Take control of your staff
Posted: 16:04 08 Nov 2004
Topics: Security | Network Security
How do you make staff aware of the
latest social engineering ploys, teach them to protect company data
and stop them leaving work addresses in chatrooms? Lindsay Nicolle
reports
Six out of 10 UK employees regularly and knowingly put their
employers' businesses at risk of viruses and security violations.
Most access their private e-mail from their work desktops and
habitually enter their work e-mail addresses into chatrooms,
newsgroups and e-commerce websites.
These research findings come from a survey just published by YouGov
on behalf of security specialist NetIQ. They confirm that user
organisations are struggling to instil a culture of network security
awareness, even though the majority of staff admit to being well
aware of where and how a hacker or spammer might attack an
organisation.
It is a nightmare scenario for chief security officers and
boardroom members. Managers are uncomfortably aware that their
necks are on the line if their companies transgress the latest
stringent and punitive data protection laws or industry regulations
on corporate governance.
Ed Macnair, content security business manager at NetIQ EMEA, says,
"There is a massive window of opportunity for criminals." In this
respect, he says, employees can be an organisation's biggest
liability.
So what is the best approach to raising awareness of the
increasingly sophisticated social engineering ploys used by those
who set out to compromise networks? How can employers cultivate
staff who care about keeping the network secure?
Training staff on how to protect company networks and why it is
important to report all breaches of security policy is a major
cultural challenge.
"For most companies it is low on their list of priorities because
it is wrongly regarded as a cost, not a benefit," says Richard
Starnes, director of incident response at Cable & Wireless and
president of the Information Systems Security Association UK, a
membership forum for information security professionals and
practitioners.
"It is possible to develop a security culture, but you have to make
it worthwhile for staff to buy into it for it to be effective.
Money is the biggest incentive."
Starnes says that corporate asset protection should be written into
employees' job responsibilities and performances reviewed annually.
Adherence to the corporate security culture should influence
bonuses, salary rises - even candidates for redundancy.
At Cable & Wireless, the security message is drummed home from
an employee's first day in the company. All new employees attend a
security seminar covering physical procedures and information
security training.
Cable & Wireless also periodically holds security awareness days
where principles are put into practice. This may take the form of
an enhanced identity check at the front desk, a discussion about
the use of passwords for workstations or a full-blown evacuation
exercise.
"We also have mandatory online security quizzes and we are
developing a web-based 'security knowledge zone', where relevant
security information can be found using a simple point and click
method," says Starnes.
Training companies confirm that without such initiatives the
weakest link in the network security chain is staff, not
technology.
"Technology gets the finger pointed at it for failings, but it only
does what people tell it to," says Robert Chapman, co-founder of
The Training Camp, which runs accelerated learning courses.
"Awareness of the need for security has risen dramatically over the
past 12 months, but there are still some very large companies
struggling to implement strict security procedures and to educate
their staff.
"I predict that a FTSE 100 company will soon experience a very
large and costly disaster before everybody wakes up to the need for
greater security awareness."
Sectors already aware of their security responsibilities include
the military, IT suppliers and financial services companies. In
response to their demands, The Training Camp has just launched a
computer forensics qualification to help organisations train staff
in detecting computer crimes, including e-mail fraud, industrial
espionage and computer break-ins. The company also runs a certified
ethical hacking course which provides an insight into how criminals
use and abuse technology for their own ends.
As well as training staff, some companies are employing third
parties to test the robustness of their corporate security culture.
Securetest provides IT security penetration testing. It specialises
in acting out the kind of social engineering ploys adopted by those
attempting unlawful network access, revealing common areas of
corporate weakness and advising on ways to overcome them. One of
Securetest's favourite tricks is to dress up as printer engineers
to gain access to a network point. They are rarely questioned or
asked for identification.
Clearly, action is needed to protect networks from company
staff, be it from unwitting misuse or deliberate abuse. "Tough
though it seems, it is the responsibility of employers to take a
hard line in protecting against offensive spam by educating
employees of the risks of introducing jokes, home e-mail and
non-work laptops into the work environment," says Macnair.
He suggests tackling rogue employees by creating a corporate usage
policy. Employees would be informed of appropriate internet use and
time restrictions. Setting this out in black and white helps reduce
the risk of legal liability if employees break the law and it also
increases staff productivity.
Companies should also implement an identity management system which
records who has access to which part of the network, so that
managers can see what has been changed, by whom and why. They
should also restrict to a small number of named employees the
ability to set group policies or alter end-user account information,
and review that list regularly, since a privileged group that grows
unchecked defeats the purpose of having one.
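One way to turn that recommendation into a repeatable check, as an added example that is not from the article or from any product it names: review a directory export of privileged-group memberships against an approved list, flag anyone who granted themselves access or has no change record behind the grant, and report any group that has grown past the agreed headcount. The group names, accounts and change-ticket format below are constructed for the example.

```python
"""Privileged-access review over a constructed directory export.

Added example; the group names, accounts and ticket references are
hypothetical and stand in for whatever the real directory exports.
"""

# Constructed export: (account, group, granted_by, change_ticket)
MEMBERSHIPS = [
    ("alice", "GroupPolicyAdmins", "bob", "CHG-101"),
    ("bob", "GroupPolicyAdmins", "alice", "CHG-102"),
    ("carol", "AccountAdmins", "bob", "CHG-103"),
    ("dave", "AccountAdmins", "dave", ""),        # self-granted, no ticket
    ("erin", "GroupPolicyAdmins", "bob", "CHG-104"),  # never approved
    ("frank", "Staff", "hr-sync", "AUTO"),         # not a privileged group
]

# Groups whose members can change group policies or user accounts
PRIVILEGED = {"GroupPolicyAdmins", "AccountAdmins"}

# The named employees management has agreed may hold each role
APPROVED = {
    "GroupPolicyAdmins": {"alice", "bob"},
    "AccountAdmins": {"carol"},
}


def review(memberships, approved, privileged):
    """Return (account, group, reason) findings for privileged memberships
    that are unapproved, self-granted, or lack a change record."""
    findings = []
    for account, group, granted_by, ticket in memberships:
        if group not in privileged:
            continue
        if account not in approved.get(group, set()):
            findings.append((account, group, "not on approved list"))
        if granted_by == account:
            findings.append((account, group, "self-granted"))
        if not ticket:
            findings.append((account, group, "no change record"))
    return findings


def over_limit(memberships, privileged, limit):
    """Return {group: member_count} for privileged groups larger than limit."""
    counts = {}
    for account, group, _granted_by, _ticket in memberships:
        if group in privileged:
            counts.setdefault(group, set()).add(account)
    return {g: len(m) for g, m in counts.items() if len(m) > limit}


if __name__ == "__main__":
    for finding in review(MEMBERSHIPS, APPROVED, PRIVILEGED):
        print("FINDING:", *finding)
    for group, n in over_limit(MEMBERSHIPS, PRIVILEGED, 2).items():
        print(f"HEADCOUNT: {group} has {n} members, limit is 2")
```

Run against the constructed export this reports dave (unapproved, self-granted, no ticket) and erin (unapproved), and notes that GroupPolicyAdmins has outgrown its two-person limit. The same three questions, who approved this, who made the change, and what record backs it, are what the audit trail the article describes needs to answer.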
John Roese, chief technology officer at network security specialist
Enterasys, argues strongly for simplicity in selling the network
security message to staff to ensure it sticks.
"Keep it simple, communicate in English, make it relevant, educate
your staff about the risks and threats and keep your security
policy up-to-date," says Roese.
Controversially, Roese supports a single password, or better still
a token such as an RSA token, as the credential for all network,
computing and application access, on the grounds that it reduces
the incidence of the infamous "password sticky notes" on monitors
and keyboards. The trade-off is that one credential which unlocks
everything is also one credential for an attacker to steal, which is
why the hardware token, rather than one password reused everywhere,
is the stronger form of the idea.
He also believes that staff are turned off by security because the
language used to describe it is too complex. Instead of using terms
such as authentication, authorisation, authenticity and credential,
organisations should write security policies in basic English.
These should be created as a high-level and intuitive set of "10
commandments" rather than as booklets of security regulations which
only end up unread and gathering dust.
Imposing a security culture in this way provides some system
protection, but total staff buy-in to the need to be personally
responsible for corporate assets may only come when the message is
championed by top management.
"The only way you really raise security awareness is by changing
people's behaviour, which means changing the corporate culture,"
says Andrew Wilson, project manager with the Information Security
Forum, an independent organisation with some 260 international
public and private sector members.
"You cannot do this by sending around security booklets and
messages on mouse mats. It has to be driven from the top of the
organisation by the chief executive.
"When a chief executive puts out a strong message that system
security is important, it can instigate behavioural change within
an organisation and create a strong security awareness
culture."
Maxine Holt, senior research analyst at Butler Group, agrees. "All
security must be based on policy, which in turn must be determined
at board level," she says.
"If there is no commitment from the top, security is very difficult
to implement. Policies are the glue that holds everything together
and any security product is only as good as the policy enables it
to be," she says.
Further advice on network security awareness
www.sans.org/rr/papers/47/1179.pdf
www.issa.org/gaisp/gaisp.html
www.securetest.com
The evolution of social engineering ploys
Social engineering describes a non-technical kind of network
intrusion which relies heavily on human interaction. It involves
tricking people into breaking normal security procedures, typically
appealing to their vanity, authority, or naive willingness to
please.
Old methods of social engineering include:
- Shoulder surfing (watching keystrokes)
- Calling unsuspecting key personnel to gain unauthorised access
and information
- Appealing to authority with urgent problems that need to be
solved right now
- Playing dumb to gain privileges
New methods of social engineering include:
- Peer-to-peer networks (Trojans and worms disguised as music,
movies, and software)
- Instant messaging and chat (bots, backdoors, zombies)
- Malicious websites (embedded links to sites)
- Phishing websites
- Spyware/keyloggers (disguising applications to collect information)
Case study: Northcliffe Newspapers Group
Protecting your company against external network threats is just one half of the security equation. The South East section of regional newspaper giant Northcliffe Newspapers Group has long had system protection against external network threats, such as malicious mobile code, spyware and bandwidth-intensive streaming media. (The company uses Websense's security software, Enterprise Premium Group 3.)
However, Northcliffe was acutely aware that it needed to do more to safeguard its network from an internal company perspective. "Although we had protection to prevent unwanted visitors coming in via our e-mail system, we were unable to monitor whether any desktops on the LAN might already have spyware on them as a result of end-users inadvertently downloading malicious applications and hacking tools," says Antony Wiltshire, IT manager for the South East region of Northcliffe.
To underline to staff the importance of system security awareness at all times, Wiltshire took the step of blocking all modem connections on laptops, preventing external access to potentially harmful applications which could affect the network.
The Websense Enterprise package already controlled system access to the internet by the region's 320 staff by blocking certain websites deemed inappropriate or non-business related. Wiltshire then bought 300 licences for Websense Client Policy Manager, a product which extends the web filtering capabilities of Websense Enterprise to corporate desktops.
Client Policy Manager increases security by blocking unauthorised applications and can boost employee productivity by preventing the unauthorised installation of inappropriate and non-business related applications.
"Client Policy Manager helps us deal with the worry of employees inadvertently disclosing information," says Wiltshire. "An employee might not even know they have downloaded and installed a piece of spyware onto their system. Meanwhile, it could be giving out their keystrokes and other confidential information to an external party.
"All it takes is someone with a CD to load a programme onto the network and we might not necessarily know about it. As there might be thousands of programmes we do not know exist, we have decided to take the approach of telling employees they are only allowed to run authorised applications."
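The policy Wiltshire describes, only authorised applications may run, is application allowlisting. The following is an added example of the decision logic behind it, not code from the article or from Websense's product: every executable is identified by the SHA-256 of its contents, anything not in the approved catalogue is denied by default, and the file name plays no part in the decision. The catalogue, the byte strings standing in for executables, and the launch attempts are all constructed for the example.

```python
"""Default-deny application allowlist keyed on content hash.

Added example; the "executables" are short constructed byte strings
and the catalogue of approved software is hypothetical.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the approved builds' file contents.
APPROVED_BYTES = {
    "wordproc.exe": b"MZ...wordproc build 7.1",
    "cms-client.exe": b"MZ...cms client 2.0",
}

# The allowlist is keyed on the hash, not the name, so a renamed copy
# of an approved build is still recognised and a tampered or unknown
# file with a familiar name is not.
ALLOWLIST = {sha256(contents): name for name, contents in APPROVED_BYTES.items()}


def decide(filename: str, contents: bytes, allowlist: dict) -> tuple:
    """Return ("allow", approved_name) or ("deny", None) for a launch attempt."""
    digest = sha256(contents)
    if digest in allowlist:
        return ("allow", allowlist[digest])
    return ("deny", None)


def audit(attempts, allowlist):
    """Run a batch of (filename, contents) launch attempts and return a
    list of (filename, decision, reason) rows suitable for a log."""
    rows = []
    for filename, contents in attempts:
        decision, name = decide(filename, contents, allowlist)
        if decision == "allow":
            reason = f"matches approved build {name}"
        else:
            reason = "hash not in catalogue"
        rows.append((filename, decision, reason))
    return rows


# Constructed launch attempts: an approved build, the same build renamed,
# a file with an approved name but different contents, and an unknown file.
ATTEMPTS = [
    ("wordproc.exe", APPROVED_BYTES["wordproc.exe"]),
    ("game.exe", APPROVED_BYTES["wordproc.exe"]),
    ("wordproc.exe", b"MZ...wordproc with extra payload"),
    ("screensaver.exe", b"MZ...something from a CD"),
]

if __name__ == "__main__":
    for row in audit(ATTEMPTS, ALLOWLIST):
        print(*row)
```

The third and fourth attempts are the cases Wiltshire is worried about: a program brought in on a CD, or an approved program's name reused by something else. Both are denied because the decision never consults the name, while the renamed copy in the second attempt is allowed for the same reason.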
To ensure full employee co-operation in locking down the systems, Wiltshire kept everyone involved at every stage of the policy implementation through e-mails and management meetings.
"At the end of the day, for a network security roll-out to be effective, you need employee co-operation," says Wiltshire.
"It was important they understood the policies that were being put in place, the reasons why, and that this would benefit them all individually by making their working environment a safer place."
Today, the network security systems and improved end-user awareness of the need for a strong security culture have brought control over network access back to the IT department. Controls now extend from the internet gateway to individual desktop machines.
The success of Client Policy Manager within the South East region has encouraged Northcliffe to roll out its network security ethos nationwide. The company's 20 daily titles, 27 paid-for weeklies and 23 regional news and information portals now fall under the same policy, covering Northcliffe's 5,000-plus employees.
This article is part of Computer Weekly's Special Report on
network security produced in association with Microsoft
www.microsoft.com/uk/security