Security Training is Hard
I recently had to go through the mandatory annual training around ethics, security, and handling sensitive data. Like many companies, this training comes in the form of pre-built SCORM courses. I received the following question from KnowBe4, specifically in handling sensitive data.
I was going to answer this question by choosing "Find a location with greater privacy and communicate using encrypted messages on a secure connection". I was so close to clicking the Submit button. Then at the last moment, I changed my mind and chose "Tell the office that for security concerns the call will have to wait until you get to your hotel room." I clicked the Submit button and waited for the result.
Incorrect.
I was shocked. It must have been my original choice, but why?
I had to put my tail between my legs, redo the quiz and choose the answer I was originally going to choose. I got everything correct and passed the quiz.
But where did I go wrong? Well, let's go down the rabbit hole of my thought process and how difficult it is to do security training, especially if you come from a security background.
Find a location with greater privacy and communicate using encrypted messages on a secure connection.
This answer sounds logical. That's why I first chose it. It contains all the right words. "Privacy". "Encrypted". "Secure". For the average person, that would end it right there, but there's something wrong about the answer and the question. Here are some knocks against the "correct" question.
Greater Privacy Doesn't Exist in an Airport
First, you are in an airport and you receive a call containing sensitive information. If this is an average person, how will they know where in a public airport will there be greater privacy? Is the person even in a country where there is a reasonable expectation of privacy?
Are you coming or going?
Next, are you coming or going from the airport? Is your flight about to leave and now you need to stop responding to the office? Or are you arriving from a flight and need to get through customs, grab your luggage or just leave the airport and go to your destination.:w
Switching Mediums and Creating an Evidence Trail
The question was about you receiving a call. Yet, the correct answer talks about switching to secure messaging. Now, how many people realize that standard text messages (GSM) is not secure? Probably none. My guess is KnowBe4 is assuming people use iMessage with iPhones. I doubt they're thinking about using Signal or other end-to-end messaging apps. And I hope that they don't mean switching to email.
But the main problem I have with this is the answer requires you to switch mediums. So instead of talking, you have now found a place with greater privacy and switching to messaging. Right here we have a potential failure. We don't know what the sensitive context was about, but it could be potentially damning. At this point we need to ensure that employees realize that when they switch to any kind of messaging (email, text messages, iMessage) you are potentially creating a paper trail that can be used in discovery of an audit or other legal investigation. There's a reason why people choose voice calls or in person conversations when they want to ensure there is no paper trail.
What about the Incorrect Answer?
Tell the office that for security concerns the call will have to wait until you get to your hotel room.
This doesn't tell us much. What it does do is say that the conversation is put on hold until you are in a better place to speak about confidential information. This sounds about right. You may not trust the airport, the federal government that runs it, or the cell and wifi towers that provide wireless connectivity. And you'd be right.
So what does a person do? They go to the nearest place where they will feel private and safe, and then continue their conversation.
The question didn't state whether the call's sensitive content was time-dependent. In this case, there's no reason you should feel obligated to speak to the other person versus making them wait. They can wait until you are in a more private place. Since we don't know if you were coming or going from the airport, it is very possible that your hotel is only 5-10 minutes away. This is a good enough time to ask someone to wait while you get into a safe place.
Once you are in your hotel room, you can continue the call without fear of eavesdropping. Or you can ask to switch to secure messaging. Or use your laptop. All wireless communication features (cellular, WiFi) will be available to you and the likelihood of a rogue network or federal wiretap goes down drastically.
Conclusion
Obviously I'm biased here, but the "incorrect" answer is the more secure answer. It requires someone to have a good security awareness and threat model, which while we all do to some extent, not everyone is full educated to think about it all the time. But since it is my job to do threat modeling and handle sensitive information, of course I would choose to wait until I can verify that I'm actually in a private situation.
So, which is the right answer? What would you choose, knowing what you know now about security?