Sunday, July 18, 2021

Cyber Security - professional training options

Throughout my time working in Cyber Security, I have attended a variety of different security training courses that have helped me to successfully attain a selection of professional qualifications. There are four main training options available to you. Before committing to one you’ll want to consider what options are available and assess the suitability of each to your needs.

In the following article I have assessed each of the training options and rated them according to cost, speed and convenience factors. These have been ordered with the lowest cost options first.

If you are unsure if security qualifications justify the commitment I suggest reading a supporting article I produced covering this topic.

Self-study

In 2017 I successfully passed the Cloud Security Alliance CCSK qualification and more recently the ITIL Foundation exam in 2020. This option is well worth considering but despite the low cost may not be suitable for everyone.

Cost: Low
This just includes the cost of the study materials.

Speed: Slow
This is driven by your self-motivation and the amount of time you can commit to study. From personal experience it has taken up to 6 months to prepare for an exam through self-study.

Convenience: High
You get to take the training at times that suit you rather than committing to set dates / times.

Suitability

This is ideal if you:

  • Are looking for a low-cost option
  • Are able / willing to commit the time and effort required
  • Can balance the training around your other commitments
  • Can self learn without support / guidance from an instructor
  • Don't have time pressures to achieve a qualification quickly

Assessment

This is by far the most cost-effective option, but it's highly dependent on your ability to motivate yourself and commit to the study.

If you're struggling for motivation I suggest booking the exam in advance but give yourself enough time to complete your preparation. This gives you a timeline to work towards and the deadline acts as a great motivating factor!

Whilst you don't have support from an instructor, there is likely to be a wealth of materials available to you and online communities that provide a level of support / guidance.

On-demand training

I have attended several on-demand training courses through SANS including web application security, ethical hacking and incident management. Of the three courses I only took an exam in web application security and passed this in 2012. I had an incredibly positive experience in the use of the SANS platform.

As an alternative to specialist training providers like SANS, I have experience working with learning platforms such as those provided by Pluralsight and Percipio. They cover a broad range of training topics at a far lower cost. These types of platforms are ideal for supplementing your self-study, but be aware that the quality of training offered can be highly variable.

Cost: Low to Medium
The cost of this option will vary according to the vendor you attend the training with. Dedicated training such as that provided by SANS is comparable in cost to instructor led training. Learning platforms come at a much lower cost but should be considered a supplement to, rather than a replacement for, self-study.

Learning platforms provide you with access to a range of courses for an ongoing monthly fee. Specific courses you sign up to will give you access to the on-demand training materials for a set duration (e.g. 3 months) with the potential to extend access at a cost.

Speed: Medium
You can do the courses at your own pace. This is likely to be slower than instructor led training, especially if you are having to balance multiple commitments.

Convenience: High
This is the main selling point of this option. You get to take the training at times that suit you rather than committing to set dates / times.

Suitability

This is ideal if you:

  • Are able / willing to commit the time and effort required
  • Can balance the training around your other commitments
  • Can self learn with minimal support / guidance
  • Don't have time pressures to achieve a qualification quickly

Assessment

This is an ideal alternative to self-study as the training is far more engaging. There is a significant difference between booking a particular course on demand and subscribing to a learning platform. If you book a particular course the costs can be comparable to instructor led training.

If you opt to use a learning platform I would advise using it as a supplement to, rather than a replacement for, self-study.

Instructor led (in person or virtual) training

I have had the opportunity to attend a selection of in person and virtual training courses. Most recently I attended ISACA hosted training for CRISC in 2020 and went on to successfully pass the exam.

Cost: Medium
The cost of this option will vary according to the vendor you attend the training with and whether it's in person or virtual. Even at the top end, it is likely to cost less than the bootcamp equivalent.

Speed: Medium
The courses are less intensive than a bootcamp. From experience they tend to span a typical working day (e.g. 9 – 5). For the major cyber security qualifications, expect to do significant self-study to supplement what you learn in the training sessions.

Convenience: Medium
The shift to remote / virtual training has improved the overall convenience of attending this type of training, although you do lose the additional benefits of learning in person in a classroom setting.

Suitability

This is ideal if you:

  • Want to supplement your own self study with instructor led training
  • Need support with understanding / learning the material
  • Can commit to attending fixed time / date sessions
  • Struggle to motivate yourself through personal study

Assessment

Instructor led training will help you to understand the more complicated topics and will support you in preparing for the exam.

You should consider this as a supplement to self-study. From experience I have had to commit to far more personal study prior to the exam than was required after attending bootcamp training.

Bootcamp

I have only had the opportunity to attend one training bootcamp. This was back in 2016 when I was preparing for the ISACA CISM exam. The course was held by Firebrand. Overall, I had a positive experience and went on to successfully pass the exam a week after finishing the course.

Cost: High
Given the intensive nature of the courses you should expect to cover the cost of food and accommodation as well as the course fee. This is the most expensive option.

Speed: Fast
Bootcamps provide an intensive experience that forces you to focus and study in preparation for the exam. This is by far the quickest option. It would be difficult to motivate yourself to emulate this through self-study. Well, certainly from my own experience!

Convenience: Low
The likes of CISM and CISSP have respective bootcamps spanning between 4 and 6 days. These courses require you to dedicate your time across long days with the addition of self-study in the evening.

Suitability

This is ideal if you:

  • Can cover the higher expense, or this is being picked up by your company
  • Need to achieve the certification quickly
  • Can commit to dedicating up to 6 days intensive study
  • Struggle to motivate yourself through personal study

Assessment

This is a great option to pass an exam quickly but comes at significant cost. It also requires a high level of commitment over a period of up to a couple of weeks.

Even though these courses will cover all the topics within the exam I would still advise you to do some study in advance of the course as this will help you to maximise the value of your training.

Final thoughts

The table below summarises the training options and shows you the trade-offs between the cost, speed and convenience factors.

                 Cost            Speed    Convenience
Self-study       Low             Slow     High
On-demand        Low to medium   Medium   High
Instructor led   Medium          Medium   Medium
Bootcamp         High            Fast     Low

In reality I have always taken a hybrid approach combining multiple training options rather than any one in isolation. The key is in finding an approach that works for you whilst balancing each of the factors to fit your needs.

Some of the training options will include the cost of the exam. The exam cost alone can be considerable.

It's important to note that the quality of study materials, training courses and instructors can vary considerably even within one particular vendor. I advise doing some research on a given vendor and ideally speaking to others in the Cyber Security community to get an idea of who's good and who should be avoided.

Thursday, July 1, 2021

How to identify people related phishing vulnerabilities

Phishing is a significant threat to organisations and remains a common vector that threat actors use to compromise them. Whilst traditional email defences will block most malicious emails from reaching your employees, there will always remain a portion that gets through. This is where the security capability of your employees is key in the detection and reporting of phishing-based threats.

In this article I’m focusing on how to gain visibility of people related phishing vulnerabilities to support in increasing the security capabilities of your own employees. Whilst technical controls remain important, the people related aspects are often overlooked and under-resourced. This is not surprising with many referring to people as being the weakest link in company security. A paradigm shift to seeing them as a significant asset in your defence in depth approach to security will deliver significant value and increase the effectiveness of both your technical and process related controls.

What do you want to achieve?

Your goal is to reduce the risk phishing poses to your organisation. Whilst you will never eliminate the risk, you can take significant steps towards achieving your goal through the delivery of the below objectives:

  • Building visibility of people related vulnerabilities;
  • Increasing the capability of staff to spot phishing scams;
  • Increasing the willingness of staff to report phishing.

The following sections look at each of these objectives and describe what actions you can take to achieve them.

Building visibility of people related vulnerabilities

Undertake phishing testing against all staff or targeted individuals / groups at frequent intervals. Whilst tests need to run at set intervals, make sure they aren’t done too frequently (i.e. more than once every 6 weeks to the same individual) and check that the timings aren’t predictable.

You will need to vary the lures, difficulty and types of phishing (link, attachment, credential harvesting) to identify which employees are susceptible to certain types of threat. Prioritise testing according to the genuine threats employees are proving vulnerable to.

Increasing the capability of staff to spot phishing scams

As you increasingly identify people related vulnerabilities, you will need to deliver bespoke / targeted training and awareness to help increase staff capabilities. Whilst bulk training may help to improve general capabilities around basic phishing threats, it will not help your staff to identify the more sophisticated threats that are being specifically targeted at individuals in your organisation.

Everyone is susceptible to phishing, but the level of difficulty and the lures that work vary from person to person. You need to identify these and specifically focus on addressing the needs of individuals.

Increasing the willingness of staff to report phishing

Build a culture of security where employees know the importance of their role in keeping the organisation safe. You want employees to report phishing emails quickly to give the security team the opportunity to mitigate the threat before a wider audience has the opportunity to be compromised by it.

Building visibility

Visibility of people related phishing vulnerabilities can be achieved through a combination of operating phishing testing and analysing genuine threats. This will provide great insight into the types of emails individual employees are vulnerable to.

When running phishing testing against your employees you will find it challenging to understand individual vulnerabilities when the main measures you have to work with are:

  • Click rate - based on links;
  • Compromised rate - based on staff giving away sensitive information (data harvesting) or clicking on suspicious attachments;
  • Average Failure Rate – benchmarked failure rate across different organisations.

Whilst these are useful indicators in trending progress at an aggregated (high) level, they are not particularly suited to explaining vulnerabilities at a granular level.

NIST Phish Scale

In 2020 NIST published a research article introducing a means of categorising human phishing difficulty using a method called Phish Scale. The method uses a scoring mechanism to calculate the difficulty according to the number of cues visible in the email combined with the premise (applicability, alignment or relevancy) to the organisation. Premise considers the threat within the context of both inside and outside of the organisation.

One of the key failings of using a benchmark figure to compare organisations is that the premise (context) rating of the phishing threats will vary across organisations. For instance, a phishing email themed on a technology has a far greater likelihood of being effective if a given organisation is using that technology. So what is a difficult threat in one organisation may lack relevance and be perceived as easy within another.

As with any research paper the challenge is to take it from an academic concept and apply it to provide beneficial outcomes in a real-world scenario. The method (unlike many others) can be fairly easily translated into a workable assessment tool even if this is just via a Spreadsheet.

Whilst the fundamentals behind the method are great there are still opportunities for refinement.

Phish Scale - potential improvements

I have personally supplemented the existing cues to include unfamiliar tone, overly vague and unusual request as well as updating cue names, descriptions and criteria to make them easier to understand / apply.

The common tactic section of cues suffers from being very specific. In this form, for the list to be effective it would need to be actively developed and would require ongoing maintenance to keep it relevant with changing tactics.

The list can be more effectively represented through utilisation of the 6 types of social power. Each of the existing tactics can be matched to at least one social power. I recommend reading the linked article to understand more about these. They are useful in building an understanding of the techniques used by threat actors to persuade people to undertake their desired actions.

The premise calculations provide a good articulation of context but it is valuable to detail the lure/s (something that tempts or is used to tempt) used in the email as these are important factors in understanding why certain individuals are proving susceptible to it.
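The method described above, together with the additions proposed in this section (extra cues and recorded lures), translated into the kind of small assessment tool the text says a spreadsheet could provide. This is an added example, not code from the original post or from NIST: the cue bands, premise bands and difficulty matrix are assumed placeholders standing in for the published Phish Scale values, and the campaign data is constructed.

```python
# Added example, not code from the original post or from NIST: a spreadsheet-
# style Phish Scale assessment carried through to per-employee reporting.
# Bands and difficulty matrix are ILLUSTRATIVE ASSUMPTIONS, not NIST's values.
from collections import defaultdict

# Illustrative cue names: NIST-style cues plus the three the post adds.
KNOWN_CUES = {"spelling_error", "sender_mismatch", "generic_greeting",
              "link_mismatch", "urgency", "unfamiliar_tone",
              "overly_vague", "unusual_request"}
def cue_band(cue_count):  # fewer visible cues = harder (assumed bands)
    return "few" if cue_count <= 3 else "some" if cue_count <= 7 else "many"

def premise_band(premise_scores):  # each premise element assumed scored 0-4
    total = sum(premise_scores.values())
    return "high" if total >= 12 else "medium" if total >= 6 else "low"
# Assumed matrix: strong premise alignment with few cues is the hardest case.
DIFFICULTY = {
    ("few", "high"): "very difficult", ("few", "medium"): "very difficult",
    ("few", "low"): "moderately difficult", ("some", "high"): "very difficult",
    ("some", "medium"): "moderately difficult", ("some", "low"): "least difficult",
    ("many", "high"): "moderately difficult", ("many", "medium"): "moderately difficult",
    ("many", "low"): "least difficult"}

def assess_email(email):
    """Rate one test or genuine email, keeping its lure as the post recommends."""
    cues = set(email["cues"]) & KNOWN_CUES  # unknown cue names are ignored
    band = (cue_band(len(cues)), premise_band(email["premise"]))
    return {"difficulty": DIFFICULTY[band], "cues": len(cues), "lure": email["lure"]}

def vulnerability_profile(emails, outcomes):
    """Per-employee failure counts by difficulty and lure, instead of one
    aggregate click rate. outcomes: iterable of (employee, email_id, clicked)."""
    rated = {e["id"]: assess_email(e) for e in emails}
    profile = defaultdict(lambda: defaultdict(int))
    for employee, email_id, clicked in outcomes:
        if clicked:
            profile[employee][rated[email_id]["difficulty"]] += 1
            profile[employee]["lure:" + rated[email_id]["lure"]] += 1
    return {emp: dict(counts) for emp, counts in profile.items()}

# Constructed sample: an aligned payroll lure with two cues and a generic
# prize lure littered with cues, sent to three employees.
EMAILS = [
    {"id": "t1", "lure": "payroll update", "cues": ["link_mismatch", "urgency"],
     "premise": {"workplace_process": 4, "relevance": 4, "consequence": 3}},
    {"id": "t2", "lure": "prize draw", "premise": {"workplace_process": 0,
     "relevance": 1, "consequence": 0}, "cues": ["spelling_error", "generic_greeting",
     "sender_mismatch", "link_mismatch", "overly_vague", "unusual_request",
     "urgency", "unfamiliar_tone"]}]
OUTCOMES = [("alice", "t1", True), ("alice", "t2", False), ("bob", "t1", True),
            ("bob", "t2", True), ("carol", "t1", False), ("carol", "t2", False)]
```

Calling vulnerability_profile(EMAILS, OUTCOMES) shows that bob fails even the "very difficult" payroll lure while carol fails neither, which a single click rate would hide; re-scoring the same payroll email with zero premise alignment drops it to "moderately difficult", illustrating why one benchmark figure does not transfer between organisations.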

Summary

The NIST Phish Scale method has helped me to fill a gap in understanding people related vulnerabilities. It can be applied to both test phishing campaign emails as well as genuine phishing emails. Through combining your existing indicators with those within the Phish Scale method you can help to build actionable intelligence that can enhance the security capabilities of staff in your organisation.