Day 11: Stupidity School (I mean Education)
Submitted by Mike Rothman on Fri, 2006-01-27 11:14.
Though they may find it distasteful, security professionals will be forced to undertake a structured and comprehensive education program to stop employees from doing stupid things. Given the sophistication of attacks and the difficulty of stopping them at the perimeter, educated personnel may be the only defense.
Newsflash: Social Engineering still works. I get that at times I tend to be the master of the obvious. Recently, IBM Research did a survey that pinpointed the user as the weakest link in the security chain. There is still a large economic incentive to gather users' private information, but as in seemingly every other business, margins are decreasing as competition increases. Urban legend has it that as recently as 24 months ago, it cost over $5,000 to buy 1000 stolen credit cards. Now that costs less than $500. I don't spend time trying to buy these things, so I haven't actually confirmed the pricing, but nonetheless it shows that the economics of hacking aren't much different than everything else. Competition brings commoditization.
In the face of decreasing margins, the hackers must become more efficient in how they steal information. I know it's strange to think about the economic pressures on hackers, but it will be influencing their tactics. They need to find the path of least resistance, and that is the user.
Another way to look at the issue is to get a feel for what you are potentially up against. I recently read Ira Winkler’s write-up of a two-day penetration testing engagement (I'll update the post when I can find the link). It’s fascinating (and downright scary) to read about the tactics his firm uses to compromise “secure” environments. The thing that struck me is how easy it was for the consultants to get access to anything they needed (and lots of stuff they didn’t).
Both IBM's survey and the penetration testing article reinforce the same fact. There are lots of exposures, but none more dangerous than your own employees. In a second, they can compromise the security that you spend millions on.
So, if you don’t already have one, your first priority needs to be a structured, formal and mandatory security-training program for all employees. Your Internet and email usage policies must be updated and every employee needs to sign them, preferably in blood. Finally you need to enforce the policies.
Let’s start with the training program. This is probably a couple hour session that describes the typical threats employees will face on a daily basis. They need to clearly understand the risks of unknown attachments, phishing messages, social engineering, spyware, etc. Use lots of examples. Make sure they don’t stick passwords on their monitors. You know, stop the silly stuff like that. Tell a horror story. Shock the crowd and get their attention. Also make sure employees understand the consequences of violating the usage policies.
Clearly, receptionists, help desk and customer support workers need more specific training to deal with social engineering tactics. They are on the front line, which is usually the first point of attack. If an attacker can get physical access to your network, you are cooked. It's very, very difficult to stop them once they're on the inside. It's critical that these front-line employees learn to recognize those techniques and know how to respond if something does occur.
I know this is not fun for security professionals. Most are resigned to the fact that users will always do stupid things, so why even bother to train them? Fact is, you can’t give up the ghost. There are too many holes to plug. Too many attack vectors. Too much risk. You can’t totally solve the problem with technical measures. Don’t be too proud to ask for help. Your employees can help by learning not to do stupid things.
How do you make it stick? Policies are usually not worth the paper they are written on because when it gets down to it terminating a good, productive employee for exercising poor judgment is hard. Get over it. If you want your policies to have teeth, you need to bite something. Or wait for the employment lawyers to bite you when some situation becomes messy.
That’s right, I’m recommending you hold a public execution for the next reasonably serious policy violation. Yes, it’s heartless and yes, it’s necessary.
I used to be in the email security business and you’d be absolutely amazed at the things people would put in an email to be sent both inside and outside of the organization. Messages depicting sexual trysts between employees very graphically. That’s only the tip of the iceberg. Buy me a beer at RSA and I’ll tell you a million of these.
These people need to be fired. You need to take them into the public square and make an example out of them, so the rank and file know you are serious. Sort of like the penalty for robbery in Saudi Arabia being the removal of a hand. Not sure if that is still the penalty, but I'm sure that got a lot of folks' attention. But it's critical that this is enforced equally. A VP (or above) cannot be exempt or, again, the policy has no teeth.
I get that you don’t have time to get into the education business, but there are plenty of folks that can bring packaged programs and implement the training curriculum for your organization. Drop me a note and I can point you in the right direction. Also make sure to work closely with HR on this process, maybe even having them drive it since ultimately they clean up the mess when something goes down.
But don't forget about it. Under a full-fledged social engineering attack, an educated user may be your only defense.
That’s Day 11. The next and last Incite deals with a tectonic shift about to occur in vendor-land. Nothing less than the security architecture of the future is at stake.