Dear readers,
In my last post (http://isqworld.com/2008/09/17/part-1-security-awareness-is-not-good-security-behavior/) I mentioned the difference between “Awareness” and “Behavior”. “Awareness” means “I know”; “Behavior” means “I know and I do”. The gap between “Awareness” and “Behavior” can be reduced by “Enforcement”.
Let me explain with two case studies, in which we used simple but powerful enforcement strategies that changed user behavior regarding information security.
Case study 1 – In this case the customer was an Offshore Development Company based in India with a primarily young workforce. The challenges the company faced were as follows:
1) The workforce was downloading songs and videos and storing them on office systems
2) The company had a strict policy that employees should not forward the jokes, porn content etc. that they received. The justification was that “what comes into the Inbox” is not in one’s hands, but what goes out definitely is
3) Connecting external devices to office systems was disallowed
We devised a simple audit strategy whereby we would audit systems at random, without notice. But there was a psychological strategy we employed as well: we would audit the system and confirm the findings with the employee, in his presence. We used a hard copy audit sheet and noted down the following:
1) Name of the employee
2) Employee ID
3) Time and date of the audit
4) Serial number of the computer or the laptop
5) Violations, if any; if there were no violations, that too was noted
Once this was done, the auditee was asked to confirm the findings and SIGN the document. The auditor would then sign it too.
Now, there were some instances when the auditee refused to sign the document. In that case the auditor would note “AUDITEE refused to sign” and inform the information security officer. The information security officer would then call the employee or ask for a meeting to explore the reasons why.
Now, many readers may be thinking, “what’s so great about this strategy?”. The answer is that the greatness is not in the strategy but in CONSISTENT REPETITION. To understand this, please view this graph before proceeding – http://www.isqworld.com/wp-content/uploads/enforcement.pdf
In the graph you will see that there was no major change in the “non-compliance” figures for the first 9 months. But between the 9th and 12th month there was a sudden dip in non-compliance (almost 35%). What was the reason? The answer is:
1) Employees understood that this audit was serious business and not a once-in-a-blue-moon activity
2) Employees realized that an audit could happen at any time and there were no exceptions
3) When a few employees were called for a meeting with the information security officer, the news spread like wildfire (thanks to corporate gossip culture)
So, there is no magic formula, just good old repetition of enforcement strategies.
Case study 2 – This is an interesting case study. The client is an electronics retail chain and pretty old fashioned; in fact the CEO of the company started using a computer only in 2007. The client has 22 branches that sell electronic goods, and the sales system is powered by an ERP application. Each branch manager has a login and password with which he authorizes a sale and notifies the warehouse to ship the item. As often happens, the managers started sharing their passwords with cashiers because they wanted to avoid the hassle of entering the password numerous times during the day. Soon an instance of fraud occurred.
The solution the company found was simple. The company conducts financial audits of each branch office every week. They incorporated a simple information security audit with 4 check-points into the financial audit procedure:
1) Is the ERP system “logged-in and unattended”?
2) Are food items or drinks kept near the computer?
3) Has the manager changed the password as required?
4) Has the anti-virus been updated?
Any violation has a simple penalty. For the first violation the manager received a “memo”. For the second, the manager lost 5% of his annual bonus. The annual bonus was an assured component equal to 2 months’ gross pay.
The system worked like a charm and there is hardly any non-compliance.
Now, I request you to go back to my document – http://www.isqworld.com/wp-content/uploads/enforcement.pdf – and see pages 2 and 3. I have explained the simple concept behind enforcement as a graph.
1) Graph 1 shows that people make security trade-offs (i.e. don’t give importance to security) when there is personal inconvenience. It is like jumping traffic signals when you are in a hurry
2) Graph 2 shows that if there is a “COST” attached to a trade-off, then the trade-off will reduce. The COST can be TIME, MONEY, QUALITY OF LIFE etc. For example, in case study 2, the electronics retail chain linked every security trade-off to a loss of money for the manager. So, if there were a system of automatic fining of Rs. 5000/- for every jumping of a traffic signal, then soon no one would jump traffic signals.
So, what is your enforcement strategy? What is the cost you plan to impose on employees for every security trade-off? And are you prepared to be consistent and repetitive with the enforcement?
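The weekly check and the escalating penalty of case study 2, written out as an added example (this is illustrative code, not the retailer’s own audit tooling). The four checkpoints are the ones listed above; the 30-day password rotation period, the 2-day anti-virus staleness threshold, the rule that every violation after the second also costs 5%, and the sample audit records are assumptions constructed for the example.

```python
"""Weekly branch audit with escalating penalty, modelled on case study 2.

Added example; not the retailer's own tooling. The four checkpoints are the ones
listed in the post. The password rotation period, the anti-virus staleness
threshold, the rule that every violation after the second also costs 5%, and the
sample audit records are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=30)  # assumed rotation policy ("changed as required")
AV_MAX_STALENESS = timedelta(days=2)   # assumed: signatures older than this = "not updated"
BONUS_PENALTY_PERCENT = 5              # from the post: a repeat violation costs 5% of the bonus
BONUS_MONTHS = 2                       # from the post: assured bonus = 2 months' gross pay


@dataclass(frozen=True)
class BranchAudit:
    """One week's security checkpoints for one branch (constructed sample data)."""
    branch: str
    audit_date: date
    erp_session_unattended: bool   # checkpoint 1
    food_near_terminal: bool       # checkpoint 2
    password_changed_on: date      # checkpoint 3
    av_signatures_on: date         # checkpoint 4


@dataclass
class ManagerRecord:
    """Running enforcement state for one branch manager."""
    violations: int = 0
    memos: int = 0
    bonus_deductions: int = 0


def checkpoint_violations(a: BranchAudit) -> list[str]:
    """Evaluate the four checkpoints and return the ones that failed."""
    failed = []
    if a.erp_session_unattended:
        failed.append("ERP logged in and unattended")
    if a.food_near_terminal:
        failed.append("food or drink near the computer")
    if a.audit_date - a.password_changed_on > PASSWORD_MAX_AGE:
        failed.append("password not changed as required")
    if a.audit_date - a.av_signatures_on > AV_MAX_STALENESS:
        failed.append("anti-virus not updated")
    return failed


def apply_penalty(rec: ManagerRecord) -> str:
    """Escalate: the first violation is a memo, every later one a bonus deduction
    (the post defines the first two steps; repeating the deduction is an assumption)."""
    rec.violations += 1
    if rec.violations == 1:
        rec.memos += 1
        return "memo"
    rec.bonus_deductions += 1
    return "bonus deduction"


def run_weekly_audits(audits: list[BranchAudit]) -> dict[str, ManagerRecord]:
    """Process audits in date order; an audit with any failed checkpoint counts as one violation."""
    records: dict[str, ManagerRecord] = {}
    for a in sorted(audits, key=lambda x: x.audit_date):
        rec = records.setdefault(a.branch, ManagerRecord())
        if checkpoint_violations(a):
            apply_penalty(rec)
    return records


def bonus_deduction(monthly_gross_pay: float, rec: ManagerRecord) -> float:
    """Money lost from the assured annual bonus (2 months' gross pay, per the post)."""
    annual_bonus = BONUS_MONTHS * monthly_gross_pay
    return annual_bonus * BONUS_PENALTY_PERCENT * rec.bonus_deductions / 100


# Constructed sample: three weekly audits of branch B07 and one of B12.
SAMPLE_AUDITS = [
    BranchAudit("B07", date(2008, 9, 5), False, False, date(2008, 8, 20), date(2008, 9, 5)),    # clean
    BranchAudit("B07", date(2008, 9, 12), True, False, date(2008, 8, 20), date(2008, 9, 12)),   # unattended -> memo
    BranchAudit("B07", date(2008, 9, 19), False, False, date(2008, 8, 20), date(2008, 9, 15)),  # AV 4 days stale -> 5% of bonus
    BranchAudit("B12", date(2008, 9, 12), False, True, date(2008, 9, 1), date(2008, 9, 12)),    # food -> memo
]

if __name__ == "__main__":
    for branch, rec in run_weekly_audits(SAMPLE_AUDITS).items():
        print(branch, rec, "deducted:", bonus_deduction(40000, rec))
```

The point of keeping the state per manager rather than per audit is that the cost escalates across weeks; a checker that only reports this week’s violations gives the manager nothing to lose by ignoring it.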
Good luck
Anup
www.himis.org (HIMIS – Human Impact Management for Information Security)
Hello Readers,
In continuation of my previous post (http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/), in this post I am exploring human behavior and its links to information compromise.
I have created a short PDF titled “Human Behavior Characteristics” (please download it here – http://isqworld.com/wp-content/uploads/humanbehaviorcharacteristics.pdf). Based on my experience, I have made a simple list of human behavior characteristics, and they are:
1 – Desire for recognition
2 – Obedience/ Fear
3 – Reluctance to change
4 – Curiosity
5 – Self preservation
6 – Desire to help
7 – Opposition to authority
8 – Low motivation
Please note that I am not a psychologist by profession and the above list is a simple listing of behavioral traits, the way I understand it.
Now, let us look at 2 simple social engineering tests and answer a few questions.
Instance 1: This test was conducted 4 years ago in an organization that had just begun its ISMS implementation. Until then information security was not on the management’s or the employees’ radar. The test was conducted as follows.
The tester, with the permission of the CFO, initiated a call from the CFO’s office desk phone. This organization had desk phones for all employees, with a display unit that identified the source of the phone call. The tester called 5 employees at random and repeated the following dialogue.
“I am calling from the CFO’s room and I am your ERP consultant. We are implementing a new system to process your salaries next month onwards. We need your user name and password to integrate this to your User Directory Entry”
5 out of 5 employees revealed their passwords. One employee even had the courtesy to call back and confirm that we had noted the password down carefully!
So, what were the behavioral characteristics exploited by the tester? From my perspective they could be:
1 – Obedience/ Fear
2 – Self preservation
There could be other characteristics too, as there are no hard and fast rules. The reader may want to ask, “What is Self Preservation?”. The answer to this is in the form of a question – “Why do you look both ways when you cross the road?”. It is because, in spite of whatever you may be doing (speaking on the phone, listening to your iPod, lost in thought…), when you come to the road your subconscious mind makes you look both ways. This is because your body and mind are trained to protect you.
Instance 2: An organization hired us to test the resilience of the perimeter security team (security guards) to penetration attempts. The test was done as follows.
We asked the organization to create for us a fake employee ID card without access credentials enabled, whereas the regular employee card works as an access card as well. On a rather busy Thursday morning, at 11 am, the tester wore the card around his neck and approached the door. He pretended to swipe the card and expressed his disappointment that it was not working. He shouted across the floor for the security guard, who came running. The tester questioned him rather curtly as to why the card was not working. The security guard apologized and requested the tester to approach the guard station. There the tester was asked to write his name and phone number in a register. Following this, the tester was asked to follow the security guard back to the door, where the security guard politely opened the doors by swiping his own card and let the tester in. The tester was then able to tailgate his way to the production area on the 4th floor, take some photographs and exit the building through the route he came in.
Again, what were the behavioral characteristics that were exploited? From my perspective they are:
1) Obedience/ Fear
2) Self preservation
So, the learning for me here is that you can have the best technology and the best information security policies, but there is still a gap in information security. This gap is the “human gap”.
In the next post I will talk more about dealing with end users (read: the non-security guys) and how wonderful an experience it was. In fact, how often have you listened to your employees before drafting your security policies?
More about this in the next post.
Warm regards,
Anup
HIMIS (Human Impact Management for Information Security – www.himis.org)
Hello Readers,
I would like to start this post by narrating a social engineering test that my organization was once hired to do for a large IT company. The test was designed to test the “human resilience” towards information disclosure attempts.
The test began by initiating a telephone call to the front office executive. We politely informed the executive that we were calling from a large network equipment manufacturer. Our research had shown that this client of ours was a major buyer of that manufacturer’s equipment. We informed the executive that the network equipment manufacturer publishes a monthly magazine which profiles their best customers, and that this month the company chosen was hers. We congratulated her and requested her to connect us to the network monitoring team. She eagerly did so.
We repeated the same story with the engineer from the network monitoring team and requested him to answer a few questions so that we could publish them. We also asked the engineer whether we could “quote” him and use his name. He was eager and agreed. Next we started asking questions, some of which are listed below in the form of the actual questions asked during the dialogue.
Question – Can you tell us some of the higher end range of equipment that you have purchased from us?
Question – I am sure you must be using our high end VPN facility. Can you tell us to how many client locations you have VPN connectivity?
Question – …and what would some of these clients be ??
Question – ….and are you happy with the speed at which we solve bugs in the RTOS (Real Time Operating System)?
Question – …and did you install the last updated RTOS version that we released on…?
Question – …and what would the version No: of the RTOS be ?
At the end of this conversation, we had collected the following information:
1 – The version no. of the RTOS running on the equipment
2 – The last date of update
3 – The clients the organization has
4 – The list of clients to whom VPN connectivity was established
5 – The model nos. and list of equipment used by the organization
Based on the above information, we could draw up a fairly detailed network architecture of the organization. We also knew the VPN tunnels running out of the company. We queried existing vulnerability databases to identify the current security issues with the RTOS version used on the equipment.
We submitted the report to the client. The client was obviously not pleased with the way information was disclosed. What displeased the client most was that the employee disclosed the names of their customers, which was considered sacrosanct. As per the official policy of the company, such information should be disclosed only through the PR (public relations) department.
So, what is the learning? From my perspective, the fact is that in spite of the best technology available to protect information, people will still disclose it.
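The last step above, turning a disclosed product and RTOS version number into a list of applicable advisories, as an added example (illustrative code, not the tester’s tooling or part of the original post). The advisories, product name, identifiers and inventory below are constructed for the example and are not real CVEs or real equipment; in practice the same matching would be run against the vendor’s advisories or a public database such as NVD. It assumes the disclosed versions are dotted numerics like “3.2.1”; real vendor version schemes often need their own parser.

```python
"""Match a disclosed product and firmware version against advisory version ranges.

Added example, not part of the original post. The advisories below are constructed
for illustration and carry made-up identifiers, not real CVEs. Version strings are
assumed to be dotted numerics such as "3.2.1".
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(s: str) -> tuple[int, ...]:
    """Parse a dotted version like '3.2.1' into a tuple of ints.

    A trailing non-digit suffix in a component (e.g. '3.2.1b') is ignored. This is
    a simplification: real vendor version schemes need vendor-specific parsing.
    """
    parts = []
    for component in s.strip().split("."):
        m = re.match(r"\d+", component.strip())
        if not m:
            raise ValueError(f"unparseable version component {component!r} in {s!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare with zero padding so that 3.2 == 3.2.0 (plain tuple comparison would not)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    first_affected: str      # inclusive lower bound
    fixed_in: str | None     # exclusive upper bound; None means no fix published
    summary: str


def is_affected(adv: Advisory, product: str, version: str) -> bool:
    """True when version lies in [first_affected, fixed_in) for this product."""
    if adv.product != product:
        return False
    v = parse_version(version)
    if cmp_versions(v, parse_version(adv.first_affected)) < 0:
        return False
    if adv.fixed_in is not None and cmp_versions(v, parse_version(adv.fixed_in)) >= 0:
        return False
    return True


def exposure_report(inventory, advisories) -> dict[tuple[str, str], list[str]]:
    """For each disclosed (product, version), list the advisory ids that apply."""
    report = {}
    for product, version in inventory:
        hits = [a.advisory_id for a in advisories if is_affected(a, product, version)]
        report[(product, version)] = sorted(hits)
    return report


# Constructed advisory data: hypothetical product and made-up identifiers.
SAMPLE_ADVISORIES = [
    Advisory("ADV-2006-009", "ExampleRTOS", "2.0", "3.0", "management interface auth bypass"),
    Advisory("ADV-2007-001", "ExampleRTOS", "3.0", "3.2.1", "VPN control-plane crash on malformed packet"),
    Advisory("ADV-2007-002", "ExampleRTOS", "3.2", None, "information leak in diagnostics (no fix yet)"),
]

# Constructed inventory standing in for what the engineer disclosed on the call.
SAMPLE_INVENTORY = [
    ("ExampleRTOS", "3.2"),
    ("ExampleRTOS", "3.2.1"),
    ("OtherVendorOS", "1.0"),
]

if __name__ == "__main__":
    for (product, version), hits in exposure_report(SAMPLE_INVENTORY, SAMPLE_ADVISORIES).items():
        print(f"{product} {version}: {', '.join(hits) or 'no known advisories'}")
```

Two details matter in practice: a version with fewer components must compare equal to its zero-padded form (3.2 and 3.2.0 are the same release), and an advisory with no fixed version must still match every release from its first affected version upwards. Both are easy to get wrong and either error turns the disclosed version into a false “not affected”.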
In the next part of this post, I shall be exploring behavioral factors that are the root cause for people committing information security errors.
Warm regards,
Anup
http://www.firstlegion.net