Awareness quiz on malware
Trawling through our back catalogue for content worth recycling into next month's awareness module, I came across a quiz we set in 2017. The challenge we set the group was this:
Aside from malware (malicious software), what other kinds of “wares” are there?
The idea was to prompt the group to come up with a few obvious ones (such as software), then start digging deeper for more obscure ones. Sooner or later they would start to improvise, making up 'ware' terms. If not, here are our tongue-in-cheek suggested answers, provided for the quiz master in case the group needed prompting towards more creative, lateral thinking:
- Abandonware – software long since given up on by its author/support krew and left to rot
- Adware – software that pops up unwelcome advertisements at the least appropriate and most annoying possible moment
- Anyware – web-based apps that can be used while in the office, on the road, in the bath, wherever ... provided the Internet is accessible
- Beggarware – smelly, homeless software that periodically rattles its virtual cup, begging loose change "for a cup of tea"
- Bloatware – software that has grown fatter than a week-old beached whale with ‘features’
- Botware – software to stop the bots becoming bored and naughty
- Brochureware – over-hyped marketing, promotional or advertising copy about alleged new software (also known as vaporware, neverneverware and noware)
- Courseware – software for courses
- Coarseware – software for curses
- Crapware – software so badly designed and written as to be worth flushing away
- Crimeware – software used by criminals for various nefarious purposes
- Crippleware – cheap or free software with deliberately restricted functionality to coerce users into buying the full version
- Firmware – low level software burnt into microchips and embedded in hardware, or possibly Viagra spam
- Floppyware – software delivered on floppy disk, or maybe yet more spam about Viagra
- Freeware – software generously given away by its owners, some of it worth every penny
- Glassware – highly fragile software, likely to smash to smithereens with the slightest knock
- Groupware – software supporting group activities (work-related, not sex, oh no)
- Hardware – computer equipment, IT stuff, equipment, kit
- Houseware – IT stuff at home, including all those IoT things that have quietly snuck in while our backs were turned
- Malware – malicious software: viruses, worms, Trojans, ransomware, APTs and so forth
- Middleware – a layer of software linking applications to other applications, operating systems and hardware, not as sweet but just as messy as the jam in a sandwich
- Ransomware – malware that coerces victims into paying a handsome ransom for the safe return of their loved ones – their invaluable IT systems and data; may involve 'proof of life' in the form of decrypted content
- Scareware – scary malware that terrifies victims into needlessly paying a trumped-up “fine”
- Shareware – software shared among evaluators, cheapskates, skinflints and pirates
- Shelfware – policies and procedures that languish unread and unloved on the shelf, collecting dust
- Sneakerware – software delivered on foot e.g. on a potentially infectious USB stick
- Software – computer programs, apps and other fluffy stuff
- Spyware – sneaky, spooky, voyeuristic software that secretly spies on the user
- Tupperware – branded plastic containers carrying blank CD-RWs or lunch
- Underwear – undies, frillies, lingerie, pants, togs, daks, knickers, cheese-cutters, unmentionables ... offering a very personal form of privacy
- Warez – ripped-off software stolen and traded by pirates who evidentally cant spel
- Wetware – human beings, being mostly water and sometimes full of steam
- Ware's Wally? Malware is usually well hidden, although it doesn't wear stripy tops, attempting to blend in with massive crowds on stripe-day
- Workware – uniforms and clothes used by workers … plus intrepid social engineers
There was a genuine learning objective behind all that (familiarity with the terms of art) but to be honest the main purpose was for the group to loosen up and have a laugh ... before pressing ahead with a second, more serious challenge:
Which of those “wares” could be used to exploit our organization? Think of realistic incidents or scenarios in which this has happened or might occur.
We provided no 'suggested answers' for the second part, hoping that the now relaxed group and quiz master would take it wherever they wanted to go, chatting on until they ran out of time or inspiration. The broad learning objective here was for the group to gain a deeper understanding of the terms and risks in this area, particularly around malware incidents that the organization had experienced: we have no idea what they might be, but hopefully those present would recount some interesting stories, real or imagined.
This informal, open-ended style of quiz or challenge is something we've developed into a routine part of our awareness service. Most months there are similar opportunities for the group to draw up lists of terms, incidents, risks, controls or whatever relating to the particular month's information security topic. Sometimes we've asked them to draw mind-maps, sketch out ideas or fill in the gaps on process flows: again, these are really just excuses to get the group chatting and having fun in the general area of information security, while hopefully learning things along the way. As I'm sure you appreciate, this can be a tediously dry, dull and boring topic area otherwise, so we'll grab any opportunity to lighten up and get people smiling. Aside from anything else, it makes teaching the subject just a bit more enjoyable.
PS Leaving aside the very silly ones, there are at least 50 legitimate 'wares'.