I tell users all the time “Forget everything you learned in Kindergarten.”  It always gets a laugh, gets their attention and gets my point across.

It’s not nice to share (your password).  Secrets are really ok (your IP address).  Not only should you not take candy from strangers, you should not take strange candy from people you know (probably a phishing attack).

You CAN mess with other kids’ stuff (if your workmate leaves sensitive information on the printer, it’s ok to lock it up).  And if you do nothing else, for heaven’s sake, don’t be helpful (why does the stranger on the phone need that information?) or polite. (Answering that email with a polite “no thank you” just confirms to the sender that they got a valid email address.)

Early childhood lessons are the social engineer’s greatest advantage.  Nonetheless, there is one childhood primer that I insist everyone who works for me read (I provide them with a copy when they start reporting to me).

Crockett Johnson’s Harold and the Purple Crayon is required reading for all security professionals as far as I’m concerned.

This is not because Harold responds to every incident with creativity, although being creative is helpful in incident response.  It is not because he is never too rattled to focus on the task at hand, except that one time his hand shakes, teaching us that reacting badly can get you in over your head.  It is not even because he knows how to use tools (the crayon, the boat) or enlist help (the moose and the porcupine).  These are important lessons to learn, but this book is not unique in teaching them.

The book is uniquely instructive because the problems and their solutions are of Harold’s own invention.  He creates the environment that facilitates his success and by so doing creates his vulnerabilities.  And that is something that security professionals tend to forget.  Unless you are employee number 3 of a start-up, the chances are the environment you must secure was created prior to your being charged with protecting it.  And the vulnerabilities are part and parcel of the environment.

The environment was created by individuals who had business reasons for doing it.  As you introduce new components to the environment, it will not always go as planned.  In other words, the vulnerabilities were introduced by you and others.  So remember that responding to incidents may be a matter of dismantling or modifying something that someone considers their own.  Never forget to address the ownership of the systems you need to fix. To put it bluntly: lesson one is that everything belongs to somebody.

This evolving environment that Harold draws himself into, created as it is by a crayon, has one characteristic that is not like the environments we secure: Harold cannot erase anything.  This is the second lesson I discuss with teams.

Assuming you have contained the problem, before jumping to the long-term solution in incident response (just turn it off), consider how you would solve the problem if you couldn’t remove the component causing the vulnerability (which after all is sometimes the case).

This focuses you on improving your protective controls rather than just eliminating one more alert from your detective systems.  In fact, I find offering to leave vulnerable systems on the network by defining what mitigating controls would be required to make them safe is the surest way to get a system owner to think about shutting it down.

Finally, and most importantly, the third lesson is the moon.  It is what gets Harold where he needs to be in the end.  But it is, as with everything else, Harold’s creation, even though there is no evidence that he drew it as a means to find his way home.

I could get “new age” at this point and say the lesson is that the answer always comes from within.  But that’s really not the point here.  The point that is stressed throughout the book and driven home most by how Harold uses the moon is that once something is in the environment, it can be used for multiple things depending on your goals.  You may not realize its use right away.

Therefore, we learn most from Harold when we consider that he is not us.  Our organization is more focused and methodical.  It does not meander through a landscape it defines; we have architects and build structures through engineering, budget approval processes and change control.

Harold is not us. He is, in fact, the perfect image of the opportunistic hacker: trying things, leaving them around and using them as he needs to.  He’s not a representation of every type of cybercriminal to be sure, but he is the kind that thinks and acts least like your organization.  What would Harold do?  That’s not the right question.  The right question is what exactly would work as his crayon and how can you take it away from him before he uses it.
