Things Matt Wrote

infosec

Regular readers of this blog, or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and that new learning techniques are needed.

The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.

"I think one of the most important things to realize is most of the education and training done, it's not very effective," and "The 30-minute video you're obligated to watch once a year doesn't do the job."

Yes, I’ll agree with this, but maybe it’s not all on the security professionals.

I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over not to touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned, they don't have any context. And because they don't have any context, because they haven't felt the pain, they're going to touch the hot stove.

Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, "I knew it looked suspicious" and "I know better, I saw the same thing in training."

Almost all promise me "I won't make that mistake again." And they won't. Much like a child who never touches a hot stove top twice, they had to get burned for the message to have an impact.

#cybercrime #cybersecurity #infosec #risk

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual who is communicating with others wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has also. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are of low intelligence or unable to learn; it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as me trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn’t have handled much more. Many of the stakeholders were not in the business of security, or Internet technology, and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic to influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would also.

Read more...

I work for an accredited law enforcement agency. Dually accredited, actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylvania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This is an accomplishment to be proud of for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.

The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police, particularly on the use of force. Agencies that were already accredited met most of the policy demands called for by reformers, but the need to look responsive is irresistible. Policies are tweaked, the language is changed, "enacted dates" are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed; some are just policing reform theatre.

I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agency follow the policies as written, they will be less likely to be questioned, disciplined, or named in a lawsuit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve, even for the best-intentioned officer. Many policy violations aren't deliberate; they happen because the officer is making a split-second decision while under extreme stress. The angle of his knee on an actively resisting suspect's back is the last thing on his mind. On the other hand, some policies are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers think, why even try?

Accreditation and compliance are also big business in the world of information security, with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it is deemed compliant, you are going to be terribly disappointed. And look like a fool. Compliance models are a set of best practices that will lead the organization to a more productive and secure environment, but you can't just enact the framework, declare yourself secure, and walk away.

Read more...

Over the past year, "Dwell Time" has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface, the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment, the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the minimum possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled "The Active Adversary Playbook 2021". The report is well written and has garnered some attention among cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off, particularly since FireEye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?

Read more...

My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.

Read more...

Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.

The report is well done and easy to digest. It is not easy to accept, though. It's not that the data appears illegitimate or deceitful, but it is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.

Some of the statistics are expected, such as six out of ten organizations having sustained a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-borne attack in 2021, and of those, 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.

Read more...

In 2016, Dr. Zinaida Benenson of the Friedrich-Alexander University (Bavaria, Germany) conducted a study to measure the rate at which students would click links in messages received from unknown senders. Of course, they clicked the links. There is little value in that finding. The true value of the study is the reason why they clicked the links.

Dr. Benenson’s study involved 1700 university students. They were interviewed to learn their self-assessed security awareness and understanding of phishing attacks. 78% of the students expressed an understanding of the dangers of clicking a link received from an unknown sender.

The students were later sent emails and messages through Facebook from sender names they would certainly not have known, since the accounts were fictitious. The messages referenced a New Year's Eve party, and the link allegedly went to an online album of photos taken during the party.

Read more...

There is no doubt that small and medium business owners are caught between the proverbial rock and a hard place when confronting a ransomware attack on their network. Unlike large businesses and expansive corporations, they are unlikely to have a dedicated security team. In fact, they are lucky to have a person there just to keep the Internet connected and the printers online. A dedicated IT security person is an abstract luxury. And back-ups? John the Office Manager copied an Excel spreadsheet of the client listing to a USB thumb drive a few months ago. It is on his desk. Or maybe in his winter coat pocket.

It is completely understandable why any business leader chooses to pay the ransom. In most cases, they are out of options and desperate. Obviously, they wouldn't pay thousands or hundreds of thousands of dollars if they had some alternative. But they don't, so there they are.

In some cases, an insurance company is in the driver's seat, and they have analyzed the options down to an actuarial decimal point. The decision is calculated on a cost-benefit analysis based on dollars and cents, not on right or wrong, or on what is best for the business or society.

Why is paying the ransom so bad? Why are law enforcement and security professionals so adamant that ransom demands never be satisfied, if paying is a quick and easy fix that is in the best financial interest of the business?

Read more...

The FBI released a PSA through the Internet Crime Complaint Center (IC3) reminding the public that using open Wi-Fi networks, particularly at hotels, is risky. The Bureau reminds us that connecting our devices to open and unsecured wireless internet sources increases the risk of being victimized by those with malicious intent. The PSA specifically details the "Evil Twin Attack", where the bad actor creates a look-alike Wi-Fi network using their own equipment. In the absence of proper protection, they have full access to your data when you mistakenly connect to their network "0pen Hilton Wifi" rather than the legitimate hotel network "Open Hilton Wifi". Notice the zero?

Guests accessing open Wi-Fi networks have no idea how the network is maintained or the health of the physical equipment. The results of an Internet search for "hacking a router" should give you a cold shiver. And most businesses have neither the financial incentive nor the technical staff to ensure that hardware devices are well maintained, updated, and patched.

Read more...

Mandiant (FireEye) recently released its report "Deep Dive into Cyber Reality – Security Effectiveness Report 2020". The report details the effectiveness of the security control systems that Mandiant clients utilize within their environments. Mandiant claims to have executed "thousands of tests" that simulate real attacks.

The authors of the report make a very important point: protecting an organization's computer and information systems is not entirely an IT problem. It is a business problem. Even more, it is an entire-organization problem. Every single stakeholder that has access to the system has some responsibility to secure it. This is particularly true of the business executives, who need to be more involved in security decisions. If the board does not have a CISO, it should. And that person needs to be viewed as an equal partner in the C-suite.

Of all the information provided by the report, the following stood out the most:

Read more...