How to Spot a Spy
Welcome to this week in Federal Times:
It’s not a parody. That’s what I thought, too, but nope: You paid for the production of that video.
For realz.
Most of the security training videos are cheesy. Unfortunately, the security training materials that are not cheesy are snooze-inducing. If the goal of the security training materials is to get people to think, a bit, which do you think is preferable: that trainees are laughing about the silliness, or that trainees forget the training immediately?
The other thing you know, but have forgotten momentarily (yes, I’m assuming, bear with me, grin) in your amusement: it’s one thing for people who are dealing with high-level sensitive stuff on a regular basis to remain vigilant. It’s a different (and difficult!) thing to maintain security awareness among the many people who only deal with the day-to-day little stuff that is not sensitive in isolation (info bits that can potentially be put together to create more valuable pictures).
So you think the ODNI screenwriters were sitting there with their feet up and a bunch of empty pizza boxes on the floor and one of them says, “Okay, so the way we deal with this embarrassing thing where we lost everyone’s data is we cast the world’s dweebiest closet case in the role of the ‘economic analyst,’ right? And then we get “Boris the Foreigner” to run into him by accident, we can show him wrestling with his conscience as he struggles between his libido and reporting this to the security office … they’ll be rolling.”
So what’s the video that makes people think about who should run the OPM? I guess they need a really cheesy video to make everyone laugh and think closely about that kind of hiring decision, because obviously that lesson was a snoozer.
It’s true. The training videos are either boring, cheesy, or haven’t been changed since at least 2005. I know I just had to do a few mandatory ones and they were exactly the same as they were when I joined the Navy in 2005.
Yeah, Claire. This is corporate life right here. Have to watch stuff like this all the time.
This is what college prepared us for.
These videos are usually shown in a group setting. After it ends, the moderator, usually a lawyer, stands and says something along the lines of “ok, that was totally cheeseball, but let’s talk about the issues at hand.” Good discussions usually follow.
Remember, when we took down the Iranian reactor a few years back with the Stuxnet virus, we got the virus into their network by hacking the suppliers. The Iranians bought the malware. Which is kinda cool. (An earlier theory was that we had left thumb drives in cafés all around the area, where eventually an employee picked one up, took it to work, and stuck it in the USB port of his computer.)
Employees are ALWAYS the weakest link in any cyber security plan. People do profoundly dumb things. All the encryption in the world doesn’t help when your password is: password.
And speaking of taking down Iranian reactors, ladies and gentlemen, AC/DC!
Après CCCP, the security department of the company I was working for was more worried about the French than they were about the Russians. They weren’t shooting for world domination; they were poaching contracts. We were treated to a video of Suzette slinking up to an engineer in a bar, telling him that “your work – eet eez so –fascinating. Tell me more about zee radar ….” My initial impression was that when it comes to cheese the French have nothing on us.
And twenty-five years later, I still remember it. I still laugh at it, but I guess it works.
I doubt it.
Such videos are almost always produced by envious contractors from the private sector who sell them to the government to torture federal employees.
How to Spot a Spy
You are a techie and/or data analyst. An attractive woman shows interest in you. Of course she’s a spy.
Who told? I sure didn’t tell anyone that was my password.
The bit I saw looks just like similar videos produced by Boeing and NOV I had to sit through . . . annually . . . while employed at those companies. Cheesy and sleep-inducing. And mandatory. Did I mention there is a test at the end?
Seawriter
Did Hillary miss this training?
I’ve found myself in situations where I’ve been told by a client to make a communications piece less attractive because they want it to be more memorable. “Making it look good is less important than getting people to read it.”
It is cheesy because we want our federal employees to leak. We want the Chinese to blackmail regular federal employees for stored data. We will then fill their data centers with solitaire scores, kitten/puppy pictures and porn links. If they actually get any economic forecasts or other federal work product from these federal PCs, the joke is on them because that stuff is almost always wrong.
I remember when the “I love you” email-malware was roaming around. Some guy who worked at the help desk said “I knew it was a trap as soon as I saw the subject line. Now if it had said ‘I hate you’, I would have clicked on that right away!”
