How do you make staff aware of the latest social engineering ploys, teach them to protect company data and stop them leaving work addresses in chatrooms? Lindsay Nicolle reports
Six out of 10 UK employees regularly and knowingly put their employers' businesses at risk of viruses and security violations. Most access their private e-mail from their work desktops and habitually enter their work e-mail addresses into chatrooms, newsgroups and e-commerce websites.
These research findings come from a survey just published by YouGov on behalf of security specialist NetIQ. They confirm that users are struggling to instill a culture of network security awareness within their organisations, even though the majority of staff admit to being well aware of where and how a hacker or spammer might attack an organisation.
It is a nightmare scenario for chief security officers and boardroom members. Managers are uncomfortably aware that their necks are on the line if their companies transgress the latest stringent and punitive data protection laws or industry regulations on corporate governance.
Ed Macnair, content security business manager at NetIQ EMEA, says, "There is a massive window of opportunity for criminals." In this respect, he says, employees can be an organisation's biggest liability.
So what is the best approach to raising awareness of the increasingly sophisticated social engineering ploys used by those who can compromise networks? How can users cultivate staff who care about keeping the network secure?
Training staff on how to protect company networks and why it is important to report all breaches of security policy is a major cultural challenge.
"For most companies it is low on their list of priorities because it is wrongly regarded as a cost, not a benefit," says Richard Starnes, director of incident response at Cable & Wireless and president of the Information Systems Security Association UK, a membership forum for information security professionals and practitioners.
"It is possible to develop a security culture, but you have to make it worthwhile for staff to buy into it for it to be effective. Money is the biggest incentive."
Starnes says that corporate asset protection should be written into employees' job responsibilities and their performance against it reviewed annually. Adherence to the corporate security culture should influence bonuses, salary rises - even the choice of candidates for redundancy.
At Cable & Wireless, the security message is drummed home from an employee's first day in the company. All new employees attend a security seminar covering physical procedures and information security training.
Cable & Wireless also periodically holds security awareness days where principles are put into practice. This may take the form of an enhanced identity check at the front desk, a discussion about the use of passwords for workstations or a full-blown evacuation exercise.
"We also have mandatory online security quizzes and we are developing a web-based 'security knowledge zone', where relevant security information can be found using a simple point and click method," says Starnes.
Training companies confirm that without such initiatives the weakest link in the network security chain is staff, not technology.
"Technology gets the finger pointed at it for failings, but it only does what people tell it to," says Robert Chapman, co-founder of The Training Camp, which runs accelerated learning courses.
"Awareness of the need for security has risen dramatically over the past 12 months, but there are still some very large companies struggling to implement strict security procedures and to educate their staff.
"I predict that a FTSE 100 company will soon experience a very large and costly disaster before everybody wakes up to the need for greater security awareness."
Users already aware of their security responsibilities are the military, IT suppliers and financial services companies. In response to their demands, The Training Camp has just launched a computer forensics qualification to help users train staff in detecting computer crimes, including e-mail fraud, industrial espionage and computer break-ins. The company also runs a certified ethical hacking course which provides an insight into how criminals use and abuse technology for their own ends.
As well as training staff, some companies are employing third parties to test the robustness of their corporate security culture. Securetest provides IT security penetration testing. It specialises in acting out the kind of social engineering ploys adopted by those attempting unlawful network access, revealing common areas of corporate weakness and advising on ways to overcome them. One of Securetest's favourite tricks is to dress up as printer engineers to gain access to a network point. They are rarely questioned or asked for identification.
Clearly, action is needed to protect networks from company staff, be it from unwitting misuse or deliberate abuse. "Tough though it seems, it is the responsibility of employers to take a hard line in protecting against offensive spam by educating employees of the risks of introducing jokes, home e-mail and non-work laptops into the work environment," says Macnair.
He suggests tackling rogue employees by creating a corporate usage policy. Employees would be informed of appropriate internet use and time restrictions. Setting this out in black and white helps reduce the risk of legal liability if employees break the law and it also increases staff productivity.
Companies should also implement an ID management system which makes it clear who has access to which part of the network. This way managers can view why changes have been made and by whom. They should also make only a limited number of employees responsible for setting group policies or end-user account information.
John Roese, chief technology officer at network security specialist Enterasys, argues strongly for simplicity in selling the network security message to staff to ensure it sticks.
"Keep it simple, communicate in English, make it relevant, educate your staff about the risks and threats and keep your security policy up-to-date," says Roese.
Controversially, Roese supports single passwords, or even better, tokens, such as an RSA token, as credentials for all network, computing and application access as they reduce the incidence of infamous "password sticky notes" on monitors and keyboards.
