The American View: Spleen of Darkness
9 October 2018 |
Do normal users really need to know IT's deep, dark secrets is order to exercise good security hygiene? Business Reporter's resident U.S. 'blogger says ‘no,’ and argues that training on practical skills is a better investments in enterprise defence than teaching academic theory.
I was recently asked why my Security Awareness team invests so much time and effort teaching our users intermediate cyberdefense skills instead of focusing on the basics like everyone else. Why waste people’s time droning on about how social engineering gambits work when you can just teach people to never answer their phone (and, thereby, be protected from all phone-based attacks). I explained our intent in the form of a ‘first aid’ analogy that I think is worth sharing.
Everyone knows what the heart does: it pumps blood so that all of the cells in the body get oxygen and get rid of carbon dioxide. Without oxygenated blood, the brain dies, and the rest of the body follows. Straightforward. Easy to understand. But what does the spleen do? What exactly is ‘first aid for the spleen’? Should the average body-owning human really need to delve into his or her owner’s manual to look up ‘preventative spleen maintenance’? Well … yes and no … Let me ex-spleen ... 
First: your spleen is an important organ in your upper abdominal cavity. It’s tucked behind your stomach, where it filters out and breaks down your old red blood cells. It creates antibodies and maintains a tactical reservoir of white blood cells that act like an emergency services agency during a trauma. It does more than that, but you get the idea: the spleen is an important part of a body’s defensive and maintenance systems.
To be fair, I only know this much about spleens by happenstance. I was a combat medic  when I first enlisted in the Army. My platoon sergeant suggested that I take some correspondence courses for ‘professional development,’ so I spent a year slogging through the army’s Advanced Medic course  and the year after that working the Practical Nurse course.  Both courses contained a ton of ‘anatomy and physiology’ content that we hadn’t covered in the field medic course; I learned that we were nicknamed ‘gift-wrappers’ by more senior medical staff because we knew how to bandage and evacuate the wounded but tended to know almost nothing about what was actually wrong with our patients. We didn’t need to know.
Back in the post-Vietnam/pre-Gulf War I days, most of our ‘clinical doctrine’ consisted of ‘get the hurt person to someone much smarter than you as swiftly as possible.
I asked my platoon sergeant why there was such a profound difference in curricula between the three courses. He explained that the type and quantity of ‘technical knowledge’ a soldier needed to be effective at his or her job was based on what specific challenges they were likely to experience and how lethal those challenges were.
- The army taught all soldiers basic first aid. That is, diagnosis and treatment for life-threatening trauma, like bullet and shrapnel wounds, burns, broken bones, heat and cold injuries, etc. Everyone in uniform knew how to bandage a wound.
- The army taught all us field medics how to recognize and treat more complicated battlefield injuries, like collapsed lungs, internal bleeding, concussion, etc. We were supposed to be able to save a life when normal first aid was insufficient. There was generally one field medic for every 100 or so other soldiers in a unit; close enough to apply our skills when required.
- The army taught senior medics much more training on how to diagnose illnesses, mitigate severe trauma, and oversee long-term recovery. These specialists had to know how all of the parts and systems of the body worked in order to effectively address more nuanced and complicated problems. These 91Bs and -Cs ran our battlefield aid stations, casualty clearing units, trauma platoons, etc.
If it seems like I’m stating the obvious … well, yes. This approach is basic threat management modelling. The Army considered the likelihood and impact of wounds, illnesses, and conditions encountered over the course of hundreds of global conflicts, and came up with an affordable, practical model for managing field medicine. No army can train 100% of its soldiers to be licensed doctors; the cost is prohibitive. Likewise, no army can ignore trauma medicine because the impact of having every wounded soldier die is also prohibitive. So, the army crafted training programmes to achieve the best-possible outcome with the lowest acceptable investment in time, money, and people. It’s a pragmatic balancing act, and it works well enough for its intended purpose.
That ‘cost’ consideration is why I came up with inventive ways to teach my people battlefield medicine that minimized expenses. Everything you see in this 2009 mass casualty training event photo didn’t cost the government a time. The ‘casualties’ were all Boy Scouts working on their Emergency Preparedness merit badges. The cargo truck and liters were all borrowed from the Army. The pavilion and car park were borrowed from the Navy. Oh, and that’s me lecturing up in the back of the truck.
Now, let’s take that same threat management model – especially the need to train different tiers of workers to react appropriately to different types and thresholds of threats – and apply it to cybersecurity. It’s the exact same model. Seriously! Don’t believe me? Consider how most InfoSec Governance models work:
- Tier 0 users – normal workers – get basic practical training on how to recognize, report, and respond to common threats. How to spot and safely dispose of a phishing attack email, for example. Or why you should never plug a strange flash drive into your company PC. Normal users need to know that a threat exists and know how to defend against it, but they don’t need to know complex technical details of how the threat works on the underlying targeted systems.
- Tier 1 users – direct tech support workers – get wide-ranging training on all sorts of cyber threats and the principles behind addressing them. These are generalists who can interpret and apply immediate countermeasures to threats and have the ability to diagnose commonly-encountered issues. They have to now a comprehensive baseline of how systems work – individually and collectively.