FIGHTINPHILLY,
How did you know my password is password?
Curses, foiled again!
Basil, the contractors are also required to view the cheesy videos. (sad face)
Front Seat Cat, Hillary in her Magnificent I-Am-Woman Wonderfulness did not need the training, obviously! [/end sarc]
This dates back to at least WWII when Frank Capra discovered that soldiers retained information from a training film much better if the lessons were embedded in a story, which is how you got the classic tale of Sergeant Rock, who drilled the soldiers on how, if they were ever in (enter appropriate tactical situation here), they should immediately (take appropriate tactical action), and all the soldiers thought the Sergeant was being way too serious, but then one day they were patrolling in Germany when it happened, and just like they were trained, they did what they were supposed to do, and they all lived, except for poor Jimmy, who didn’t do what they were trained to do, and bought the farm. And now we all remember the lesson.
As recently as the 1980s I have recordings of AFN public service announcements on operational security that were not too dissimilar from this, except they were 30 second spots with a bunch of soldiers sitting around the table, chatting about unclassified stuff, while a Russian spy eavesdrops and fills in a crossword puzzle with clues from the conversation, figuring out that the US is going to deploy a new weapon in the Middle East (which was classified). Been 30 years, I still remember it.
I had to watch the time study video something like 4 times because some folks couldn’t pass the test, made me want to jump off a balcony.
Claire,
Well, that’s it then! HRC hadn’t seen this video. If only she had watched she would have been more careful. The poor thing just didn’t understand this fancy espionage mumbo jumbo stuff.
Maybe Huma can put the video on the iPad after she draws a nice warm bubble bath for her. Then Huma will be able to tuck her in by 8 pm. She needs her sleep. It’s so exhausting having to fight the vast right wing conspiracy all day long.
We must all be more considerate of her feelings.
Regards,
Jim
My posts are all listening devices for Van Eck phreaking. I know all the Ricochet passwords.
It would have been better if they’d cast Steve Buscemi as the “federal employee.”
It really is counterproductive though, isn’t it? If there is a spy among you then any good information conveyed becomes a seminar in how not to get caught. Because we’re going to tell you exactly what we’re looking for!
Duh.
Keep in mind that this stuff has to be tailored to the audience. Keep in mind, too, the state of modern public education. The military’s regulations and manuals have to be written to the eighth grade level, not the adult level, in order to achieve broad understanding.
These training videos might not seem all that cheesy to the eighth grade mentality at which they’re aimed. Even the Hillary Clintons, Cheryl Mills, Bill Burtons, and Marilyn Mosbys of the world need help in understanding things normal people take as common sense with an occasional reminder.
Eric Hines
Not sure if the initial complaint is about the acting or the script or the scenery … but it doesn’t really matter. If that is the complaint, it is short-sighted IMHO. People, particularly inside people, are the weakest link. Social engineering is a topic that it is difficult for people to consistently be aware of as they go through their daily activities, simply because it is natural for people to be trusting and curious. Just look at what people share on Ricochet.
In my opinion, if, as someone else already pointed out, cheesy gets the intended target audience of the video to think and talk about the art of human hacking, the video is a success. No?
When I was working on a BS in Network Security social engineering was focused on a good bit of the time. “Hacking” people is often the best way in for the very reason TempTime mentions. Most people in work environments (not all of course, we all know who they are) tend to be at least somewhat helpful to people they work with. They are also either unaware of or willing to break procedures for people they want to help to either be nice or save time.
Gee if only some State Department employees had run to the IG when they noticed all those emails to and from that Clinton.com domain.
Maybe they can do a video for that.
They almost certainly have a video on how to report problems to the IG. And I am sure after taking it merriment ensued among those who knew about Clinton.com.
Seawriter
That actually sounds interesting and clever. Why can’t the public university I work for show us scenarios like that? No, we get the eye-rolling videos of the stupid schlubs whose passwords are “password” and “123456789.” I honestly can’t remember what was in my last cyber-security training. I only remember it was obnoxious and the answers were obvious.