He also believes that staff are turned off by security because the language used to describe it is too complex. Instead of using terms such as authentication, authorisation, authenticity, credential and others, users should write security policies in basic English. These should be created as a high-level and intuitive set of "10 commandments" rather than as booklets of security regulations which only end up unread and gathering dust.
Imposing a security culture in this way provides some system protection, but total staff buy-in to the need to be personally responsible for corporate assets may only come when the message is championed by top management.
"The only way you really raise security awareness is by changing people's behaviour, which means changing the corporate culture," says Andrew Wilson, project manager with the Information Security Forum, an independent organisation with some 260 international public and private sector members.
"You cannot do this by sending around security booklets and messages on mouse mats. It has to be driven from the top of the organisation by the chief executive.
"When a chief executive puts out a strong message that system security is important, it can instigate behavioural change within an organisation and create a strong security awareness culture."
Maxine Holt, senior research analyst at Butler Group, agrees. "All security must be based on policy, which in turn must be determined at board level," she says.
"If there is no commitment from the top, security is very difficult to implement. Policies are the glue that holds everything together and any security product is only as good as the policy enables it to be," she says.
Further advice on network security awareness
The evolution of social engineering ploys
Social engineering describes a non-technical kind of network intrusion which relies heavily on human interaction. It involves tricking people into breaking normal security procedures, typically appealing to their vanity, authority, or naive willingness to please.
Old methods of social engineering include:
- Shoulder surfing (watching keystrokes)
- Calling unsuspecting key personnel to gain unauthorised access and information
- Appealing to authority with urgent problems that need to be solved right now
- Playing dumb to gain privileges
New methods of social engineering include:
- Peer-to-peer networks (Trojans and worms disguised as music, movies, and software)
- Instant messaging and chat (bots, backdoors, zombies)
- Malicious websites (embedded links to sites)
- Phishing websites
- Spyware/keyloggers (disguising applications to collect information).
Case study: Northcliffe Newspapers Group
Protecting your company against external network threats is just one half of the security equation. The South East section of regional newspaper giant Northcliffe Newspapers Group has long had system protection against external network threats, such as malicious mobile code, spyware and bandwidth-intensive streaming media. (The company uses Websense's security software, Enterprise Premium Group 3.)
However, Northcliffe was acutely aware that it needed to do more to safeguard its network from an internal company perspective. "Although we had protection to prevent unwanted visitors coming in via our e-mail system, we were unable to monitor whether any desktops on the Lan might already have spyware on them as a result of end-users inadvertently downloading malicious applications and hacking tools," says Antony Wiltshire, IT manager for the South East region of Northcliffe.
To underline to staff the importance of system security awareness at all times, Wiltshire took the step of blocking all modem connections on laptops, preventing external access to potentially harmful applications which could affect the network.
The Websense Enterprise package already controlled system access to the internet by the region's 320 staff by blocking certain websites deemed inappropriate or non-business related. Wiltshire then bought 300 licences for Websense Client Policy Manager, a product which extends the web filtering capabilities of Websense Enterprise to corporate desktops.
Client Policy Manager increases security by blocking unauthorised applications and can boost employee productivity by preventing the unauthorised installation of inappropriate and non-business related applications.
"Client Policy Manager helps us deal with the worry of employees inadvertently disclosing information," says Wiltshire. "An employee might not even know they have downloaded and installed a piece of spyware onto their system. Meanwhile, it could be giving out their keystrokes and other confidential information to an external party.
"All it takes is someone with a CD to load a programme onto the network and we might not necessarily know about it. As there might be thousands of programmes we do not know exist, we have decided to take the approach of telling employees they are only allowed to run authorised applications."
To ensure full employee co-operation in locking down the systems, Wiltshire kept everyone involved at every stage of the policy implementation through e-mails and management meetings.
"At the end of the day, for a network security roll-out to be effective, you need employee co-operation," says Wiltshire.
"It was important they understood the policies that were being put in place, the reasons why, and that this would benefit them all individually by making their working environment a safer place."
Today, the network security systems and improved end-user awareness of the need for a strong security culture have brought control over network access back to the IT department. The network is now fully protected, from the internet gateway to individual desktop machines.
The success of Client Policy Manager within the South East region for Northcliffe has encouraged the group to roll out its network security ethos nationwide. The company's 20 daily titles, 27 paid-for weeklies and 23 regional news and information portals are now protected by Northcliffe's 5,000-plus network security-conscious employees.
This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft
This was first published in November 2004