Inoculation 1
Two recent news items in SANS NewsBites (http://www.sans.org/newsletters/newsbites/) had me thinking about the fun (and profit) to be had from working to ethically “inoculate” one’s staff against phishing and social engineering attacks.
To quote:
—NY “Inoculates” Employees Against eMail-Borne Malware (22 January 2007) Will Pelgrin, New York State’s chief information security officer (CISO), worked with AT&T and the SANS Institute to develop an “inoculation” program to protect state agency computer systems from malware infections. First, approximately 10,000 state agency employees received email messages alerting them to ongoing phishing activity and encouraging them to be aware of the risks of opening email from unknown users and clicking on links in unsolicited email. The next month, the employees were told that in keeping with a tightened security posture, all employees were required to have passwords. That was followed by an email that came from outside the network containing a link that if clicked on, would prompt users for their user IDs and passwords. The email contained some clues that it was not legitimate. If the users provided the requested information, they got a pop-up telling them they had failed the test and then were shown a video and given a 10-question exam. Eighty-three percent of the recipients did not fall for the scam. When a similar test was run two months later, that number rose to 92 percent. http://www.gcn.com/print/26_2/42983-1.html?topic=security&CMP=OTC-RSS [Editor’s Note (Kreitner): This is an excellent example of good security management supported by a security metric that quantitatively measures actual progress toward a specific security goal, in this case a particular change in human behavior. (Pescatore): A good effort as long as it is continuous. If they measure a month later, the number will likely drop quite a bit. If the process continues, they will likely find that the 11% improvement drops off quite a bit.]
And
—Half of Finance Managers Put Unsolicited USB Drive in Computers (25 January 2007) As a research project, a consulting firm sent USB sticks to finance directors at 500 firms in the UK. The memory devices purported to be invitations to “the Party of a Lifetime” with an anonymous sender but were actually part of an experiment. Nearly half of the finance directors inserted the stick into company computers. Media companies fared the worst in the experiment, with 65 percent putting the memory stick into computers. At technology, retail and transportation companies, the figure was between 38 and 39 percent. The devices could be used to plant malware on computer systems. http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick [Editor’s Note (Liston): While this test seems somewhat contrived, you really can’t argue with the results. Human curiosity is an incredibly strong motivator that will, more often than not, overwhelm common sense. If you found a USB key lying in the parking lot outside your workplace, what would YOU do? What would the majority of your co-workers do? (Schultz): The results of this research study further underscore the great need to reach management in security training and awareness efforts, something that is much too often completely overlooked. (Honan): This story illustrates how depending on your perimeter defences alone is no longer sufficient. Comprehensive security awareness programmes coupled with technical controls such as locked down desktops and USB port management are needed in the battle against ever increasingly sophisticated attackers. Using resources such as those provided by the Centre for Internet Security, http://www.cisecurity.org/, will help. For example, a simple registry entry on Windows machines will disable autoplay from any disk type, regardless of application HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.]
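The registry value Honan mentions is a bitmask, one bit per drive type, and the usual mistake is to set a partial value that still leaves removable media (the USB stick in the story) enabled. The following PowerShell script is an added example, not part of the NewsBites item or any CIS benchmark: it reads the current NoDriveTypeAutoRun policy, decodes which drive types still have AutoRun allowed, and sets the value to 0xFF (all types disabled) if it is anything else. The bit assignments follow the Win32 DRIVE_* drive-type constants; the stated Windows default of 0x91 is the value Windows uses when no policy is set.

```powershell
# Added example (not from the SANS item): audit and harden the NoDriveTypeAutoRun policy.
# Bit meanings for the DWORD, matching the Win32 DRIVE_* constants:
#   0x01 unknown, 0x02 no root directory, 0x04 removable (USB sticks),
#   0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 reserved.
# A set bit DISABLES AutoRun for that type. 0xFF disables it everywhere; the
# Windows default (0x91) still allows AutoRun on removable, fixed and CD-ROM drives.
$key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$name = 'NoDriveTypeAutoRun'
$want = 0xFF

function Get-AutoRunPolicy {
    # Returns the configured DWORD, or $null when no policy value exists.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Show-AutoRunPolicy([int]$value) {
    # Decode the mask so the operator sees exactly which drive types are still exposed.
    $types = @{ 0x04 = 'removable'; 0x08 = 'fixed'; 0x10 = 'network'; 0x20 = 'CD-ROM'; 0x40 = 'RAM disk' }
    foreach ($bit in ($types.Keys | Sort-Object)) {
        $state = if ($value -band $bit) { 'disabled' } else { 'ALLOWED' }
        '{0,-10} AutoRun {1}' -f $types[$bit], $state
    }
}

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Output 'No policy value set; the Windows default (0x91) applies.'
    $current = 0x91
}
Write-Output ('Current NoDriveTypeAutoRun = 0x{0:X2}' -f $current)
Show-AutoRunPolicy $current

if ($current -ne $want) {
    # Writing under HKLM requires an elevated shell; the Policies\Explorer key may not exist yet.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
    Write-Output ('Set NoDriveTypeAutoRun to 0x{0:X2}; Explorer reads the policy at logon.' -f $want)
}
```

Run it from an elevated PowerShell prompt; the decode step is the useful part on a fleet, since a partial value such as 0x95 looks “configured” but still allows AutoRun on CD-ROM and RAM disk. Two caveats a practitioner will want: later Windows updates already ignore autorun.inf on non-optical media by default, but the policy value remains the documented control that baseline checkers look for; and no AutoRun setting helps against a stick that presents itself as a keyboard rather than a disk, which is why the editor’s note pairs it with USB port management.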
Insane Password Policies
I can’t bookmark an email in del.icio.us, so I’ll just have to quote this little gem from the SAGE list.
Theodore Tso writes:
In another real world example, the security office set some obnoxious password policy that caused passwords to be impossible to remember, and then required changing said obnoxious passwords every 30 days. But this was at a company where the traders were making bazillions of dollars every day, and rule #1 was “thou should not piss off the traders, for they make your company rich and can go find a job with the competition”. So the company hired a set of runners who were given the traders’ passwords, and every morning before the traders came in, the runners would run around to all of the trading workstations and log in the traders so they wouldn’t have to.
Which elicited from Dan Geer, “for the record, I can corroborate the above.”