Something You Have/Know/Are: Multifactor Authentication

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete if we didn’t talk about authentication! Traditionally a perennial topic for cybersecurity training, authentication was also in the news last week with the allegation of a well-known security researcher breaking into a presidential candidate’s Twitter account. The researcher, who also broke into the candidate’s account in 2016, was able to break into the account by brute force, trying out possible passwords based on what he knew of the candidate. In both cases, multifactor authentication was not turned on. If the allegation is true, the candidate did not learn from the 2016 hack, leaving his account vulnerable for all these years.

Why is multifactor authentication (MFA) important? The following is an excerpt from our April post on the LITA Blog where we explain what MFA is, why it’s important, and how to implement it alongside other cybersecurity measures!

Multifactor authentication

Our community college district has required access to our LSP, Alma, that requires multi-factor authentication when used through our single sign on provider. Can you talk a little bit about the benefits of multi-factor authentication?

Multifactor authentication, or MFA, is an authentication method that requires at least two out of the three types of items:

  • Something you know, like your password
  • Something you have, like your phone with an authentication app or like a physical key such as a YubiKey
  • Something you are, like your fingerprint, face, voice, or other biometric piece of information

(FYI – More MFA methods are adding location-based information to this list [“Somewhere you are”].)

MFA builds in another layer of protection in the authentication process by requiring more than one item in the above list. People have a tendency to reuse passwords or to use weak passwords for both personal and work accounts. It’s easy to crack into a system when someone reuses a password from an account that was breached and the password data subsequently posted or sold online. When combined with two-factor authentication (2FA), a compromised reused password is less likely to allow access to other systems.

While MFA is more secure than relying solely on your traditional user name and password to access a system, it is not 100% secure. You can crack into a system that uses SMS-based 2FA by intercepting the access code sent by SMS. Authentication apps such as Duo help address this vulnerability in 2FA, but apps are not available for people who do not use smartphones. Nonetheless it’s still worthwhile to enable SMS-based 2FA if it’s the only MFA option for your account.

This all goes to say that you shouldn’t slack on your passwords because you’re relying on additional information to log into your account. Use stronger passwords or passphrases – ideally randomly generated by Diceware – and do not reuse passwords or passphrases. Check out this video by the Electronic Freedom Foundation to learn more about Diceware and how it works. It’s a good way to practice your dice rolls for your next tabletop gaming session!

As a reminder – your security is only as strong as your weakest security practice, so once you have created your password or passphrase, store it in a password manager to better protect both your password and your online security.

Silent Fatigue

Welcome to this week’s Tip of the Hat!

Cybersecurity Awareness Month wouldn’t be complete without a post about a current cybersecurity threat. This month we learned that Silent Librarian is making the rounds right on time for the start of the academic school year.

Academic libraries encountered Silent Librarian last year, where several prominent universities were targeted by this phishing attack. Silent Librarian targets students and academic staff/faculty by sending an email that appears to be from the library, stating that their library account is going to expire and that the recipient needs to click on a link to reactivate it. If the user clicks the link and tries to log into the spoofed site with their university account, the attacker can then use this account to gain access to the university network and other sensitive systems.

Last week, Malwarebytes reported the first round of attacks for the 20/21 academic year. The attack follows roughly the same pattern from previous years; however, this year is a bit different due to the current chaotic state that many universities are in due to the pandemic. The attackers can take advantage of the confusion and disorder caused by the rapidly changing plans of on/off-site teaching, access to academic resources, and changing restrictions and guidelines set by campus officials. 

The fatigue caused by all of these changes can change how a person behaves and potentially lower the person’s ability to protect their digital security. This fatigue is a boon for attackers because the behavior changes lead people to be less diligent about cybersecurity – people may not be checking email messages before clicking on a link in a phishing email, for example. It’s difficult to prevent this fatigue with everything going on in the world and harder to recover from once fatigue sets in. 