- Tier 2 users – technical specialists – get advanced training in specific functional areas, like secure programming or intrusion detection. The few specialists that an organisation employs get access to specialised resources to carry out one or more highly-technical activities. They need deep knowledge of their specialisation(s).
- Tier 3 users -- senior technologists – are extensively educated on all aspects of the enterprise. The understand business functions, technologies, threat actors, historical issues, trends, history, and strategy. These ae the people who diagnose complex and obscure issues to determine ‘root causes’ in order to design new systems and tactics for mitigating complex vulnerabilities. They’re the experts who venture the furthest into the spooky fog of cutting-edge cyber threats.
That sounds suspiciously like the ‘all soldiers/field medics/senior medics/nurses’ army medical training tiers, doesn’t it? Of course. Why invent a completely new model when you have a proven one at-hand with decades of lessons-learned to draw on? The support and InfoSec model builders rummaged around in military best practices and helped themselves to some perfectly-serviceable templates.
Work’s hard enough; no sense making it harder by reinventing the wheel if there are free public models available to crib from.
Speaking of, one of the crucial lessons that I learned over my military career was that leaders can improve soldier survival rates by regularly improving baseline skills at the lowest tier of the first aid model. I started teaching combat first aid as a cadet and eventually wound up running all first aid training for an entire air wing.  In the decade that I spent commanding a unit, I invested tons of resources teaching my airmen more advanced skills than the ‘minimum standard’ required by doctrine. We tackled practical subjects ranging from how to rescue unconscious victims from vehicle wrecks to how to safely manoeuvre a litter down a spiraling office stairwell. The guiding concept throughout was to increase people’s confidence, skills, and willingness to respond … thereby increasing the probability that they’d be able and willing to save a life when the time came to put their skills to use.
It shouldn’t come as a surprise, then, that we apply the exact same principle in training cybersecurity with our end-users. Yes, we have minimum baseline skills to teach that are often codified by industry standards and governance models. Everyone needs to know how and why to lock their PC when they step away from it. Everyone needs to know how to report a suspected phish. We cover the foundation skills just like every other responsible organisation.
We also try to teach advanced skills whenever opportunities arise. Every additional concept that we can teach makes the whole organisation harder to attack and, thereby, more resilient. Raising the general level of cyber preparedness across the user population takes pressure off of the higher tiers of security support, which (in turn) allows those high-demand/low-density assets to tackle thornier problems. Steadily investing in designing and delivering proficiency enhancement pays off in the long run.
Note that we tell all of our new users up-front that we have no intention of trying to turn them into cybersecurity PhDs, just like the army has no intention in turning every soldier into an MD. That’s neither cost-effective nor a good use of their time. Or ours.
Neither is parade detail, if I’m honest. I could probably have earned half of a degree if I’d gone to class instead of marching in circles for hours on end.
Further, we’re aware that the cybersecurity field can be intimidating. There’s so much to learn that the prospect of tackling it can be overwhelming. The more that a person learns, the more depressed and hopeless then seem to get; how can anyone effectively defend such a fragile and poorly-implemented edifice as a corporate network when the attackers have all of the advantages? The very act of learning just how dangerous and ambiguous the ‘territory’ is resembles Marlow’s voyage up-river in search of the mysterious Mr Kurtz in Heart of Darkness, in that you can’t un-know what you learn, and the knowledge that you gain leaves you jaded and demoralized forever after.
So, no; we teach the bare minimum of what passes for ‘A&P’ in the security world. We don’t make users understand how TCP/IP works unless it’s already part of their job. We don’t require people to memorize router ports unless it’s already part of their job. We don’t expect anyone to understand programming languages or concepts unless it’s already part of their job. We don’t want to overload people with abstract theory.
Instead, we teach threats and practical countermeasures, with just enough academic background to make the countermeasures make sense. We focus on the acquisition and refinement of practical skills, not the anatomy and physiology of an enterprise infosphere. Per my opening analogy, we’ll teach you why an upper abdominal wound is important and how to bandage it for evacuation, but we won’t subject you to an extensive ex-spleen-ation. 
This pragmatic approach – teaching a wider-variety of hands-on skills – is empowering. It builds confidence. Users (rightly!) feel more in control of their own protection and (metaphorical) survival. Investing in people demonstrates that security has their best interests at heart, so they’re more inclined to pay attention when security makes an announcement and they’re more likely to take new threats seriously. We accomplish this by bringing Tier 0 training levels up, not by trying to push Tier 2 and 3 skill requirements down.
 I shall not apologize for making the obvious joke here. Classic ‘dad jokes’ never go out of style.
 At the time, Military Occupational Specialty 91A (taught via a 12 week long school)
 MOS 91B (another 10 weeks of training on top of 91A)
 MOS 91C (another 50-some weeks of training on top of either 91A or 91B)
 I was a cyber operations officer at the time, but the physician’s assistant who was supposed to run the program let me ghost-write and shadow-manage the programme under his name for years.
 I said no apologies for the obvious jokes and I meant it!
Title Allusions: Joseph Conrad, Heart of Darkness (1899 serial; 1902 book)
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant.
Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.