user awareness training


OK, maybe that’s a little extreme but you get the point. First, I’m breaking one of my cardinal rules and blogging about something that is a “hot topic” in the blogosphere right now. Yes, the iPhone worm that has the masses running for cover.

Why do people jailbreak their iPhones? Lots of reasons, but for the vast majority of people it’s so they can either tether it for full internet access on a laptop or run apps that have not been blessed by Apple. For this very reason it’s not surprising that lots of them don’t change the default SSH password. I’d venture to guess that most of them don’t know what SSH is, what it is used for, or that it has a default password. Rafal Los thinks that they should read the manual so that they are aware of these things, but I think that is asking a bit much of them. 90% or more of them have never unwrapped their manual and don’t even know where they put it. The problem with this is the same problem that many enterprises have with such issues with their employees.


APATHY!!!

That’s right, they just don’t care. They aren’t concerned about security or ethics, just getting the latest toy on their iPhone or PC. They could have read the manual, and if they got as far as reading about changing passwords they wouldn’t have thought enough about it to actually go through with it. It’s not a lack of reading problem so much as it’s a lack of understanding and caring problem.

Enterprises and SMBs have been dealing with this for years and it is one of the biggest problems that we face daily. If we can figure out how to effectively combat user apathy and their lack of understanding then we will be able to take a huge bite out of the poor security posture of many organizations.

User education is one of our best arenas for combating things such as this at work and at home. Companies have got to start implementing real awareness programs that do more than bore their employees. I’ve long been a proponent of quality awareness training, but my good friend Michael Santarcangelo has taught me much and (IMHO) has the answer to much of our awareness problem. We need to interact with them and get an understanding of what they need to do their jobs and how we can support them and not hinder them. We need to help them understand the importance of what they are doing and of doing it securely. They need to know that the company wants to help them do their job and that what they do and how they do it matters. I also firmly believe that if we help them understand the dangers of the internet and how it can affect them personally, then that will go a long way toward doing the right thing and thinking about the possible ramifications of their actions before doing them. If they understand that surfing porn is likely to infect their PC with viruses and keystroke loggers then they may not do it, at least not on the same PC that they do online banking with. If they understand how file sharing programs can open up their whole PC to the world then maybe they will lock down (or turn off) their file sharing apps at home. If they understand the importance of keeping patches, AV and applications up to date then they are more likely to do it at home. If they are aware of the dangers and understand how they affect them personally then they are more likely to act more responsibly at work.

Engage, Enlist, and Empower your employees to work (and play) more securely with quality user awareness training.

You can stop with the snide comments now. :)

It seems that every week we read about another insider who has done something to damage the company. Sometimes it is physical (postal shootings, Coke document theft), sometimes it is digital theft, planting of a virus or logic bomb, unauthorized access after termination of employment, etc… It seems to me that there are two common themes in most of these:
1) Disgruntled employee.
2) Human error. This ranges from a lack of implementing proper controls or procedures, lack of following proper controls or procedures, laziness, apathy, or carelessness.

This morning I read this story on FoxNews.com about an inside job where an employee of AT Systems (an armored money delivery service) stole 8.5 million dollars. He was able to pull it off by being smart and observant.

He used another employee’s security code to gain entry to the building after hours. The story doesn’t say how he got the code. Did the other employee give it to him? Did he get it by "shoulder surfing"? Did he find it written down somewhere? Let’s look at each of these and see what went wrong.

  • It was given to him. I would imagine that a company that handles large amounts of cash would have a policy against sharing your access code with others. So the human error of laziness, apathy or carelessness comes into play.
  • He "shoulder surfed" it. I would think that the company teaches their employees to be careful when entering security codes to ensure that others do not find out what their code is. So again laziness, apathy, or carelessness comes into play.
  • He found it. I also imagine that they have a policy that forbids you to write your code down. Most of these codes are fairly short (4 to 6 digits) and are easy to memorize. So what went wrong here? Again, I have to point to human error.

Regarding this I have a couple of questions. Why did the code give 24/7 access (I’m assuming) to the building in the first place? Was there a legitimate business need for full and unfettered access? I doubt it, and if there is, when access to that much cash is involved I would think that dual access control would be called for. This is where policy and procedure need to step up. Never should any one person be allowed to gain access to that much cash or even the facility that houses that much money.

The other thing that the article mentions is that he "watched and listened".

"I decided to steal money from AT Systems’ vault," he wrote. "I set about learning codes and watching and listening."

One thing that I preach in User Awareness is that you have to be careful what you talk about and where you talk about it, even if you are at work. There are things that not everyone needs to know. Don’t discuss procedures around people who don’t need to know them. Again, when entering passwords, access codes, combinations, etc., ensure that no one else can see what you are doing. In my opinion, those who were careless in what they discussed and who didn’t protect the information needed to gain access to the money are partially to blame for the loss.

Ok, maybe they aren’t evil, but they are pretty scary. I arrived at work this morning after a 3 day weekend to discover that an employee had sent an e-card to lots and lots of our users. We have about 5000 employees, most of whom have an email account. The user doesn’t have access to the global email group but was able to send it to a lot of people by selecting different groups that they did have access to plus individual accounts.

As I said, when I saw the e-card in my inbox and noticed that it had also gone to lots of other users I got that sinking feeling in the pit of my stomach. My initial reaction was to send out an email to everyone telling them not to click on the link to view the card. Then I noticed that the card was sent Friday afternoon around 3:30. Too late. If this was malicious then the damage was already done. The good news was that I had not heard of anything going awry over the weekend. Of course, since lots of people cut out early on Friday there was a good chance that this morning would be the time to fear.

Before I reacted rashly I decided to check out the link to see if it was malicious or not. I did a search on the e-card company. It was one I was not familiar with. Nothing bad came up. I then went to the site and looked around. It looked OK. Then I took the next step and put in the e-card number to view it (all of this was done in a safe environment). Whew, nothing evil appeared. It was a Thank You card for something that the company had done for her.

Of course there is a “dark” side to this. We don’t state in our email policy that it is against the rules to send e-cards but we do state that email is to be used for “business purposes”. So the user did “break policy”. What is really bad though is this.

  • By doing this the user (who has a supervisory role) has told their subordinates and others that it’s OK to do this thus increasing the likelihood of others doing the same.
  • By doing this they are teaching the users that clicking on an e-card that seems to come from someone you know is OK, even at work.
  • By doing this they are reducing the effectiveness of company policies. (Unless something is done which is out of my realm of responsibility).

Something so seemingly innocent and nice really has a negative effect on information security. A simple email saying thanks would have sufficed and would have been much less damaging.

The good thing is that this will give me the opportunity to ensure that this and similar issues are addressed in a way that ensures that all understand the importance of following policy and practicing safe computing. Plus it will add to my UA Training listing.

User Awareness is one of my favorite topics (like I had to tell you that). There are a couple of different camps when it comes to this: those who think it is a vital part of an Information Security program and those who think it is a waste of time. I fall in the first category (again, like I had to tell you that).

In my opinion the problem with UA is that many programs are close to useless. They cover the topics but they do a poor job. Even if the information is correct the delivery is bad. Poorly written, poorly delivered, boring, etc… This is the challenge in creating an effective UA program for your company. I have been a participant in a few UA classes in the past. They all lived up to their reputation of being a waste of time. Now I’m in the process of designing a UA program for my company. I’m excited to have the opportunity. Now I will be able to put into practice some of the things that I truly believe will make UA effective. I’m going to work with some good friends who have been doing UA for a while and have created successful programs. Depending on budget and such I will possibly enlist them to provide content and counsel, or possibly just allow me to bounce ideas off of them. Then of course I have the resource of the Security Catalysts Community to draw from. Between their participation in programs and creating or having input into them I will have a rich pool of information and creativity to draw from.

Why do I bring this up now? Well, my thoughts turned back to this when I saw these two posts from Tom Olzak on the ITT Blog (here & here). The first one talks about how the bad guys are starting to turn their focus from firewalls, servers, etc. to end users. Why? For a couple of reasons. There are lots of new attack vectors that work well and are easy to do. They attack the browser or other popular applications that are used frequently on the Internet. Java, Quicktime, Windows Media Player, JVM, JRE, Adobe Acrobat, Silverlight….. This is just a small sample. Many of these attacks require nothing more than the user visiting a web site that has a malicious ad on it. This article from Brian Krebs at Security Fix has a good example of this.

The second post by Tom talks about how we need to start teaching Security Awareness in high school. Start the education before the users get into the workforce. I like that idea. Not only will it help when they do enter the workforce but maybe it will help at home. Maybe what they learn they will then teach to their parents. Hopefully by doing this we can spread the word outside the work place and get it into the homes where it needs to be.

I’m not sure if all of you are aware of how easy things are for the bad guys now. Hopefully you are, but if not I’d like to point you to a couple of good posts that Jeremiah Grossman pointed us to a few days back. They are here and here. Check them out to learn more about some of what is going on, or at least what is possible.

Also, if you want to learn more about putting together a good Security User Awareness Program you can talk to Michael Santarcangelo, Rebecca Herold, or the guys at NoticeBored.com. All of them can help you with your program.

I had to go to a training session yesterday for an app that is used for special purposes within my new company. It is used by several different groups; some are regular computer users and some are not so savvy. The training went pretty well for all concerned up to the point where he was trying to explain the password policy for the app. It uses complex password requirements. You know: uppercase, lowercase, number, special character. The problem was that it was explained poorly.

This is the problem with user awareness training that I’m always harping about. We take a subject that may be somewhat confusing for many people and make it even more confusing. Then we blame it on the user and call them stupid. These users aren’t stupid. If they were they wouldn’t be in the positions that they are in at work. They are very competent at their jobs. Also this goes back to poor security policies over many years. Users are accustomed to simple passwords. Having complex passwords that are poorly explained compounds the situation.

So what’s the answer? First, when we plan our training (or explaining) talks we need to make sure that our examples make sense not just to us and others who are technical, but to regular users as well. We need to have someone who isn’t so computer literate give us their input on how we explain the concept. Secondly, we need to work to change corporate culture on passwords and security. It may take a while and we may have to take “baby steps”, but that is better than nothing, and better than going from simple to complex and having the help desk flooded with calls because we took too big a step too quickly.
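One way to make a complexity policy explain itself to a regular user is to have the application say, in plain words and with examples, exactly which requirement a rejected password is missing, rather than a bare "password does not meet complexity requirements". The following is an added example written for this post; it is not code from the application described above or from any real product. The four character classes are the ones the post names; the minimum length of 8, the message wording, and the function names are assumptions made for the example.

```python
"""Password-policy check that gives plain-language feedback.

Added example, not code from the original post or the application it
describes. The four requirements (uppercase, lowercase, number, special
character) are the ones the post names; the minimum length and the wording
of the explanations are assumptions made for this example.
"""
import string

MIN_LENGTH = 8  # assumed for the example; the post states no length rule

# Each rule: (short name, test, plain-language requirement, example characters).
# The tests only look at the password; nothing is stored or logged.
RULES = [
    ("uppercase letter",
     lambda p: any(c.isupper() for c in p),
     "at least one capital letter", "A, B, C"),
    ("lowercase letter",
     lambda p: any(c.islower() for c in p),
     "at least one small letter", "a, b, c"),
    ("number",
     lambda p: any(c.isdigit() for c in p),
     "at least one digit", "0 through 9"),
    ("special character",
     lambda p: any(c in string.punctuation for c in p),
     "at least one symbol from the keyboard", "! ? # $ %"),
]


def check_password(password: str) -> list:
    """Return a list of plain-language problems with the password.

    An empty list means the password satisfies every rule. Each message
    names the missing requirement and gives examples, so the user knows
    what to change instead of guessing.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"It needs to be at least {MIN_LENGTH} characters long "
            f"(yours is {len(password)})."
        )
    for _name, test, requirement, examples in RULES:
        if not test(password):
            problems.append(f"It needs {requirement} (for example: {examples}).")
    return problems


def passes(password: str) -> bool:
    """True when the password meets the whole policy."""
    return not check_password(password)


def explain_policy() -> str:
    """Render the policy as a numbered, non-technical checklist.

    This is the text a trainer could hand out or put on the login screen,
    generated from the same rules the check enforces so the two never drift.
    """
    lines = [
        "Your password must have:",
        f"1. At least {MIN_LENGTH} characters.",
    ]
    for i, (_name, _test, requirement, examples) in enumerate(RULES, start=2):
        lines.append(f"{i}. {requirement.capitalize()} (for example: {examples}).")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain_policy())
    # Constructed sample inputs, not real passwords.
    for sample in ["password", "Tr0ub4dor!", "ABC123!!", "abc"]:
        result = check_password(sample)
        print(f"\n{sample!r}: {'OK' if not result else 'not accepted'}")
        for msg in result:
            print("  -", msg)
```

The point of generating both the checklist and the error messages from one rule table is that the explanation users see in training is guaranteed to match what the application actually enforces; a mismatch between the two is a common reason the help desk gets flooded after a policy change.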