If you’re inclined to adopt a New Year’s Resolution, forget the gym. Commit to learning about an aspect of your user population that’s markedly different from your own. Learn how others are (and aren’t) served by your technologies, services, and policies then fix what isn’t working.
In my last TEISS column of 2018, I advocated for security professionals to overcome their own concerns regarding uncomfortable topics to teach their users how to respond properly to phishing attacks that leverage embarrassment and fear to provoke a desired response. It’s a short piece that I recommend reading. Then consider changing your 2019 Security Awareness plan to incorporate more uncomfortable-but-necessary learning.
Along those lines, I also advocate that everyone in our field commit some time in 2019 to venturing outside of their comfort zone. We need to learn about user communities that don’t resemble us so that we can start to understand how we’ve been under-serving – or, worse, inadvertently harming – some of our people.
I took this challenge myself in 2018 and I’ve learned far more than I’d expected in the process. Coming at cybersecurity from a male perspective, I suspect that I was oblivious to some critical aspects of user life unique to my female counterparts. So, when a boffin that I follow on Twitter recommended Violet Blue’s book The Smart Girl’s Guide to Privacy: Practical Tips for Staying Safe Online, I immediately bought it and spent a week coming to grips with just how much I didn’t know.
I experienced one stop-dead-in-your-tracks moment at the start of Chapter 8. Early on when discussing how to use online dating sites, Violet wrote: ‘Never use your real email address (or your work email address!) on a dating website. Use a free email account and make sure to use your dating website screen name or another nickname in the “from” and signup fields. This protects you from anyone trying to search your email address to find out more about you on Google, on social websites, or anywhere else your email address can be found online.’
I appreciate and accept that I’m likely to get sardonically eye-rolled by all of my female relatives for not grokking that idea. I agree, I’m sorry, and I deserve it.
It’s obvious advice in retrospect. I’d never considered the problem from that angle. So, we took those concepts and incorporated them into the Social Engineering defence section of our Annual Security Awareness course. We also added comments in the supplemental trainers’ notes sections pointing out that it’s completely normal for people to adopt multiple online identities, profiles, and accounts that may not point to their physical identity.
Since reading this book, I’ve been forced to reconsider the ramifications of OSINT/stalker/‘Creepy Steve’ behaviour in how we protect Personally-Identifiable Information (PII), personally-owned devices (like employees’ smart phones), and social events held near the office. Things that I’d never previously considered threatening now stand out as risks to be addressed pre-emptively for the sake of my colleagues.
A few months later, an InfoSec writer recommended a new collection of essays that took me even further outside my usual environment. Sarah Jamie Lewis’s book Queer Privacy: Essays from the Margins of Society addressed topics that I’d only vaguely heard about in the military, and then only after the U.S. Department of Defence’s ‘Don’t ask, don’t tell’ policy was finally binned. I’d known that some of my brothers- and sisters-in-arms weren’t straight, but I had no idea how some of the IT services that we’d offered to our users were endangering their personal safety more than helping them.
In Chapter 7, The Myth of the Anonymous Troll, Violet Hargrave wrote about the case of Sarah Nyberg, an activist whose protective anonymity was broken by a ‘reactionary hate mob’ as part of an extended and vile harassment campaign. In Nyberg’s Medium article, she wrote:
‘Most of the harassment initially was relatively fangless; not because it wasn’t malicious, but because they had nothing to go on. I was anonymous, for my own protection.’
‘That protection was removed, intentionally, as a silencing tactic in late December of last year. I watched them, live, pore [sic] through reams of private information in an attempt to discover who I was. Being trans made me particularly vulnerable to having my private information used in a campaign to terrorize me. They found my deadname, eventually, but only by combing through the obituary of my mother.’
The lengths to which some blackguards will go to harass women still surprise us men. They shouldn’t. We need to understand just how vile this problem is and take appropriate measures to help protect and defend our female colleagues.
That essay (and linked article) helped improve our annual Security Awareness course as well. We added a section to explain – with examples – how it’s not only a user’s own social media content that risks exposing their identity and crucial password reset answers to an attacker. It’s also everything that everyone else has ever posted about them that helps an attacker to build a complete picture.
I realized that these are concepts that I should have learned much earlier on; I’ll admit that I probably sat through a lecture that made these exact points some years ago. The ideas hadn’t resonated at the time, probably because they didn’t ‘fit’ with my own life. I needed to see the world from someone else’s perspective for the metaphorical tumblers to finally click.
That’s why my 2019 recommendation for all of you is to tamp down your own discomfort and get inside the head of someone markedly different from you. Learn how the technologies, services, and policies that you think you understand might not be impacting others the way you expect. Come to grips with the limits of your own perspective so that you can better serve your users. We owe it to everyone in our respective organisations to do right by them, no matter how different they might be from us.