http://www.smh.com.au/articles/2003/08/25/1061663723910.html

By Eric Wilson
August 26, 2003

Is your IT security training up to scratch? Take this simple test to see ...

"It's the IT department on the phone, and it's urgent. We've had a system crash and we've had this terrible MSBLASTER worm and your team is at risk. We need your password to remotely install a patch."

At this point, many people will be hacked - not by the worm, but by the guy with the authoritative voice on the telephone. He's now been given a valid user name and password. Yours. By the time your real IT department detects and tracks down the intruder, he'll be long gone. In fact, the "terrible MSBLASTER worm" was probably zapped by your corporate firewall long before it could reach your machine.

Steve Bittinger, Gartner Group's security research director, says this kind of "social engineering" hack happens every day because companies haven't trained their staff to know when they're being conned.

"It's easy to point the finger at worms and firewalls, but in the end, the really big losses come from social engineering," Bittinger says. "They play sides of the organisation against each other, collecting more information each time around the loop."

Here's another bit of social hacking, but this time the hack is made at the IT department's expense.

"I've just joined the accounts department and the piece of paper you gave me yesterday - well, I lost it. Could you please give me my user name and password again?"

The system administrator checks and yes, Bill McCoy did join the accounts department yesterday. But the administrator doesn't realise that he isn't talking to the real McCoy, but some outsider who hangs around the cafeteria, gathering information.

Potential social hackers also include couriers, telephone installers or anyone else allowed to walk around your office.

"The kind of training these ordinary non-technical people need is to know what these risks look like," Bittinger says.
"People's notebooks disappear off their desks at lunchtime when a contractor or consultant-looking person walks off with them."

Bittinger says companies are being told to spend 90 per cent of their security training budget on three groups - system administrators, software developers and senior management. For senior management, it's not the technical know-how that's needed but a knowledge of basic IT security principles to help them make wise decisions.

But unfortunately, this formula only leaves 10 per cent of security training for everyone else.

"Some organisations are using e-learning to keep costs down," Bittinger says. "One of the largest universities in Australia was telling me they had tremendous success identifying a security focal-point person in every department. They meet once a month, so they are not trying to train thousands of people."

Whatever the method, people need to be trained to recognise suspicious activity. Then they need to be motivated to get involved.

"Often people say 'Yeah, I did see a guy over there by John's desk, but I thought there must have been something wrong with his computer.' They need to know what to do. Does the secretary want to confront him or should she call someone?"

For small businesses, social hacking is less of a problem - everyone knows everyone's movements and activities - but because small to medium-sized businesses do not have designated IT staff they are often more vulnerable to the usual forms of hacking, such as remote penetration through the internet.

For Natasha David, IDC's research manager of infrastructure and training, the enemy of small business is business as usual.

"When you look at small business training for internet security, there is no training," she says. "It's not because they don't want to - they have no time. They are more likely to be sent away on industry-specific training."

David says that even in big companies, the IT security training budget is a grim-looking affair.
And since good security involves implementing and sticking with prudent management procedures, as well as technologies, that's not good.

"They don't have the budget," she says. "So it's falling more to the IT vendor to provide the training with the licence. In order to make the sale, they are saying 'OK, we'll provide training as well'."

But the best training, which probably won't be vendor-specific, is all for naught unless the proper motivation is maintained. Both researchers say incentives need to be built in to keep people alert.

"In case the slammer worm comes around, you need a fire-alarm-like training drill," David says. "In a fire-like situation, you have another set of rules that take over the normal operating environment. You need incentives and disincentives to make people aware of it."

Of even more concern is data theft. Even small businesses have sensitive information to protect. Natasha David says a doctor's surgery is the prime example of where privacy is paramount, but the motivation for busy owner-doctors to train for IT security is poor.

"The medical association might say, 'This is what you need to do to secure your private information', but will he have his licence taken away from him if he does not? I don't think so. At the end of the day, there just isn't the incentive for doctors to get trained unless they themselves become the victim of a privacy breach."

Human nature is the biggest IT security problem. It's human nature to keep ignoring a risk, especially one you can't even see - until it actually hurts you.