Blog Post 20, Domain 4: Network Firewalls


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

09/06/2020 – Edit: I am starting to publish a series of blog posts on topics related to studying for the Certified Information Systems Security Professional (CISSP) exam. I am updating this post first, but I’m changing the name of the post as well to help folks better identify where this post falls in the series. I’m also adding in illustrations!

It’s been quite a while since my last post so here’s hoping I can keep the momentum going!

In this post, I’m going to walk through the four different types of firewalls and what they are best used for.

The four types of firewalls, from most basic to most complex include:

  1. Static Packet Filtering Firewall
  2. Stateful (aka Dynamic) Inspection Packet Firewall
  3. Circuit Level Proxy Firewall
  4. Application Level Proxy Firewall

Static Packet Filtering Firewalls
Static Packet Filtering Firewalls are the most basic type of firewall. The only filtering they can do is allow or block specific IP addresses and ports entering or exiting the firewall. For example, you can stop computers on your network from reaching Google’s DNS service by creating a rule that blocks any outgoing traffic to 8.8.8.8:53 (TCP & UDP).

Benefits: Cheapest option, fast to apply rules

Drawbacks: Limited filtering abilities, cannot scan or inspect inside a data payload

[Figure: Static Packet Filtering Firewall]

Stateful (aka Dynamic) Inspection Packet Firewall
Stateful or Dynamic Inspection Packet Firewalls provide all the functionality of Static Packet Filtering Firewalls, plus they “inspect” and allow or block based on connection states. For example, the firewall can watch a TCP handshake being performed and determine if it is executed normally, or if there’s a denial of service (aka a SYN flood) attack occurring and then automatically block the incoming traffic, keeping your internal machines from being overwhelmed.

A typical TCP handshake occurs when a SYN request is sent from one machine to another; the second machine sends a SYN-ACK back to the requesting machine, and the original machine then sends an ACK, completing the handshake and allowing communication to begin. If the original machine never sends that final ACK and instead just continues to send a stream of SYN requests, the firewall will recognize that the handshake is not being completed and block the flood of incoming SYN requests.

Benefits: Stronger filtering capabilities, retains (logs) state information about a connection for further offline analysis

Drawbacks: More expensive system, slightly slower filtering, still cannot inspect inside a data payload, requires static rules to allow unsolicited inbound traffic (e.g. email incoming to an email server)

[Figure: Stateful Inspection Firewall]
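To make the two behaviours concrete, here is a toy firewall written for this post (not code from the original post or from any firewall product): it applies the static rule from the packet-filtering section (block outbound traffic to 8.8.8.8:53) and then tracks the SYN / SYN-ACK / ACK sequence per connection, denying unsolicited inbound segments and cutting off a source that keeps opening half-open connections. The threshold, addresses and packets are constructed for the demo.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# A packet as the firewall sees it; flags is TCP-only: "S"=SYN, "SA"=SYN-ACK, "A"=ACK
Packet = namedtuple("Packet", "src sport dst dport proto flags", defaults=("",))
SYN_FLOOD_THRESHOLD = 3  # half-open connections tolerated per source (assumed value)

@dataclass
class StatefulFirewall:
    static_blocks: set = field(default_factory=set)  # (dst_ip, dport, proto) tuples
    state: dict = field(default_factory=dict)        # 4-tuple -> "half-open" | "established"
    blocked_sources: set = field(default_factory=set)

    def _half_open(self, src: str) -> int:
        return sum(1 for k, s in self.state.items() if k[0] == src and s == "half-open")

    def filter(self, p: Packet) -> str:
        if (p.dst, p.dport, p.proto) in self.static_blocks:  # static rule: addresses/ports only
            return "deny:static-rule"
        if p.src in self.blocked_sources:
            return "deny:syn-flood"
        if p.proto != "tcp":
            return "allow"
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        # Stateful inspection: follow the SYN / SYN-ACK / ACK sequence per connection.
        if p.flags == "S":
            if self._half_open(p.src) >= SYN_FLOOD_THRESHOLD:
                self.blocked_sources.add(p.src)   # too many unfinished handshakes
                return "deny:syn-flood"
            self.state[fwd] = "half-open"
            return "allow:new"
        if p.flags == "SA" and self.state.get(rev) == "half-open":
            return "allow:reply"                  # server answering a SYN we saw go out
        if p.flags == "A" and self.state.get(fwd) == "half-open":
            self.state[fwd] = "established"       # final ACK completes the handshake
            return "allow:established"
        if "established" in (self.state.get(fwd), self.state.get(rev)):
            return "allow:established"
        return "deny:no-state"                    # unsolicited inbound or out-of-sequence

def demo_stateful() -> dict:
    fw = StatefulFirewall(static_blocks={("8.8.8.8", 53, "tcp"), ("8.8.8.8", 53, "udp")})
    c, s = "10.0.0.5", "203.0.113.10"  # constructed client and server addresses
    out = {"dns": fw.filter(Packet(c, 40000, "8.8.8.8", 53, "udp"))}
    out["syn"] = fw.filter(Packet(c, 40001, s, 443, "tcp", "S"))
    out["synack"] = fw.filter(Packet(s, 443, c, 40001, "tcp", "SA"))
    out["ack"] = fw.filter(Packet(c, 40001, s, 443, "tcp", "A"))
    out["unsolicited"] = fw.filter(Packet("198.51.100.7", 443, c, 40002, "tcp", "A"))
    # SYN flood: 192.0.2.9 keeps opening connections and never sends the final ACK
    out["flood"] = [fw.filter(Packet("192.0.2.9", 50000 + i, c, 80, "tcp", "S")) for i in range(5)]
    return out
```

The "unsolicited" case is the drawback called out above: inbound traffic with no matching state is dropped unless a static allow rule is added for it.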

Circuit Level Proxy Firewall
Circuit Level Proxy Firewalls provide all the aforementioned functionality of both the static packet filtering and stateful inspection packet firewalls. In addition, they provide Network Address Translation (NAT) and Port Translation.

Benefits: There is no direct contact between client and external server, internal IPs are hidden from external systems, malformed packets are dropped and not forwarded onwards

Drawbacks: Requires a minimum of 4 packets per round trip (e.g. client sends packet #1 to firewall, firewall repackages into new packet #2 & sends to external server, external server sends reply packet #3 back to firewall, firewall repackages into new packet #4 and sends to internal client), more expensive system than the previous two, still cannot inspect inside a data payload.

[Figure: Proxy Firewall – Circuit Level]

Application Level Proxy Firewall
Application Level Proxy Firewalls do everything the previous three firewalls can do and, in addition, can inspect inside data payloads! The firewall does this through proxies written for each service that is required to pass through the firewall “air gap”. A proxy is a piece of software customized to a specific service (e.g. HTTP, SMTP, FTP, etc.) that unpacks the data packet, inspects the data inside, and filters the content based on proxy rules.

Benefits: Can inspect inside data packets! Can even inspect inside encrypted payloads, provided you have the requisite certificates to decrypt the payload and re-encrypt it before sending it onward.

Drawbacks: Most expensive option, much slower to filter data, and not all services have proxies written for them; those may require custom coding or a generic TCP/UDP proxy, which essentially bypasses the proxy filtering capabilities (i.e. it can’t scan inside the payload) and simply allows traffic through on a specific service port.

[Figure: Proxy Firewall – Application Level]

What I learned during the TAG Cyber Attack & Business Continuity Simulation


Georgia’s Governor Nathan Deal proclaimed February 25th, 2014 to be “Business Cyber-security Day in Georgia”.

As part of the initiative, the Technology Association of Georgia (TAG) ran a Cyber Attack & Business Continuity Simulation, which I attended. It was an amazing presentation, not only of content but also of coordination.

The simulation was of a fictional company (The Logistics Company, aka TLC) and how it would respond to different attacks on its systems. There were seven attacks carried out during the simulation. There were roughly 30+ people involved with the simulation, and the entire event was broadcast to multiple locations around the US as well as to Kuwait. Making it more interesting, the people involved hold the same positions in their real companies as the people they were portraying in the simulation. The people playing the C-suite in the simulation are really C-suite executives in their respective companies, the lawyers are really corporate lawyers in the real world, etc.

In addition, due to the Governor’s proclamation, the entire event was hosted at Dobbins Air Force Base and included participation from the Georgia Air National Guard, the Cobb County Police/911 department, the GBI, as well as the FBI.

There were five cyber attacks, one physical attack, and one social engineering attack.

Taking them in reverse order, the social engineering attack was left until last and was more informative than something the business needed to respond to directly in the simulation. An outside recruiter informed the business that she had been approached by a Chinese company to try to poach recruits from TLC’s supply chain division. She approached TLC because she had become suspicious after following up with each of the recruits to see how their interviews with the Chinese company had gone: the interviews were all one-way, with the Chinese company asking all the questions and never following up to actually hire any of the interviewees.

The end result was that the Chinese company was trying to gather intel about TLC for a variety of potentially nefarious reasons. I assume the logical response of TLC would be to warn and train its employees about how to respond to strange recruiting requests. Obviously, TLC cannot mandate that its employees don’t talk to recruiters at other companies, but they do need to be aware that every time they talk to someone outside the company, the information could be used to hurt TLC.

The physical attack proved very interesting to me because it helped me realize the role of police and other emergency response personnel in an emergency. In the fictional attack, two ex-employees sabotaged the company’s data center (it turned out to be the backup data center, so it wasn’t as large a crisis as it could have been). The employees destroyed the cooling towers as well as the backup generators, so the data center had to be taken down immediately or risk frying all the equipment.

The immediate business response was to call 911. After which, they realized it was their backup facility and it did not hurt their primary data center. They then quickly made arrangements to back up their main facility to a third-party data center. In real life, the backup would take a while to accomplish but so long as their primary facility didn’t go down, it would not hurt their day-to-day operations.

The problem with the immediate business response was that, as soon as the police arrive at a potential crime scene, the business loses all control of the scene until the police allow them back in. Therefore, if the business needs access to computers, data, etc., they may lose access to all of it until the police finish collecting the evidence they need. This can potentially hurt the business even more than the actual damage if they cannot complete in-progress business at the time of the crime.

The cyber attacks ranged widely in nature (I forgot what the fifth one was):

  • An international hacker encrypting the business’s data files & demanding a ransom
  • Disgruntled employees installing Raspberry Pi’s to override PLC (Programmable Logic Controller) instructions to disrupt a sorting & packaging facility
  • Hackers disrupting the shipment routing system and sending critical shipments of organ transplants to random addresses
  • The DoD finding out that routers shipped by TLC included malware which was spying on the data flowing through the networks

All of the cyber attacks were pretty complicated and included potential damage to the business’s brand image in the marketplace (especially when the critical organ transplants were not delivered on time), as well as complications involving contracts and insurance policy questions. The main lesson learned here was to ensure that your legal team is involved in preparing your business continuity planning to ensure that you are not breaking contracts with suppliers, clients, or insurance policies depending on how you respond in an emergency situation. There may be SLAs, legislation (such as HIPAA or other privacy laws), or other contractual agreements which you may be bound to regardless of what has happened to your company.

The three main points I got out of the simulation were:

  1. Having a single page listing all important phone numbers is better than any 8-inch-thick binder full of amazing plans, because the binder will get left on the shelf during an actual crisis.
  2. The act of planning is almost more important than your response in a situation. The act of planning forces you to organize and think through your response so that you at least do something instead of freezing in an emergency situation.
  3. It’s important to have a good response team put together – but even more important is to have all of them in communication during a crisis. Get the key decision makers in one room, or on one conference call. No one leaves until the crisis is over. If they need information, send out others to collect it. Keep your decision makers in the loop at all times so they can respond as soon as the situation changes.

I’m looking forward to attending next year’s simulation!