Keeping Information Security Simple – Chocolate v. Kale and the Importance of Reporting Information Security Mistakes

Letter from the CISO, Vol 3 Issue 1

Washington University Community:

Do you like chocolate more than kale?

Of course!

In a recent keynote presentation at the Gartner Security and Risk Management Summit, Mary Mesaglio, a Managing Vice President who leads Gartner’s Executive Leadership Dynamics team, discussed the importance of getting people to care about information security. This is the same driving intent of our Information Security ABCs (Awareness, Behavior, and Culture) program. We start with the idea that people need to be made aware of good security practices and shown what dangerous security threats look like.

Mesaglio’s central point was that most people already know what they need to do to be safe, just as they know that eating kale is good for them. Nevertheless, we all usually – if not always – choose chocolate over kale, because chocolate is delicious. And kale is, well, kale.

Information Security is not kale

I think Mesaglio is correct to a degree. Improving awareness is very important in the real world where skilled malicious actors exploit urgency to hijack people’s amygdalae, present time-limited offers, employ deceptive tactics, and otherwise make chocolate look like kale.

However, neither chocolate nor kale misrepresents itself.

In other words, in the real world, it is easy to tell the difference between kale and chocolate. But in information security, malicious actors can disguise their evil intent and sometimes con even the most careful users into making mistakes.

A culture of support, not blame

It is vitally important not to shame or punish people because they eat chocolate, or occasionally make an information security mistake.

I’ve made mistakes myself, and I am very aware and careful.

The next most important thing

In this column I usually tell everyone to be vigilant, suspicious, and a little bit paranoid.

Today I’m going to tell you the next most important thing: to quickly report information security mistakes when they inevitably happen. It is vital that you report them at once to the Office of Information Security (OIS).

Even if you aren’t sure, it is better to report when you might have made a mistake. The sooner mistakes are reported, the more quickly and easily the OIS can contain any damage, and the better off we all are. If a mistake was not made, we’ll be able to tell you so easily.

Real world benefit

Almost every day we receive many reports of phishing messages from the WashU community via the Phish Alert Button in Microsoft Outlook, pictured below. More information about how to report phishing can be found at Phish Alert Button (PAB).

Usually, one report allows us to protect tens or hundreds of other users from the same phishing message, often before they even see the dangerous message.

Sometimes the impact is bigger. Earlier this month, a compromised user account sent more than 6,000 phishing emails to WashU users. Many people reported that they received messages from the compromised account in less than 5 minutes. This enabled the OIS to quickly quarantine and remove the phishing message from mailboxes, reset the password on the compromised account, and nip a potentially very large problem in the bud.

The human firewall is our last, best defense

While the university has many state-of-the-art defenses in place to prevent these problems, we rely on all of you to be the last line of defense against clever messages that sneak through.

Not all attacks are as large scale as the one mentioned above. In some cases, individuals and small groups are targeted, and the one person who uses the Phish Alert Button to report it allows the OIS team to respond and contain the threat.

If you need help with any of these things, please contact the OIS.

Thank you for reading and being members of the university’s Information Security team!

Good luck, and be careful out there!

-Chris Shull, CISO