- Helpful people are the first targets
- Provide simple security commandments to follow under pain of dismissal
The most compelling briefings at this year’s RSA Security Conference in London were focused on how companies can make the journey from their governance, risk and compliance process and the resulting security policy to actually making it work throughout their enterprise, where getting people aligned with security is a real sticking point. It’s not that employees actually want to spill company secrets – mostly, they just want to be helpful to ‘perceived’ colleagues. How many times do we actually read error messages or listen to security warnings? How often do we reflect on the veracity of a caller who seems really nice and obviously knows a lot about the company?
White hat ethical hackers just need one or two weeks to get into pretty much any commercial organization you care to mention. Tactics mostly involve conning people over the telephone into divulging information about the organization they work for and their corporate computer systems, but may also escalate to various forms of coercion, dumpster-diving for company directories, shoulder surfing to filch log-on information, theft of equipment such as mobile phones and laptops, and even applying for job interviews to gather information about a competitor’s plans. These social engineering exploits are now being standardized and industrialized, and in the past year we’ve seen social engineering being tightly integrated with advanced persistent threats and targeted spear phishing attacks.
So how do we as good corporate citizens respond? Relying on employees’ common sense is clearly inadequate. Much more direct and blunt is to stipulate a small number of activities (maximum five or six) that ultimately will get you fired from the company: don’t provide usernames and passwords to anyone over the phone, not even if it’s the CEO; don’t leave your password on a yellow sticker on your desktop; don’t spread any company-sensitive information across your social networks; and so on. The threat of dismissal ensures that security gets enough attention to make you stop and think before divulging sensitive information to interested strangers, no matter how nice and legitimate they may seem. Deploying logging software (e.g., NetWitness) and data leakage prevention solutions only helps with enforcement after the breach. Corporate management must of course also provide employees with insight into why security is important, but at that point your listeners and readers may already be half-asleep or discreetly checking their e-mails.