Maybe you have forgotten what you were doing last week? Even if you have not, you probably don’t know exactly what you were doing last summer.
(Un)fortunately, your friend Google can help you. You may already know it (or not), but Google keeps track of all your movements (if you use their services and clicked “Yes” when they asked for your permission). If you have activated Google Now or Google Maps with your Google account, George Orwell’s 1984 and its Big Brother seem an optimistic view of today’s reality. But, as nothing is ever black or white, especially in risk management, this invasion of your privacy might help you remember where you were last summer. Google does not advertise it much, but you can see your whole location history (if you have allowed them to record it) on the location history map at https://maps.google.com/locationhistory/.
You can use it to relive your holidays with Street View, find where you were at a specific date and time, or check the number of kilometers you drove on a specific day.
Of course, you can imagine the amount of information that could be gathered if this system also started to keep track of all the networks nearby, the Bluetooth devices visible at a specific time, the NFC payments you make, or the sounds heard by your phone (yes, remember that Google Now waits for your “OK Google” and is thus listening continuously while it runs).
If you have an office network or a home network, you might want to use a proxy server to cache content and speed up your Internet browsing. The more machines you have connected to your network, the more likely it is that the same files will be requested several times (just imagine how often the Google Doodle is downloaded on a network with 10 machines on it). A proxy is also a good way to add restrictions, allowing you to prevent your users from visiting undesirable websites or using unsafe protocols. It can also require user authentication before access to the Internet is allowed. Or it can channel all traffic through a privacy protection service like Tor.
Whatever your reason, if you have a Synology server, setting up a proxy server has become much easier these days.
There are two parts in setting up a proxy: 1° install the server, 2° ensure the users will use the proxy.
For the first part, on a Synology, it is now really easy. Go to the Package Center, click on Utilities and select Proxy Server (from Synology Inc.). Click on Install, that’s it.
You will then have to configure it: just provide your email address if you want your users to be able to contact you should they have a problem, and set the port on which the server will listen. You can use 8080, but any unused port will do. Note that ports 80, 443, 5000 and 5001 are likely to be taken already. We usually advise against port numbers between 1 and 1024, as they are already reserved and assigned to specific services. Above 2048 is even safer. 8080 is quite common for web services or proxy servers. Activate the cache and the connection, tick “Activate Automatic Proxy Discovery” under proxy deployment and leave the other parameters at their defaults.
That’s it, your proxy is up and running. Congratulations!
Now you have to tell your computers to use this proxy to browse in HTTP or HTTPS.
Hopefully you ticked “Activate Automatic Proxy Discovery”, as it will help here.
The first possibility, if you have a standalone computer, is to go to the network settings (it can be through your Internet Explorer or Chrome settings) and set “Use a proxy”.
To make it easier, you can configure your DNS and/or your DHCP server to provide the proxy settings automatically to your client computers using a PAC file (Proxy Auto-Configuration). When you activated automatic proxy discovery, this file was generated and configured for you on your Synology.
For DHCP, you must add DHCP option 252 (text or string type) containing the URL of the wpad.dat file (example: http://192.168.1.254/wpad.dat).
For DNS, it’s even easier: the web server on which you have placed the wpad.dat file (in the root folder of the server), most likely your Synology, must be known under the alias wpad.your_network.com (where you replace your_network.com with the domain name of your network as defined in the DNS server). When set to automatic proxy configuration, browsers look for a set of possible variants of http://wpad.my_network.com/wpad.dat. When the file is found, the browser uses it to decide how it accesses the Internet through the proxy.
Be sure your computers are set to automatic discovery of proxy settings (in the network settings).
Sometimes the default wpad.dat file generated by Synology will not work perfectly, as it might try to use the proxy to reach computers on your own network. You can edit the file with a text editor (the file is located in the root folder of your web server on the Synology) and type something like this:
function FindProxyForURL(url, host) {
    // Hosts on the local network are reached directly, without the proxy
    if (isInNet(host, "192.168.1.0", "255.255.255.0")) {
        return "DIRECT";
    } else {
        return "PROXY 192.168.1.254:8080";
    }
}
In that example, 192.168.1.0 is the network address of the local network. 192.168.1.254 is the IP address of the Synology and 8080 the port defined for the proxy server.
Be really careful with the wpad.dat file: it is extremely sensitive to misplaced whitespace or a missing trailing “;”.
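As an added example that goes a little further than the two-line file above (it is not the wpad.dat Synology generates, nor code from this article), here is a complete PAC file that also keeps loopback, plain intranet hostnames and names in the local DNS domain off the proxy. The network 192.168.1.0/24, the Synology at 192.168.1.254 on port 8080 and the domain suffix “.your_network.com” are assumed values to replace with your own. The address test is written in plain JavaScript instead of the PAC built-in isInNet() so that the file can be checked in Node before being dropped in the web root:

```javascript
// Added example wpad.dat (PAC file); assumed values, not Synology's generated file.
// LAN 192.168.1.0/24, Synology proxy at 192.168.1.254:8080, local DNS domain
// ".your_network.com": edit these three constants for your network.
var LOCAL_NET = "192.168.1.0";
var LOCAL_MASK = "255.255.255.0";
var LOCAL_DOMAIN = ".your_network.com";
var PROXY = "PROXY 192.168.1.254:8080";

// PAC files run in the browser's own (sometimes old) JavaScript engine, so only
// ES3-style syntax is used: var and function declarations, no let/const/arrows.

// Converts a dotted-quad IPv4 string into a number (0..2^32-1).
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = n * 256 + parseInt(parts[i], 10);
  }
  return n;
}

// True when the literal address ip lies inside LOCAL_NET/LOCAL_MASK.
// Same result as the PAC built-in isInNet() for a literal IP, but it never
// triggers a DNS lookup, so it is safe to call for every request.
function isLocalIp(ip) {
  var mask = ipToInt(LOCAL_MASK);
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(LOCAL_NET) & mask) >>> 0);
}

// True when host is written as four decimal octets rather than a name.
function isDottedQuad(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  // Loopback traffic never goes through the proxy.
  if (host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // A plain hostname (no dot) is an intranet name resolved by the local DNS.
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  // Names inside the local DNS domain are served on the LAN.
  var h = host.toLowerCase();
  if (h.length > LOCAL_DOMAIN.length &&
      h.substring(h.length - LOCAL_DOMAIN.length) === LOCAL_DOMAIN) {
    return "DIRECT";
  }
  // Literal addresses in the LAN range, the Synology itself included.
  if (isDottedQuad(host) && isLocalIp(host)) {
    return "DIRECT";
  }
  // Everything else is sent through the Synology proxy.
  return PROXY;
}
```

Save it as wpad.dat in the root folder of the web server named by the wpad alias or the DHCP option 252 URL. Because every browser on the network downloads and executes this file, it should be writable only by the administrator and served from a host you control.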
How do we implement security efficiently in an organization, small or big?
Although some security officers still seem to believe that having security policies and a plan to implement expensive controls like IPS, IAM or DLP is the solution (you’ll notice the common use of nice marketing buzzwords and acronyms to make you believe that you should know what an Intrusion Prevention System, an Identity and Access Management system or a Data Leakage Prevention system are, like everyone else is supposed to, and maybe does. But does it mean it’s the solution to your problems?), it is not! You can believe me on this: I was thinking the same way years ago, I saw it fail too often and now I take another approach. And that’s probably one of the reasons why I still have a lot of work as a consultant.
So, what is the first thing we should care for?
When Kevin Mitnick, one of the most famous hackers, was still hacking PABXs in order to be able to war-dial every available modem in a region for free (yes, it was a long time ago), the weakest point of most computer security systems was already between the chair and the keyboard. Whatever you do, there is always a human involved somewhere, and humans are harder to control and less predictable than machines (even if it might not always be the case). Bottom line: good security starts with a good communication and training plan, like any transformation journey, as it is the only good way to change users’ behaviour (depending on where you live, you might also think about torture and brainwashing, but as I live in Belgium, and moreover due to my philosophical convictions, I exclude those from the equation).
Is it really necessary to have a communication and training plan?
The first Palo Alto axiom of communication states that we cannot not communicate (yes, I know, double negations are complicated). Let’s rephrase it: whatever you do or don’t do, you communicate. So, if you don’t communicate about your security, you in fact communicate that it is not important, that you don’t care, or that you don’t have the budget to communicate. That’s BAD! If you communicate poorly, you might give the same message, or even worse, as you might give the false impression that security is useless or boring. Really bad too! And as you probably know, we only get one chance to make a good first impression. So, don’t miss it. The basic reason for any communication is to change other people’s behaviour. So, if you just want to write policies for yourself and don’t care about other people’s behaviour, then indeed you can skip the communication plan.
What makes a communication efficient?
If a communication is intended to change other people’s behaviour (or ideas), an efficient communication is the one that will change the behaviour of the highest number of people. How can we assess that efficiency? If you do security and risk management, you should know the PDCA cycle. So you just use it, like scientists do: when you do something, you try to measure the effect of your action. Fortunately, a lot of people have already tried different paradigms and measured their efficiency. That’s what social psychologists and marketing researchers do. And on the specific issue of risk communication, Amos Tversky and Daniel Kahneman, two Nobel-prize-winning (economics) psychologists, developed prospect theory, highlighting the numerous biases affecting humans when they make decisions about a risk. Lucky for you, you won’t have to read and understand all those books and articles: I am about to give you a cheat sheet to prepare your next communication.
So, practically, how do you do it?
First, you have to remember the 3 basic rules of education: repeat, repeat and repeat again.
Then, you have to remember that if you repeat a signal too often, your brain tends to ignore it. When you put your socks on, you stop noticing the sensation of the fabric on your skin after a few seconds. In the same way, you don’t notice most of the objects in your office that have been there for so long. But if you move one, change its color, or interrupt the pattern, you will start noticing it again. So, the basic education rule might become something like: repeat, explain, and do it again differently.
Keep it simple, stupid and sexy (KISSS): use terms and analogies that everybody can understand. Your target is not a group of security experts.
Ex.: “Security is wearing belt and braces for your first date”
Give many short, concrete examples: give examples that are relevant to your audience. Use their vocabulary, the processes they already know, the things they do for a living.
Use examples that allow people to identify themselves with the story.
Ex.: « The new employee walks into the printer room and finds a confidential document on the printer; as he remembers the security training, he brings the document to the security officer »
Ask questions, and mostly questions that create a knowledge gap, meaning your audience won’t have the answer, or at least not the right answer.
Ex.: “How long will an 8-character password resist a hacker’s attack?”
Use positive sentences (people have difficulties with the negative form; they tend to forget the negation).
Ex.: prefer « You will take care » to « You will not jeopardize »
Use emotions and feelings to describe situations; it will make them more memorable (you can also add references to sensations, sounds, colors).
Ex.: “Alice is afraid of losing her beloved grandmother’s gold ring”
Explain to your audience as if they were your kids or your grandparents.
Ex.: “You may see Risk as the cost resulting from an incident (like having a car crash) multiplied by the probability of this incident occurring”
NB: I know, I repeat myself, but what we call the curse of knowledge, meaning believing that others understand what we are saying, really kills most security communication.
Use precise numbers; they will be perceived as more credible.
Ex.: “You have 2.13 times more chance of dying from self-inflicted injuries than from a transport accident”
Naming your sources will also add credibility (if they are credible).
Ex.: « as stated in the Federal Statistic Death Cause report of 2009 »
Link important concepts to images, preferably known locations and persons. Use unusual associations (incongruence) to improve recall.
Ex.: “Gandhi walks into a computer shop and asks for a computer that brings serenity”
Show the « victims » of the incident, or the persons impacted by it. Give a face, a personality, to the victims.
Ex.: « Alice, Bob’s secretary, is afraid of being fired after she disclosed confidential information »
Provide multiple examples of the same risk; it will create the illusion that the risk is higher, which helps trigger action and compliance.
Use yes sets (a series of affirmations that most people will acknowledge with a “yes”, preceding the affirmation we want them to acknowledge): as they acknowledge the first affirmations (priming), they are more likely to acknowledge the last one. Once acknowledged, not complying with this affirmation will likely trigger a cognitive dissonance (inconsistency) in their mind, increasing the probability of compliance.
Ex.: “Like many people, you like to keep your secrets secret. You understand the risk of disclosing such information. So, you will probably keep this information secret.”
Use double “No” or paradoxical sentences:
Ex.: « You don’t want us to take such a risk, do you? », « As you care about our security, you will classify the document adequately. No? » or « You may give your password to your colleague and be responsible for all his mistakes. No? »
Make it look normal: make your expectations appear as something normal, that we should do as part of our usual behaviour.
Ex.: “Like most of your colleagues, you take care of your customers’ information…”
Give a meaning to your expectations (appeal to our inner drive to do the right thing).
Ex.: “Keeping our customers’ transactions confidential prevents insider trading…”
In the military, it is known that no plan survives contact with the enemy. To get around this, always think of providing the CI (Commander’s Intent) that will allow people to make their own judgement calls.
Ex.: “The main goal is to ensure our CRM application remains available between 7:00 and 20:00”
If you give a presentation, speak slowly and pause for a second after important information; you will be perceived as more charismatic.
OK, I’ll stop here. There is of course more to say, but you already have more than enough to make your communication at least three times more efficient. Combining all this advice, you may change the odds of behavioural change from 21% to 78%! Can you do better?