This year’s Cybersecurity Awareness Month comes at a time where information security and privacy folks have to be mindful about over-relying on individual responsibility. Advice to combat this security fatigue usually center around what the individual should do, but what happens if the individual is already overwhelmed? This fatigue is not new – research has shown that users mentally check out when they are presented end-user agreements and privacy policies. The user can only do so much if they are distracted and overwhelmed by, well… everything that’s going on in 2020.

Users have a part to play in protecting data, but solely putting the burden of security on the end-user can create a vulnerability that is hard to fix in an organization when fatigue sets in. For libraries, this would be a good time to check what cybersecurity measures are in place and where the organization can alleviate some of this fatigue in staff. In the last two weeks, we explored different types of cybersecurity training – it might be a good time to create reminders or training that use positive reinforcement and motivate staff to be proactive in securing the library’s data. It’s also a good time to check firewalls, spam filters, and other email and network security settings to identify and block phishing emails, particularly repeat attackers such as Silent Librarian. Creating checklists for staff using personal devices for work purposes, as well as checklists for staff doing remote work, can help already overwhelmed staff in ensuring that they are not putting library data and networks at risk. Even smaller actions such as a checklist can go a long way in reducing data security and privacy risks. Providing any assistance to users at this time will not force users to spend all their energy (or, in some cases, spoons) trying to do all the things to protect data on their own, quickly leading to burnout and increased risk to data security.

Roll for Initiative! Gaming in Cybersecurity Training

Welcome to this week’s Tip of the Hat!

We learned last week that cybersecurity training is not as simple as choosing a particular training and rolling it out – training methods, goals, and context all determine the effectiveness of the training. While interactive training engages trainees and helps with understanding and motivation, the type of interaction matters. Simulations such as the phishing simulation test can backfire if not planned and deployed with care, but other types of interactive training engage users in a more controlled space and minimize unintended consequences… and you might level up in the process.

Games in training are not new, but turning training into a game by incorporating game elements or using existing games to teach particular concepts has grown in popularity in the last couple of decades. You’ve encountered gamification in other areas of your life – badges, leaderboards, and point systems, to name a few. These elements play into common human desires and motivations, such as collaboration/competition and accomplishment, which in turn can boost morale and knowledge retention. When combined with story elements and a positive reinforcement approach, training with game elements have a better chance overall of being more effective than traditional lecture-based training.

Libraries are no stranger to gamification. Academic, school, and public libraries use gamification for instructional sessions as well as patron programs. ALA has a Games and Gaming Round Table, as well as several resources for libraries, including two new books published this year about gamification in academic libraries and ready to use gamified programs for libraries of all types. It wouldn’t be a big stretch, therefore, for libraries to incorporate game elements or entire games into a training program, including cybersecurity training.

What does gamification look like in security and privacy training? Here are a few examples that you can use for both staff and patrons:

  • Tally Saves the Internet – This browser extension turns the Internet into a turn-based RPG where you fight an invisible enemy – online trackers. Players not only gain points and badges for fighting these online tracker monsters but also actually blocks trackers 😊
  • Cybersecurity Training for Youth Using Minecraft: A Field Guide – You can use existing games to teach cybersecurity, too! This field guide provides ways in which library staff can use Minecraft to teach patrons threat modeling in a way that doesn’t require prior knowledge of cybersecurity concepts but instead uses an environment the patrons might already be familiar with in their daily lives.
  • Tabletop exercises – unlike the other two examples above, tabletop exercises (TTE) have been around for a while in the cybersecurity world. One common TTE in cybersecurity is incident response, going through how an organization would respond to a particular scenario, such as a data breach. Think of it as a one-shot TRPG, but you role play as yourself, and your abilities and inventory consist of whatever policies, procedures, and resources you have in your organization at that moment. You can include other gaming elements and methods within TTE, such as Lego Serious Play, for additional collaborative/competitive opportunities in the scenario.
  • Cybersecurity games – There are several off-the-shelf cybersecurity games that you can use in existing training or at game night at your library!

