Spidey-sense for the people

James Chappell | 23 June 2016

If you liked Marvel’s SpiderMan then you will recognize the special Spidey-sense skill that Peter Parker possessed. The skill refers to "a vague but strong sense of something being wrong, dangerous, suspicious, a security situation.” It’s a type of personal situational awareness that helps him to avoid disaster. That does sound useful!  

Can a business have spidey-sense? 

As a defender of networks, I’ve always been impressed by stories where someone spotted something that didn't quite look right and followed their suspicion, investigating it further eventually leading to a reveal of something much more serious. A classic example is given in a true story by Clifford Stoll, “The Cuckoo’s egg”, where a 1970’s computer engineer investigates an accounting glitch that eventually unearths a major international espionage campaign on a university’s computer system. 

It seems that our ability as a human being to be suspicious, or “feel” that something is wrong has been an invaluable tool since we were being chased around rainforests by predators. In information security we think of the network engineer as being the most important person to employ this skill. To follow a hunch leading to the ultimate discovery of a major security issue.

But what about a world where everyone had Spidey-sense?

In real historical terms the computer networks in the workplace are a relatively new invention. But in the 50 or so years that they have been part of our lives, we’re now at a stage where most of the workforce is computer literate by default.

The vast majority of our workforce has at one time had a Hotmail, Gmail or similar Internet e-mail account and have received untold quantities of spam e-mail promising us untold riches from dissident ambassadors or tax refunds that never quite are. Add to this our workforce of millennials, we have a digitally sophisticated group of netizens who grew up pranking each other on Facebook and on their phones. The simple fact is our modern workforce has Spidey-sense in spades.

As little as ten years ago the perceived wisdom to deal with phishing, or user error, was to suggest writing a wordy policy document or enacting disciplinary procedures to be targeted at our “stupid users” who click on the wrong link or open the wrong document.   

But in truth, a lot of the types of social engineering campaigns that we now fear are easily spotted by our millennial work force. They are attuned to spotting something “a bit phishy”. Taking phishing as an example, most spam testing companies will tell you a typical click rate on a phishing e-mail campaign is on average 20-30%. Turning that on its head - that’s 70-80% of people who are not clicking and either ignoring the e-mail or noticing that something is up. What a fantastic opportunity - that's 70-80% of our workforce that could tell us something is worthy of more attention. That’s just for phishing – what would be interesting to measure this for employees spotting unapproved equipment or unusual application behavior.

So why aren’t we making the most of this?

This is *exactly* the kind of input that you need in incident management. If I have 1000 people working in my organization, how do I harness the 700-800 folks who might spot something that is going wrong?

As ever, culture sits at the center. Ask any management team and they’ll tell you that creating culture is non-trivial and depends on what went before it, but the basis of it is founded on positive engagement and trust. The most important aspect of this is creating a culture where an employee feels, most critically *trusts*, that the act of coming forward with a security incident will be assessed in a positive manner - even if they made a mistake or weren’t optimal in their response. Some organizations might even consider implementing a reward structure (though a set of clearly defined rules is important to avoid abuse). This exists today for the external reporting of incidents in the form of bug bounty programs why not for reporting incidents? 

It’s not just what you promise, it’s the actions to back it up. Try rewarding the next person who reports a security incident with a $5 amazon voucher. You’ll probably discover that word-of-mouth does some of the hard work for you. The question of how to structure and roll out such a program is worthy of a much longer article and this one. But if you start changing the culture and use positive re-enforcement – that has to be a good start. Ultimately, staff must feel that they are the genuinely important part of the security apparatus of a company. The fact is that they are, be it physical, electronic or otherwise.

 

Spidey-sense for situational awareness

Amongst the best detectors in the business are our people. If we can help them to give us a sense of situational awareness, we can detect waves of campaigns as they arrive, spot the targeted attempts, adjust our defenses and warn others to improve our effectiveness at repelling attacks, frauds or increase our chances of spotting a link in the chain of a highly targeted campaign. Spidey-sense is alive and well in all of us, and it presents a great opportunity to organizations to harness it in order to help them detect early stages of attacks, or security problems.  Harnessing this skill is an essential part of creating the cyber situational awareness that enables secure, self-aware companies.