NCSAM, A Personal Security Crash Diet
Category: Rapid7
It’s October, and that means it’s time to kick off the 2017 National Cyber Security Awareness Month. NCSAM is an annual campaign to raise awareness of cyber security risks and to improve the online privacy and safety habits of public organizations, private companies, and individuals. If you’re in security and have pretty much any family, you’ll appreciate how difficult it can be to inspire more secure habits around connected technology. Almost everyone I know in security has a friend, a kid, a father-in-law, or some other family member who, despite their most patient education efforts, refuses to lock down their social media profiles, pick good passwords, or learn what 2FA is.
So, this year, we’re probing the boundaries of this consumer/infosec divide. We’re running a month-long experiment in designing a “crash security diet,” where we follow one lucky(?) Rapid7 employee around for the next few weeks and try out all the security advice that is commonly espoused, regardless of whether it’s commonly followed. Our goal is to identify some easy, quick wins that are useful for regular, non-security-nerd people, and to learn what’s realistic for normal people to actually adopt.
Our candidate for this security diet is “Olivia” (not her real name), a mid-twenties professional in Boston, Massachusetts. Now, while Olivia works at Rapid7, a company that does promote a certain level of security tech savvy, she’s not a researcher or a hacker or anything like that. Her job functions, like most everyone’s, have some technical components, but after going over her day-to-day attitudes and lifestyle, both on and offline, she looks to be a pretty typical young urban American. She goes to work every day, uses a pretty standard complement of social media services, and is constantly tethered to friends and family in the online world by her smartphone. That said, she pretty squarely fits the WEIRD demographic (Western, Educated, Industrialized, Rich, Democratic), so some of her experiences will be atypical for someone with a different personal and cultural background.
Setting Security Expectations
Rather than try to predict ahead of time what’s useful and what’s not, our plan is to throw pretty much every bit of common security advice at Olivia so she can test drive it all over the course of National Cyber Security Awareness Month. This will include things like making sure that internet-connected devices are running the latest software and firmware, password management and password-picking strategies, being mindful about location-based services, and reviewing social media sharing habits.
For every exercise, the goal will be to start off with the most secure configuration possible, and then ease up until things get reasonably comfortable. I expect that we’re going to find some new habits that are pretty easy to adopt, with no conflict between security and usability, which will imply that the product or service in question was designed for actual humans with privacy and security in mind. Other exercises in securification will undoubtedly be frustrating fights against defaults that “just work” while quietly leaking personal info all over the internet (social media defaults leap to mind), or against poorly designed user experiences (I’m looking at you, anything-involving-encrypted-email-especially-PGP).
In the end, we’ll review what worked and what didn’t, and hopefully come away with a handy list of things you can do over the coming holidays to help level up your own friends and family with respect to sensible secure default settings and behaviors. It should be fun, frustrating, and enlightening, which is pretty much exactly how I experience the security industry every day.
To get things started, I did a quick Q&A with Olivia to see where she’s at. Here’s what she had to say:
Tod: So, how “secure” do you think you are today, compared to the average person?
Olivia: Of course, working at a security company, I’d like to think I’m a bit more security aware than average. But alas, I know I also have a good deal of blind spots, which I’m sure these diets (and Tod) will be quick to point out. I’d say a 3.5/5.
Tod: And how “connected” do you think you are today?
Olivia: I’d say I’m pretttty well connected… I’ve got a lot of apps running, social media accounts (most of which I use actively), an iPhone, laptops. You could say I’m a (cringe) typical millennial when it comes to connectivity. However, since I live in the city, I don’t own a car or a home, which rules out most non-phone/computer internet-connected things (so no internet-connected cars, home automation, refrigerators, etc.). 4/5
Tod: Is there anything specific that you’re concerned about?
Olivia: I have a feeling there will definitely be some aspects of the security diet that will all but eliminate usability… and make life really difficult – so I’m very interested to see which of those I’ll expect and which will be a surprise. Stay tuned!
Tod: What’s your mother’s maiden name and the name of the street you grew up on?
Olivia: Nice try!