Tuesday, June 21, 2022

Security Awareness Training Issues

Issues we've seen with some Security Awareness Training that limit its effectiveness, and ideas on how to improve it.

Does your solution suffer from these issues?

Training notifications resemble spam in a few ways (a sense of urgency, a link to click) on top of being overly frequent and annoying, and that is likely why we have seen them blocked, labelled Junk/spam, and otherwise ignored.
   
* The notifications don't give the assignee an idea of how long the training will take.  For busy staff, especially those who have to track every hour (or smaller increments, as is the case for many professional service people) as billable, this makes it very hard to schedule into their plans, and therefore more likely that they defer it until they have a larger block of time and the ability to listen to the content, so they can complete it in one go.
      To Fix:  List the estimated time to complete, whether it can be paused or must be completed in one go, and the format (a video with or without audio, just a slide deck, or something else).
   
* Training is presented very piecemeal. Each element/training has its own mail stream, so a busy person in crunch time can build up several queued training assignments and end up with multiple nagging messages a day.  They clutter up email, the key production communication tool, and junk mail handling is the easiest way to get them out of the way.
      To Fix:  Consolidate those nag messages in some fashion.  The default should be one a day, with options, both for administrators and for the end user, to set the preferred time and frequency to better reflect the local conditions of The Work (the reason the business exists; the training is a secondary support function that won't be allowed to wag the dog).
 
* Training alerts are currently oblivious to work schedules, even the most standard one of Monday to Friday.  The alert nag is based on X calendar days, not even X business days, so trainees are getting alerts outside business hours.
 
* If an assignee has been able to disconnect from email (weekends, vacations, collapse from overdoing a crunch, etc.), then they return to a flood of those nags mixed in with all the other built-up demands on their time, and the nags get added to the rest of the junk mail handling.
 
* If an assignee is trying to use a weekend, a normally quiet time, to get The Work done, the alerts are an interruption, and again they go off to junk mail handling or similar in favour of The Work.

* If an assignee is only paying attention to email on a weekend for emergencies (because it is normally a quiet time; vendors who send their marketing on weekends get down-voted!), then any training alerts will only add to frustration with the training and be invited into the junk mail handling process.
      To Fix:  Default to X Business Days, not X Calendar Days, for the training reminders, with the two as clearly separate options.  Business Days need to reflect the local statutory and common holidays, and it would be nice to be able to configure business-specific days that are reserved for things other than such secondary functions.   A bonus would be a way to include (sync?) people's vacation schedules so the training timers pause over their scheduled time off.  Perhaps this could also be the way to include business- and/or region-specific off days.
      
Related to the off-hours notifications the system currently sends: these notifications run up against a new legislative trend to protect employees' personal time (that whole work/life balance thing).  Ontario is the first of the pack to have such legislation, and off-hours notifications put organizations based here in a rough spot; we may well be forced to find other training providers that respect the Right to Disconnect.
https://www.ontario.ca/document/your-guide-employment-standards-act-0/written-policy-disconnecting-from-work 

Saturday, April 2, 2022

Why SSL(TLS) is a must for all websites.

What is SSL/TLS?

SSL, and its successor TLS, are the evolving encryption protocols that make the difference between a web page served over HTTP, which can be intercepted and ALTERED in transit, and a page served over HTTPS, which is encrypted and backed by a chain of trust that makes it extremely difficult to view and even more difficult to alter in any way.  If you want to know more, you can read more here.

This post answers two questions:

 - Why are some browsers making so much noise about how untrustworthy your site without SSL/TLS is?

 - Why is your unsecured site so low in the search engine rankings?

Reason #1, the big one.

If your website doesn't have proper TLS/SSL encryption in place, then anyone who can intercept a person's browsing can easily inject whatever hostile code they desire. It could be anything from just changing what is showing on the page ("this site hacked!") to silently injecting the latest ransomware or worse.

You want your readers to get the message you so carefully crafted, not something else, and you don't want them to equate you with putting malware on their system.

Reason #2
There is a pile of malicious scanning going on all the time, and just forcing your site to HTTPS causes a good portion of the scanning hitting your site to simply go away.  One of my sites was getting many dozens of links a month from very dubious sites before I forced a switch to SSL; then they just went away.

Then there is the whole cyberwar part of it, where you could be caught in the middle of the big boys playing, as was clearly happening as part of a real hot war with the Russian invasion of Ukraine, as written up at the Internet Storm Center, where an entire block of IP addresses was redirected to another set of servers away from Twitter for a portion of the world.  There are just too many ways for Man-In-The-Middle attacks.

So assuming you:

 - Don't want your readers scared away by the browser warnings

 - Don't want your readers to get used to a bad security practice because you taught them to

 - Don't want your readers' devices to become part of a hostile botnet, or worse.

 - Would like (love?) your content to be more readily found by having a higher position in the search engines.

To get there

This is done on the web server itself, where you either pay for a certificate or use a free certificate service such as Let's Encrypt.  First you want to make sure your site works with the certificate so that you get that lock in front of your URL (aka address) in the browser, and then you want to set it so that all attempts to come in unencrypted (port 80) get flipped/redirected to encrypted (port 443).

If you built your server yourself, it is time to go RTFM for this, as it is well documented for all web servers and many others have written about the process. Your favourite search engine can also point you to resources.
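What those two steps look like on a self-managed web server, as an added nginx example that is not from the original post; the hostname, web root and certificate paths are assumptions, with the /etc/letsencrypt/live/ layout being what certbot writes for a Let's Encrypt certificate.

```nginx
# Constructed example: nginx configuration for the two steps described above
# (first serve the site over HTTPS, then redirect all plain HTTP to it).
# example.com, /var/www/example.com and the certificate paths are assumptions;
# /etc/letsencrypt/live/<name>/ is where certbot stores a Let's Encrypt certificate.

# Step 1: the encrypted site on port 443. Get this working first and confirm the
# lock icon appears before turning on the redirect below.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem includes the intermediate certificate the browser needs to
    # build its chain of trust; privkey.pem must stay readable only by root/nginx.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Only modern protocol versions; SSLv3, TLS 1.0 and TLS 1.1 are obsolete.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Once HTTPS is confirmed working, tell returning browsers to skip HTTP
    # entirely for a year. Leave this out while still testing, because a
    # cached HSTS policy cannot be revoked quickly if the site has to go back.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/example.com;
    index index.html;
}

# Step 2: everything arriving unencrypted on port 80 is sent to HTTPS.
# 301 is a permanent redirect; $host and $request_uri keep the requested page,
# so deep links and search engine entries continue to work.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    return 301 https://$host$request_uri;
}
```

Run `nginx -t` after editing and reload; then request the site over plain HTTP and confirm you land on the HTTPS version of the same page.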

If you are using a more typical hosted service, there is a very good chance the ability is sitting there in your control panel, just waiting to be turned on. Automatic free encryption has been a part of cPanel for a couple of years now (my hosters turned it on automatically for me), and a quick search shows that many of the others have a similar feature.  So take a look at your control panel, use the knowledge base most hosters set up, or even contact your support to see how good they are.

There will be attempts to up-sell you to a higher grade of certificate.  If you just have a basic, low-volume static site, then there is no real value in the "enhanced protections".  If you are gathering anything beyond comments and email addresses, such as e-commerce orders, then an actual purchased certificate makes some sense.  If you do go with a purchased certificate, make sure your hoster manages it and that the update/renewal process (which they should have) is automated, as certificates only last a year or less.

Do you require any assistance in securing your systems? Perhaps we can help.