The 2022 Verizon Data Breach Investigations Report (VDBIR) shows that 88% of all incidents involve a human element as a contributing cause of the breach. Why are people not getting this? Why are they so bad at basic security? Yes, some of them are just stupid. But that's the minority of people, so we can't hang our hat on that. Maybe it's because we security practitioners, law enforcement investigators, and crime-prevention specialists are just not very good at our jobs. Maybe?
Leadership expert Simon Sinek has a model called the Golden Circle which provides a vehicle to help leaders better communicate company goals and achieve employee buy-in of the mission. Traditional top-down communication starts from “what”. What to do, or not to do, and then moves to how to get it done. The "why" of a task is only explained if the subordinates ask enough, and even then the answer is usually something along the lines of "because we said so".
Sinek proposes that true leaders start with the "Why". The conversation starts with an explanation of why something needs to be done and details the positive benefit the task will have on the organization and the employee. The leader gets buy-in for the project before they move to the hard details of the what and how.
As security and crime-prevention practitioners we are super at telling people what to do, and how to do it, but do we ever really explain the why? Our awareness training sessions usually go something like this: This is a phishing email. This is how you can tell it's a phishing email. "Bad things" will happen if you click the link in this email. O.K. Thanks for your time and we'll see you all again next year.
Did we get buy-in? Or did we only do security theater?
What if we started with the why?
“A security incident costs the average business 3.2 million dollars and can bankrupt a small to medium organization. It's not only the cost to repair the damaged system but also the loss of business. The average ransomware payment is $136,000, with millions more lost due to employee and system downtime. On average, a company victimized by a Business Email Compromise attack will incur a loss of 5.1 million dollars. It's way bigger than just the financial loss; you and your colleagues can lose your jobs. Cybercrime expenses are cut from the bottom line. Even if the loss is covered by insurance, our premiums will go up exponentially. Studies show that once a business loses a customer from the publicity of a security incident, they don't come back. One poor decision, a single mouse click, can have devastating consequences for our organization. O.K., now that we know the why, let us examine the anatomy of a phishing email and some ways to quickly identify them.”
This seems like a more effective method of delivering security training. Let's change our mindset, start with the WHY, and reduce the human element involved in future security incidents.
Say it ain't so, Timmy
I love Tim Hortons coffee. I don’t know if it’s really a higher quality or just that I only get it every so often when traveling up north, so it’s “exclusive”. Regardless, it’s a treat for me and I’m devastated to hear they are such a shitty company. They programmed their smartphone application to violate just about every tenet of privacy and respect for the customer.
The app asked for permission to access the mobile device’s geolocation functions, but misled many users to believe information would only be accessed when the app was in use. In reality, the app tracked users as long as the device was on, continually collecting their location data. The app also used location data to infer where users lived, where they worked, and whether they were traveling. It generated an “event” every time users entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace.
Kudos to Canada for holding them accountable. I’m not naive enough to think they’re the only company doing this, so hopefully it sends a message to the rest.
https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/
Government
This article is about ransomware criminal groups rebranding to avoid sanctions, but the deeper issue is that the federal government conducted a “year-long” study about ransomware only to find out that “70 percent of global ransomware revenue in 2021 went to entities likely located in Russia or tied to the Russian government”. Did you really need to study it for a year to figure that one out? Good grief, no wonder nothing gets done. https://thehill.com/policy/cybersecurity/3509741-ransomware-groups-rebrand-to-dodge-sanctions/
Baby formula a boon for fraud
I don’t know who’s responsible for the current baby formula crisis, but the only group benefiting is grey-market sellers and scammers. The fear of not being able to feed your infant child is creating a scammers’ paradise, as they can charge obscene prices for the product and in some cases for product that doesn’t even exist. Trend Micro found several fraudulent web stores offering an abundant supply of formula. https://news.trendmicro.com/2022/06/03/baby-formula-shortage-text-scam/
More Government
A new report issued to address the federal government’s inability to address the nation’s cybersecurity crisis outlines a path for the National Cyber Director to strengthen the federal cyber workforce and recommends actions for Congress to support efforts to grow the cyber workforce. I’m willing to bet in two years another report is issued intended to address the exact same issue. https://cybersolarium.org/csc-2-0-reports/workforce-development-agenda-for-the-national-cyber-director/
The Rest…
The Federal Trade Commission claims they have the solution for “junk mail”. https://consumer.ftc.gov/articles/how-stop-junk-mail
The FBI issued an alert warning us that scammers are using the crisis in Ukraine as a basis for fraud. Ah, yeah. Duh. https://www.ic3.gov/Media/Y2022/PSA220531
Harrisburg, PA man sentenced to 24 months in federal prison for running a SNAP benefits scam that netted him 1.8 MILLION dollars. Why was this that easy? Why did it take so long to detect the fraud? https://www.justice.gov/usao-mdpa/pr/harrisburg-man-sentenced-24-months-imprisonment-unlawfully-exchanging-18-million
Angry woman tracks her cheating boyfriend with an Apple AirTag and then runs him over with her car, killing him. https://sports.yahoo.com/woman-faces-murder-charge-man-164535985.html
Cool Job
Security Coordinator - Facilities and Intelligence: Major League Baseball
https://www.mlb.com/careers/opportunities?gh_jid=4244201
Cool Tools
OutlookAttachView scans all messages stored in your Outlook and displays the list of all attached files that it finds. You can easily select one or more attachments and save all of them into the desired folder, and you can also delete unwanted large attachments that take up too much disk space in your mailbox. You can also save the list of attachments into an xml/html/text/csv file.
https://www.nirsoft.net/utils/outlook_attachment.html
Irrelevant
Four tips common to 100 of the greatest commencement speeches.
https://ideas.ted.com/100-graduation-commencement-speeches-common-tips-advice/
Thanks for opening this week’s email. It’s high-school graduation season, so congrats to everyone who has a new graduate in their family. What an exciting and terrifying time!
Matt
“A multitude of bad ideas is necessary for one good idea” - me justifying all my bad ideas.