Michael Eriksson's Blog

This October 31st we have that yearly horror of my current client’s, that thing that has the employees groaning and wishing they could be somewhere else, that most dreaded part of the year.

No, not Halloween: The deadline for the annual security awareness training.

There is so much wrong with it that I hardly know where to begin—and honestly doubt that I will manage to remember all issues. To give it a try:

1. In order to complete the training, an online course, it is necessary to use a Flash* program/lecture/presentation/interactive course/whatnot loaded over an external** website.

   Pause right there: It is necessary to use a FLASH program from an EXTERNAL website—in order to take a SECURITY course.

   In other words, the greatest single endangerment of my work computer and my clients internal network that I am involved with in the course of the year is the security course…

   As one of the colleagues remarked, he actually considered the possibility that the course was some form of test: Refuse to take it and complain to the security officer—automatic pass. Take the course—automatic fail.

   *Writing this, I contemplate the minor possibility that the course might have been re-written to use some variation of HTML5 and JavaScript, although it still felt and acted like Flash—unlikely, but possible, and I mention it for the sake of fairness: Last year, I definitely had to take actions to re-activate Flash and to grant it access to the sound system, things I have de-activated as a matter of course. This year, I did not. It could be a re-write, it could be that some automatic update had re-activated/-reset Flash. (Something that has happened repeatedly in the past with this client.) I also have JavaScript deactivated, as a matter of course, but since I deliberately switched from Firefox to IE for the duration of the course, the fact that I did not have to reactivate JavaScript means nothing.

   **I am unaware of the actual authorship of the program and to what degree the client is able to control contents. However, the contents are most definitely from an external website, implying that even if the program was non-malicious to begin with, there is no guarantee that it still was so at the time of the download. Of course, Flash is well-known as one of the greatest security horrors, with the most vulnerabilities, of any web-based technology. It is no coincidence that even those who once were hailing it as the future are now distancing themselves, nor that future developments will not take place: Earlier this year, Adobe, the maker of Flash, announced its end-of-life.

2. The presentation is poorly made, with many unnecessary moving objects, artificial and droning voices, and other annoyances and distractions. The general format is similar to a PowerPoint-style presentation: Imagine someone being given an extensive introduction into the various features of such a presentation program—but not one word on how to make a good presentation in any non-technical regard. Imagine this someone, as such people often do, go nuts with using any feature available without any regard for anything but feature use. That type of presentation is the equivalent of this course.

   Why a presentation style course instead of possibly two pages of text and a questionnaire to begin with? Beats me…

3. Most of the contents are too trivial to keep a computer professional out of boredom or to teach him anything really useful. On the outside, different courses for different target groups, with different skill levels, should have been provided. I, e.g., have read several books and many articles on various topics related to computer security, including two by the infamous Kevin Mitnick on social engineering. What do I gain from being shown one or two presentation slides that amount to “watch out for social engineering”? Nothing: Either I already have a certain knowledge and understanding or I do not. In doubt, chances are that I would be better qualified to hold a course in computer security for the makers of this course, than they are to hold one for me…

   (A partial explanation might be that the keyword is not so much “security” as “awareness”: The intention is likely less to educate people about security and more to remind them of the importance, which also explains why what amounts to the same course is mandatory every year, rather than just once. This is to some degree something that can be of value even to those with a considerably above average knowledge. It is also something that could be done much, much more efficiently and effectively, and without boring the “students” to tears.)

   To boot, the general level of the course is truly for the “lowest common denominator”, suitable for high-school drop-outs, and extremely condescending: Let’s see if you can help Mary avoid phishing! I can only be thankful that this was not a course on dogs or English: See Spot run…

4. Considering the low amount of actual content, the course is much too long*, especially since there is a boredom factor, with the ensuing lack of concentration—and I repeatedly caught myself drifting off to the point that I had missed was what said. Cutting it down considerably would have resulted in something with greater educational value (for those weaker in knowledge) for the simple reason that they would be that much more focused. For those already knowledgeable, it would have shortened the pain.

   *I did not time my effort and also paused the course several times to answer questions concerning/suggest solutions for a work problem—as well as getting at least two cups of coffee. However, in a guesstimate, the actual “course time” might have been around two hours. At any rate, even materials for a beginner should have been coverable at, say, three times the tempo used; for those knowledgeable, with less material needed, there was likely less than five minutes worth of content…

5. Interactive questions: The progress checking takes the form of a number of multiple-choice and match-left-item-to-right-item style questions to answer. Most of these are fairly useless and/or can be answered without taking the course based on common sense and an ability to guess what type of answer this type of test maker wants to hear. (The reader might recognize the latter part from high school or some social-science course in college.) This to the point that several questions are of the type “Which of these items are dangerous?”—with the correct answer “all”.