There are many paths to incorporate game elements into cybersecurity training, so the best approach to take is to, well, play around and find which ones best fit your training audience. Don’t forget to have fun in the process, and may the dice roll in your favor!

Friendly Phishing, or Should You Phish Your Own Staff?

Welcome to this week’s Tip of the Hat!

October is a very important month. Not only does October mean Halloween (candy), it also means Cybersecurity Awareness Month. This month’s TotH posts will focus on privacy’s popular sibling, security. We start this month by focusing on one common “trick” – phishing – and why not all cybersecurity training is created equal.

A hooded middle aged white man wearing sunglasses laughs as he holds a fishing pole with a USB drive at the end of the line.
This is also the month where we get to use our favorite phishing stock photo. Image source: https://www.flickr.com/photos/hivint/36953918384/.

We wrote more about phishing in a previous post if you need a refresher; the tl;dr summary is that phishing is a very common attack method to gain access to a variety of sensitive systems and data by pretending to be an email from a trusted source (business or person). Phishing can be very costly on both a personal level (identify theft) and an organizational level (ransomware, data breach, etc.), so it’s no wonder that any digital security training spends a considerable amount of time on teaching others on how to spot a phishing email and what to do to prevent being phished.

It turns out that this type of training, for the amount of time spent in covering avoiding phishes, might not be as effective, and in some cases, can actively go against the goal of the training itself. A good portion of cybersecurity training comes in the way of lectures or an online web module, where users listen/read the information and are then tested to assess understanding. While that has been the main mode of training in the past, lecture/quiz style training, trainers realize that interactive training that goes beyond this model can be more effective in knowledge retention and understanding.

A growing number of organizations are using another type of security training – sending out phishing emails without warning to their employees. The phishing email, created by an external cybersecurity training company or by the local training team, would be sent out to spoof ether an organizational email or an email from a trusted source. This live test, theoretically, would more accurately assess employees’ knowledge and awareness of phishing methods and provide on-the-spot results, which could include corrections or remedial training. There are a variety of vendors offering both free and paid tools and services, such as KnowBe4 and PhishingBox.

Simulated phishing tests appear like a great addition to your organization’s training approach; however, these simulated tests can backfire. One way it can backfire is turning staff against the organization. One recent example of this comes from a simulated phishing email sent to Tribune Publishing staff, promising staff a chance of a company bonus if they clicked on the enclosed link. This email was sent out after staff went through furloughs and other drastic budget cuts, and the staff reaction to this email led to further erosion of trust between employees and administration. The debate extended to the security field, questioning the ethics of using content that otherwise is used in common phishing emails in an organization where employees went through considerable stress due to budget cuts. 

Another way simulated phishing tests can backfire is when the tests focus on shaming or negative outcomes. Some phishing tests focus on those who do not spot the phish, providing on the spot corrective training or assigning the employee to a future training. However, research has shown that focusing on shaming to correct behavior doesn’t work in the long term and might lessen the chance of someone reporting a possible phishing email or other cybersecurity issues to the organization. Negative reinforcement serves to create a more insecure organization by creating an environment where staff either are not motivated to or fear reprimand if they report a cybersecurity issue.

The use of simulated phishing tests will be the topic of debate for some time, but this debate presents two takeaway points to consider for any type of cybersecurity training:

  1. Context and methods matter – simulated tests can be effective, but the test’s logistics – including timing and content – can work against the desired outcomes of the trainers. Trainers should also consider the current state of the organization, such as staff morale and major crises/events in the organization, in choosing and developing cybersecurity training for staff. Another thing to consider is the effectiveness of training methods, including how often training has to be repeated to keep staff current on cybersecurity threats and procedures.
  2. Positive reinforcement – positive reinforcement, such as awarding staff members who do not click on the test phish email, can help with creating a more security-conscious organization. 

Next week we will dive into another type of cybersecurity training that is a simulation of another kind – stay tuned!