November 10th, 2003, 02:57 PM
#11
Originally posted here by Tiger Shark
.... there is nothing that grabs the attention of the users like a quick "public" firing for breach of computer policies and a regular letter to everyone making it quite clear that you monitor and log their every move......
Another little tactic I really love.... .... is seeing someone doing something just a little out of line like getting blocked trying to get to their AOLMail and doing a little net send saying:-
Allow me to differ on both points.
Suppose you have draconian rules, which everyone has read & signed etc.etc.
Now we all know that people are going to break those rules:
Fred surfs to some dodgy sites, downloads & runs a 'fantastic new game' which infects his computer & begins spreading itself via email to addresses in the contacts list.
So a quick public firing happens & everyone is well behaved for a couple of months.
Two months later John does something similar and realises that his machine is propagating viruses. Now he knows that if he says anything he's going to get fired - so he says nothing & waits for someone else to point this out.
This isn't what the security folks want; they want to know straight away a problem occurs so that they can shut down the mail server, pull the network cable from the problem PC etc.
The issue is about social engineering: A good SE attack begins by gathering knowledge about the target and using this to best effect.
Bert, who has a problem with his Excel spreadsheet, decides to post to a usenet newsgroup using his work email address - [email protected]
Joe, aggrieved customer of HisCompany, is plotting revenge and is searching the newsgroups for '@hiscompany.com' and then reads the article about the Excel problem. Joe begins the dialogue with Bert to fix his problems - which results in Joe sending Bert a spreadsheet with malware attached, thus gaining control of Bert's machine and wreaking havoc and bringing financial ruin to HisCompany.
Encouraging employees to use AOL & Other external mail accounts for anything not directly work related reduces the risk of offensive material within the organisation and also helps to keep the information that can be gleaned about a company to a minimum.
So what does this mean for the rules:
It means rules, signed or otherwise, are not an answer to an organisation's IT/IS Security.
IS/IT Security is a business issue that requires the whole business to be involved, and everyone to be educated to understand the risks they take every time they are using their PC.
But as far as the bosses are concerned it's easier sending out the 'rules' to people & assuming that's the problem solved.
Just my 2c
Steve (Consultancy fees are £750 per day if you want your business educating )
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
November 10th, 2003, 03:07 PM
#12
Senior Member
ack! 4 weeks of vacation...I'm truly jealous nihil...I heard that was the case in Germany, from some of our German vendors here at the company, but I didn't think the same in England.
Coming from a large corporation, it's hard to get people enthused about being involved with the IT world. Most people are too busy with their own inter-departmental duties and activities to give a h00t about what we're doing every day in our little cubicles, looking at screens. In fact, just this morning I had a user come up to me and say, "Your server room sure has a lot of pretty lights!" and in fact, that's the most people from other departments care to be involved with us. (It's not that we're impersonal, in fact we're quite outgoing, it's just that people don't understand what we're paid for.)
I however, like your idea TigerShark on the projector idea, then people might know what we have to deal with every day. People say that IT is a laid back department, and it can be...but it can be a battle zone some days. And I hate to say it, but even as good as the idea is, most people wouldn't even know what kind of attacks are coming through our networks, or even try to understand them (this is not always the case, we do have some starving minds here).
Maybe I'm just a grumpy netadmin, but I'm still a fan of taking the cake away before they get a chance to eat it. That means dictating password standards, blocking websites with ISA (and forwarding them to a quite scary message, just for show), and being very careful with who puts requests in for permissions. We even do a bit of profiling of users, as we do see the occasional denied access on places they shouldn't be, or on things they shouldn't be doing (i.e. telnet, ftp, etc.). We have our power-users, yes, as every company does, but then you have those little brats that you want to stamp out before they can do any damage.
Long and short, I still say force the rules, and keep stern rules...with some consequences if they are not followed. (I know I sound like Khrushchev, but like I said, I'm grumpy )
Creating further mindless stupidity....through mindless automation.
-
November 10th, 2003, 03:32 PM
#13
Steve: Writing policies is one thing..... But they still have to be backed up by the security apparatus......
downloads & runs a 'fantastic new game'
1. His user rights won't allow him to.
2. The firewall won't allow the content unless it is zipped, most users don't have winzip nor the rights to install it.
Now he knows that if he says anything he's going to get fired
He knows that he is supposed to report this, per the policy. He knows damned well that if he knows this and doesn't report it he doesn't have a chance of keeping his job. Furthermore:
1. The IDS' in my organization warn of activity like this, (scanning thresholds, SMTP transfers, virus activity etc.), so I'll know shortly.
2. Firewall only allows outbound SMTP connections from my mailservers, they block and instantly warn me of SMTP from other locations.
The issue is about social engineering:
Yep, dead right - but where in the dictionary does it say that social engineering can only be accomplished with honey? SE is getting people to do what you want them to do. I fairly successfully achieve that with vinegar...... If it ain't broke, don't fix it.
decides to post to a usenet newsgroup
1. Blocked by the Web filter.
2. Using any email program other than the one set up by the IS dept. contravenes policy, as does altering the way we set it up.
3. The malware's activity will either be picked up by IDS' or its activity will be limited to Joe's account rights, which are limited.
4. Multiple backups of data take place daily and tapes are kept for each month of the year for a year and the Dec 31st tape is kept indefinitely.
Encouraging employees to use AOL & Other external mail accounts for anything not directly work related reduces the risk of offensive material within the organisation
Yes, if they use it from their home computer. Otherwise, wrong. The fact that Joe is using his AOL account to view the pron his buddy sent him when Joann walks into the room makes it no less of a "hostile environment" when she takes you to court. You lose because you should have prevented it - which we do, (blocked at the firewall, monitored by web filter).
and everyone to be educated to understand the risks they take every time they are using their PC
Yep, and that's why whenever something new or "interesting" raises its ugly head I put out a kind of alert bulletin explaining what it is, what it looks like, how you get it and the consequences - a lot of this will be warnings about a new scam or similar.... Judging by the feedback from the users, they love it and ask for more.......
So you see, I don't just carry a big stick and wave it around looking threatening. I back up my policies with good sense security measures. Furthermore - I am proactive and communicative with the user base as to both the organization's security and their own and how the two may often be intertwined.
There isn't always a technical solution for an administrative problem - but the administrative solution has got to be effective in dealing with the problem or it is a waste of time and the paper it is written on.
Tiger Shark: (Consultancy fees $150/hour, $1200 for a 8 hour day........ )
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
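As an added illustration of the "only my mailservers may send SMTP" rule in the post above (example code, not the thread's own; the relay addresses, internal network range, firewall log format and sample lines are all constructed assumptions), this flags internal hosts other than the approved relays that try to open SMTP sessions to the outside, whether the firewall allowed or denied them:

```python
# Added example: flag outbound SMTP from hosts that are not the approved
# mail relays, over constructed firewall log lines (not from the thread).
import ipaddress
import re

MAIL_SERVERS = {"10.0.0.25", "10.0.0.26"}          # hypothetical relays
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical LAN range
SMTP_PORTS = {25, 465, 587}

# Constructed format: "<ts> <ALLOW|DENY> proto=tcp src=ip:port dst=ip:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2003-11-10T15:30:01 ALLOW proto=tcp src=10.0.0.25:40111 dst=192.0.2.10:25
2003-11-10T15:30:05 DENY proto=tcp src=10.1.4.77:1034 dst=192.0.2.10:25
2003-11-10T15:30:06 DENY proto=tcp src=10.1.4.77:1035 dst=192.0.2.11:25
2003-11-10T15:30:09 ALLOW proto=tcp src=10.1.4.78:1101 dst=192.0.2.12:80
2003-11-10T15:30:12 ALLOW proto=tcp src=10.0.0.26:40200 dst=198.51.100.5:587
"""

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def rogue_smtp_sources(log_text):
    """Map each non-relay internal host to the number of SMTP sessions it
    tried to open towards external addresses (allowed or denied)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in INTERNAL_NET or dst in INTERNAL_NET or rec["src"] in MAIL_SERVERS:
            continue  # out of scope: inbound, internal-only, or an approved relay
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts

if __name__ == "__main__":
    for host, n in rogue_smtp_sources(SAMPLE_LOG).items():
        print(f"ALERT: {host} opened {n} outbound SMTP connection(s)")
```

Denied attempts count as well as allowed ones, since a blocked SMTP session from a workstation is exactly the early warning of a mass-mailer the post describes.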
-
November 10th, 2003, 03:32 PM
#14
Member
Ahh, more thoughts on the subject. Like you said nihil, I never said my line of work. The truth of it is – I have none! I'm currently studying the last year of an education that would translate to "Information security". We read everything from computer security to alarms, guards and so on. I'm currently doing my second internship (think that's what it's called, when you practise what you have learned on a company instead of just reading about it?) and just wanted to know what all you guys with more experience than me think of these ideas. Some I have picked up from lecturers, some I have come up with myself.
I understand the need of education to get the employees to understand why this is an important subject and how they should behave to prevent an accident, and when it happens, why they should report it as soon as possible. My idea was to try and make it seem an interesting subject while encouraging people to follow the rules. In my opinion one of the most important things when making rules is to make them so simple that everyone understands them. No one wants to look like a fool, so if they don't understand the rules/policy they are afraid to ask, thinking that the big, scary security manager will laugh at them or look down at them for not understanding. As I imagine it, it must be quite the other way, that you feel pretty good when an employee stops by to ask you something because you have managed to raise his/her curiosity and understanding concerning security!?
[shadow] Nobody's perfect, but I'm damn close...[/shadow]
-
November 10th, 2003, 05:10 PM
#15
Tiger -
I'm not going to disagree with your technological enforcement of the rules.
In my business we don't have the luxury of the time or the resources to control the environment to that degree - Obviously a certain amount of firewall/ids is employed.
But in the race between the technology to enforce sensible behaviour vs the technology to get round the enforcement I don't have the resource to be a front runner and I must find other methods.
The employees of my business need to post to usenet - I am happier that they do that with their AOL account.
Many of my users need to download & execute drivers etc. and to test them. I don't have the resource to police this on an as-and-when basis.
As a result my security model is obviously somewhat different to yours and hence the differing policies.
Are my users educated, do they believe that IT/S Security is their responsibility - No, probably not. But the education continues and we have very few problems.
Steve
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
-
November 10th, 2003, 07:55 PM
#16
Steve:
I have to admit I have a pretty "easy" environment made up of social workers for the most part. On the bright side of that - a "driver" is something that manoeuvres a car or bus, so for the most part exe's etc. can quite safely be blocked out. OTOH, they can be incredibly gullible, stupid and vocal and think that they know what's best for them because they know what is best for "everyone else".....
Competence around here is measured by the knowledge that the box is the box and the monitor is the monitor - not the Hard drive/CPU and the computer.
Gifted around here is measured by the user's ability to remap their own drive when they lose it......
I understand the difference in the security models but, as a whole, the model has to do what it can where it can within the needs of the users. Where either the technology or the time/resources fail to fulfil the security requirements within the model is where the policies fit in. Just like an AV app. whose signatures are out of date is nearly useless so are policies with no teeth or no intent to enforce. The policies fill the gaps however the gaps come to be there, if we aren't going to truly fill the gaps then there is not much point in the security model in the first place.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
November 16th, 2003, 05:35 AM
#17
Lot of great info here that can help me in my constant "battle" to win the hearts and minds of my users to protect the company.
I agree that it's more a business issue than technological one, although I have tackled security issues using both "tools" or justification if you will.
Some things I've had success with...
* Get upper/executive management support for all security policies: While this won't solve all your problems it provides the mandate you need to have to carry through the ranks of employees
* Frame it that "security is availability": I ask the business leaders how much it would cost them if one or their entire department was "down" due to a virus outbreak - has been very successful!
* Protection of company assets, intellectual property, and public perception (re.; customers, etc.)
* And lastly, while it's not a "tool" I use often, I have used the "...you need to protect the company to protect your job!": If you don't protect the company, business could potentially suffer and thus result in job losses; again, don't use it unless you really need to
Just some thoughts. Good discussion here.
-
November 17th, 2003, 04:50 AM
#18
Junior Member
I am still in High School, but I sometimes journey with my mom to her place of work. She works in a major credit union so the security there has to be good, but I have noticed when I went in that ALL of the workers' passwords are taped to their monitors. I told my mother that this was bad and she slowly got everyone to at least lock them in their desk. Poor password choice is another thing I am trying to get her to work on. My mom uses close to 20 different programs that all require authentication of some sort and she routinely uses the same easy to guess password. One thing that they do with name badges is that it is the key to get in their offices. If you don't have your badge you are unable to work and as a result you are reprimanded. On a side note...my mom has been with her company for 20 yrs and I think she just now is able to take 6 weeks of vacation.
-libertie