   At the same time, some require actually deliberately giving a wrong answer, because there is no logic or insight behind many of them, merely a mechanical comparison to earlier examples. Notably, I needed three* tries to answer a matching question for the simple reason that I matched the label “quid-pro-quo” to an example actually containing a quid-pro-quo… Unfortunately, the test makers did not follow the normal meaning of “something-for-something” in a trade/barter situation (where, for all I care, one of the parties might be dishonest), but instead intended something along the lines of “pretending to offer something so that someone else unwittingly would give up something valuable” (specifically, “pretend to want help you with your computer so that you thoughtlessly give access to it”)—something incidentally matching the normal meaning of another item, “pretexting”, very well… The intended match for “pretexting”, in turn, had very little to do with the normal meaning of “pretending to want something in the hope of actually getting something else” or “using the claim of wanting something as an excuse for an action with a different agenda”, but instead referred to a social-engineering practice of pretending to know something/being someone, or offering a bit of known information, in the hope of learning something new that could later be used for further infiltration.**

   *Multiple tries are allowed, which reduces the insight needed even further, especially with the low number of possible answers. However, rumor had it that there is a three-strikes limit, and I did grow a bit nervous there. Specifically, I got the first try wrong due to quid-pro-quo and, not even reflecting on the possibility that that could be the issue, I just turned two other matches around, and failed again (because quid-pro-quo was still in the “wrong” match.)

   **Disclaimer: I go by memory here, not having access to the actual questions at the moment. It is conceivable that my details are off—but not the overall principle.

   In such cases, it might actually be an advantage in not being a sharp thinker and not having much prior knowledge. Notably, someone who lacked an understanding of quid-pro-quo (e.g. a high-school drop-out…) might just go blindly by the examples to begin with, and get it “right” in one attempt.

   To my recollection, I had one other answered turned down: In a “chose all things on this computer desktop where secrecy is needed” (or similar) scenario, I reasoned that the test makers probably wanted to see the icon for MS Word included, seeing that careless use of MS Word can be a confidentiality issue*. They did not: They argued that MS Word is a program and, unlike data, is not a matter of confidentiality. This actually matches my own opinion, but it was also a distinction that I had judged to be beyond the intellectual horizon of someone engaging in such extreme dumbing down. In other words, the format and “stupid” questions, which moved the test taker to not give the right answers, but the “right” ones, back-fired on me.

   *Notably, the totality of the information present is not necessarily equal to what can be read in the document, due to meta-information, “track changes”, comments, and possibly some other mechanisms. Say that the sender of a document has the display of “track changes” turned off, the recipient turned on, and that the changes contain confidential data (or e.g. derogatory remarks).

6. Some of the items take an attitude which is practically unrealistic or too focused on the security aspect. For instance, one question described a situation where someone dropped a report of some type near a fax machine, despite this type of report normally only being sent by email: Guessing the intentions of the test makers correctly, I opted to keep quite in the moment and bring the issue to the immediate attention of HR. In theory, this might be a good idea. In real life? Probably a very bad idea: There is an undue risk for both me and the other party, in that I could be seen as paranoid, untrusting, or unfriendly (especially if details got out or I had bad luck with the who-knows-whom), and the other party might see his reputation hurt by unfair suspicions—bear in mind that most instances of suspect behavior actually have a non-malicious explanation. Left to my own devices, I would probably have just asked for an explanation, feigning casually curiosity*. Depending on what that explanation ended up being (possibly including factors like delivery), I might or might not have talked to HR or made some alternate research. For instance, if the answer was “Bob is stuck with a dead lap-top battery and needs the report urgently for a customer negotiation”, I would have pretended to take it at face value—and at first opportunity, again casually, brought the topic up with Bob. Now, if Bob had a different story, then I would have talked to HR**.

   *As opposed to the “confront” alternative given among the multiple choices.

   **Or someone like the security officer, the other party’s boss, whatnot. Depending on company culture, regulation, and the individuals involved, HR is not necessarily the best starting point—nor even necessarily a good one. In fact, I suspect that a partial reason why HR was the “right” answer is that going to HR puts the employer in full charge of the process, which might be preferred for reasons unrelated to security topics (but is not automatically in the best interest of the other parties involved). From another point of view, many people in corporate hierarchies see themselves as necessarily smarter, having better judgment, being better educated, whatnot, than those theoretically lower in the hierarchy. This might be true when most of the employees are e.g. uneducated factor floor workers or clerks. In my field of work and during my career, a Master’s degree in a STEM subject has been the norm, and the situation is correspondingly very, very different. (Admittedly, this is changing for the worse over time.)

7. Many highly needed pieces of advice (to the uninformed) are left out, notably safe-surfing tips like “make sure that Flash and JavaScript are deactivated per default”…
8. Technical problems: At least two colleagues have complained about program interruptions and state not being saved, forcing them to start over—with something that was a chore the first time around. I suffered a “website not responding” scare my self, but program execution resumed shortly after.
9. Political correctness: There are plenty of images of people (none of them adding any value). To my recollection, only one features a white man: An image of a disgruntled employee, out to do harm to his employer, sadly hunched over his computer, face hidden. The rest were women, various non-Whites, or both—all smiling, happy, beautiful.

   (It is saddening that this topic pops up even in a context where it should be entirely irrelevant.)