A mistake or uninformed decision by a developer or IT employee can easily lead to a serious breach. Conscious of this, organizations have been investing in security training to prevent such mistakes, but are they delivering effective training?
October 2015. A 17 year old discovers a flaw in a TalkTalk website that exposes more than 150,000 customers’ personal data, resulting in reputational damage and a hefty £400,000 fine. The culprit, a line of code. Writing that line of code correctly in the first place would not have been more expensive or difficult for the developers, neither would it have required a more advanced technology than what was already available to them. They simply did not know better.
With an ever increasing number of attacks (the 2016 Verizon Data Breach Report included more than 100,000 security incidents across 82 different countries), organizations have started to recognize the importance of providing technical security training to IT employees as a key piece of their security puzzle.
However, not all training programs are created equal and organizations need to ensure that the training they give their staff achieves the desired outcomes and is not forgotten or not applied. The type of training that you choose will determine how effective it will be at inspiring and empowering your employees to take responsibility of the security of the applications and systems they build proactively.
How then do you design training that causes meaningful and measurable changes in developers and IT teams? The ideas discussed in this article will help you evaluate what features to look for when considering security training for yourself or your organization. If up for the challenge, it will also provide you with sound, proven principles on how to structure your own security training.
The two guiding principles of training at MWR are:
The first principle is self-evident if you think of a vulnerability as a bug. If the developers cannot understand or reproduce a bug, the chances of it being fixed effectively are low. Likewise, if we don’t understand how an attacker would look at our systems and exploit a vulnerability, we are less likely to be able to address that vulnerability effectively. This is exactly why in our training courses we focus on teaching offensive security techniques, so that students can fully understand the capabilities of modern attackers and therefore how best to defend against them.
The second principle reminds us that we learn in different ways or styles. Training courses can leverage different types of activities to take into account the different learning styles and deliver an engaging and lasting experience that function as a catalyst to drive positive changes.
The rest of this article will be dedicated to summarize some fundamental research on learning styles and MWR’s own interpretation and approach of the learning cycle in our training courses.
Many theories and models exist about how people, in particular adults, learn new concepts and skills. A good starting point is to look at a well-known and accepted model published in the 80s by educational theorist David Klob. This “experimental learning” model is based on the idea that learning involves cycling through four different stages:
This high-level concept will likely resonate: we all need to go through different stages to learn something new. At the same time, however, it is also apparent that not everybody learns in the same way. Different people may prefer to start learning from different stages and prefer to spend the majority of their time on certain aspects rather than others. Some tend to start by reading relevant literature and documentation on the topic, so that they can get accustomed with its fundamental principles. Others may start directly by experimenting and prefer a hands-on approach – as they progress and encounter questions/issues that they struggle with out, they can refer back to the documentation.
Based on the observation that people learn in different ways, Peter Honey and Alan Mumford later developed a model that identifies four distinct learning styles:
In order to go through the learning cycle and learn effectively, most people will be able to use all four learning styles, but they will normally have a natural preference for a subset of them.
Alongside these models is another interesting piece of the learning puzzle, represented by the VAK (Visual, Auditory and Kinesthetic) model. Visual learners prefer to absorb information by seeing pictures, diagrams and charts; auditory learners prefer to learn from a lecture or a group discussion; and kinesthetic learners prefer a hands-on approach where they can experiment practically. People will normally express a dominant style, but will be able to learn using all the other styles.
It is important to note that these models tend to be academic and have their own weaknesses, mainly in that they divide people into categories, whereas in real life people are normally more flexible and can express a plethora of traits in different situations and environments. However, the main take-away point from this research is that people learn by going through a varied cycle of activities and, although they may have one or two preferred learning styles, effective learning requires them to use all the styles to some degree. We could simplify the matter by saying that every person has a theorist, activist, reflector and pragmatist side to them and that training needs to appeal to each of those sides to be as effective as possible.
Based on these observations, you may want to use your own version of Klob's learning cycle to make your training courses more effective. At MWR, we use this simple adaptation of Klob’s model:
Let’s take a look at each stage of this cycle with some examples taken from our training courses.
At this stage, the instructor introduces a new concept, normally through a demo or an example. For instance, the instructor may introduce the key concepts around Cross-Site Scripting (XSS) by explaining a base scenario and, when possible, offering an example of the impact of that attack in real life. The instructor may then proceed by giving a quick demo of the vulnerability.
This should not last more than 15-20 minutes. The aim of this initial stage is to prepare students for the upcoming lab activity and ensure they get the most out of it by:
This stage addresses the theorist learning style.
This is a key part of the training, addressing the activist side of learners, where participants get a chance to experiment with the new concept. It is important that the activities and labs provided throughout the training are meaningful, engaging and have clear, measurable, learning objectives.
For example, for our Proactive Web Defense (PWD) training lab we have created a realistic scenario modelled after what we have observed across the years in our Security Assurance and Incident Response engagements. This scenario explored in the exercises revolves around hacking a fully-fledged web portal for a fictitious e-commerce organization called TheBazaare.com. This allows delegates to see vulnerabilities within context and fully understand their impact.
The guided labs section walks students through the common steps an attacker would take to discover and exploit a certain vulnerability. To ensure students are not simply following instructions, at the end of each lab they are required to perform some extra steps on their own to exploit fully the vulnerability, after which they will obtain a flag that they can submit to our CTF(Capture The Flag) portal. The addition of this mini CTF throughout the training challenges delegates and helps them to stay focused on an objective while offering us a way to measure how well they are performing in the labs.
After the exercise, the reflector aspect of the students is called upon, as they are given some time to think of what they have done and make notes on their own.
The reflection is typically guided by questions such as:
The answer to the last question is often surprising in that most IT employees discover they are not aware if the applications and systems they manage are vulnerable or not to a certain flaw. In this case, the training has been effective at raising awareness and creating a question in the delegates’ minds. Finding the answer to that question is part of the “Action Plan” that students will implement after the training. More on this later.
In the last stage of the learning cycle, the instructor prompts people to share the outcome of their reflection. This is a great chance for delegates to discuss what they have learnt and share their experience. The role of the instructor is to:
Finally and, most importantly, the instructor will help delegates draw conclusions about how to apply what they have learnt to their own environment. This normally results in delegates taking away not just knowledge, but also a “plan of action” with things to try out and further explore when they get back to their desks. This appeals to the pragmatist side of learners.
Returning to our PWD course, we can see an example of how this could unroll. Sample discussion points about the Cross-Site Scripting would include:
One final and important piece of the puzzle is the action plan that the learning cycle helps delegates come up with. Having an initial action plan empowers individuals to apply what they have learnt and start making positive changes that will help improve the overall security of their organization.
In PWD, this is what an action plan put together by the developers could look like after they go through the XSS module:
Sample Action Plan – XSS
These are mostly short term actions, as the XSS module focusses on a single vulnerability. Other modules of the course, such as the one dedicated to SDLC, usually yields wider-spectrum actions, such as:
Sample Action Plan - SDLC
There is strong intuitive evidence that many vulnerabilities could be effectively mitigated by simply providing security training to employees. To maximize the effectiveness of such training, at MWR we strongly uphold two core principles:
In our experience, a varied training approach which involves different activities (New Concept -> Guided Labs & Challenges -> Reflection -> Discussion/Conclusion) and shows participants the world from the perspective of the attacker has proven very effective in changing their attitude towards security. The hands-on, scenario-based labs section helps to engage and challenge delegates giving them a more in-depth understanding the attackers’ mind-set and methodology: this inspires them to undertake positive change in their everyday job and empowers them to ask the right questions and find the answers by themselves.