Security training: A call to arms

SearchSecurity expert Neal O'Farrell explains why employees should be educated about security and why they often are not.

If your defense against hackers is beginning to feel as tech-heavy as the NASDAQ, then listen up. There's a growing consensus in both the hacking and the security community that your biggest vulnerability, and best defense, have nothing to do with technology at all and may, in fact, already be on your payroll. In my wanderings at various conferences this year, I asked a number of security experts and hackers to share their thoughts on this subject.

"Employees are a very good intrusion vector," says Nightstalker, a ten-year member of hacking group Cult of the Dead Cow, confirming a widely held view that company employees could be either your cheapest line of defense against an endless legion of threats, or the sleeping sentries that let hackers over the barricades. Nightstalker did some informal polling amongst the hacker elite at the annual DefCon hacker gathering in Las Vegas in July. "Pretty much all of them said that. Everything from [intruders] social engineering them to [employees] just plain doing dumb things," he says.

Employees are a hot target for hackers for numerous reasons, and their willingness to help telephone callers makes them especially vulnerable to social engineering by hackers posing as legitimate employees. "It's pretty shocking to hear that the old 'Hi, this is Fred from accounting. What's the new password again?' call to the helpdesk trick still works so well these days," says Nightstalker.

Poor password habits are also a favorite target among hackers, who can guess, steal, con, or crack the most commonly used passwords with little effort. According to the SANS Institute, a hacker running a password-cracking program on a 433MHz PC can test 250,000 login/password combinations in less than 60 seconds.

The growing population of home workers, telecommuters and mobile workers is easy pickings for hackers and virus authors looking for more vulnerable off-site or remote users, especially if these employees use poorly designed VPNs to access corporate networks.

Employees should play a significant role in security, according to Roger Younglove, a senior consulting member of Lucent Worldwide Services--Information Security, in Southfield, Mich. "Each employee is responsible for their own workstation and e-mail," he says. "They are the ones that allow the attacks to happen because of their lack of knowledge in security."

Lucent has approximately 60,000 employees spread across more than sixty countries and knows firsthand what a hack feels like. In November 2000, the company successfully fought off a hack attack launched by pro-Palestinian hacktivists. Lucent credited lessons learned from the Melissa virus the previous March for raising the level of security awareness at the company.

To train, or not to train

Security departments may be the victims of their own success. The more successful they are at defeating hackers on the network front, the greater the likelihood that hackers will be forced to attack the much weaker flank of the workforce. That reality has convinced many security professionals that employee education ranks just as high as the latest air gaps, honey pots or mantraps. "Technology is filled with flaws -- that's proven almost daily," says Stan Gatewood, Chief Information Assurance Officer for the Office of Information Assurance at the University of Southern California, in Los Angeles. "Logical security has its limitations as well and relies on policies. And we all know that enforcing policies is like pulling a rope. But awareness, training and education could prove to be the most solid of foundations for infosec, far more sturdy than technology or logical security."

But when your workforce can be both a vulnerability and a defense, the training decision may not be an easy one. If your workforce is actually an army of sleeping sentries just waiting for a call to arms, what impact could this global force have on your fight against hackers and on your security budget? On the other hand, if each employee is little more than a weak lock waiting to be picked by a hacker, where are you going to find the money to guard tens of thousands of doors spread throughout offices around the globe?

Sorry, but I've got a headache

Some security departments continue to take a rain check on employee security training because the solution is often a bigger headache than the problem. "Until senior management puts a verbal bomb over every employee's head, there will always be many employees who do not give a hang about security," says Jeffrey Lowenstein, principal consultant with Great Neck Computer Security & Controls in New York. Apathy apart, the biggest challenge may be finding room in the budget, especially for the cost of giving every employee a sufficiently large dose of security education to ensure that the vaccination takes. A June 2001 survey by Information Security magazine found that security budgets are not immune to cuts. Two-thirds of all respondents to the survey said their security budgets have either been cut (43%) or temporarily frozen (23%), according to the magazine. When budgets are tight, security pros may be tempted to invest the bulk of their budget in technology, on the premise that if an attacker slips past the perimeter, it's easier to blame the technology than their co-workers.

At the other extreme, overtraining can also send the security department running for the ibuprofen. Too much focus on employee participation in security could turn employees into freelance vigilantes, swamp the undermanned security department with a flurry of false alarms or cause employees to feel so paranoid or guilty they tremble at the telltale "ping" of a newly arrived e-mail.

Working in the state of vigilance

GCHQ is Great Britain's ultra-secret electronic eavesdropping center. Nestled in the English countryside on the outskirts of the picture-postcard town of Cheltenham, the Government Communications Headquarters has long been a hot target for spies, terrorists and hackers. As employees of the spy center round the corner of Rabbit Warren Lane to the main entrance of the compound, they're greeted by a large sign above the security gate that warns "The State of Vigilance is ...," followed by a color that represents the level of security vigilance for that day. The sign is not intended to be a warning to attackers, but a daily reminder to every employee about the importance of constant vigilance in an environment of constant threat. I'm not suggesting that every corporate HQ in America place a giant neon warning sign next to their six-foot-high steel logo, but maybe the folks of Cheltenham could teach us a lesson.

Security as a culture

Security can no longer be seen as a task, chore or set of rules. For it to really work, security must become a culture, and there's never been a better time to evangelize that theme. Security as a culture strives to make all employees think about security all the time, for every decision and before every action. When security is as second nature as being polite to customers, it should kick in automatically without regular training and constant reminders. Even three years ago the very suggestion would simply have confirmed employee suspicions about the sanity of the security department. But today, almost every employee will have been exposed to the cybercrime bug and its impact on every aspect of their personal and professional business.

About the author
Neal O'Farrell is CEO of Hackademia, a firm focused on security education. He's a twenty-year veteran of information security, former hacker and original Code Rebel.

This was first published in December 2001