Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Security Operating Procedures and beating people overthe head (fun fun fun)
From: craig bowser <reswob10 () gmail com>
Date: Fri, 16 Jul 2010 15:14:27 -0400

I suggest using the global policy to force a log out between midnight and 1
am or some other late night hours.  Locking out accounts will a: tick off
the help desk who will be taking all those calls and b: further antagnize
the users that you really want on your side not as permanent enemies.

I'm not saying that users will always rally to you or be supportive of
security policy, but I think that purposely antagonizing them will not help
the situation.

Craig

On Thu, Jul 15, 2010 at 2:44 PM, k41zen <k41zen () live co uk> wrote:

I particularly like the account lockout too and agree that talking, emails
and security awareness training really don't drive the point home. I don't
think embarrassment would work too - getting them to stand up in front of
100 people to recite the area of SOP's they didn't follow really isn't going
to happen. However inconvenience and financial penalties do seem to work
though.

I may even use the boring security awareness training as a weapon and
insist that before their accounts get unlocked, they have to attend the
training again BUT the other part of me knows that the training is failing
and could be much much better. I don't own this element but will try to
assist in making it educational and, more importantly, useful.

I guess we have to do all that we can and that could mean a collection of
approaches all of which some covered off so far.

I have the buy in from my management but I work for an on-site supplier who
wish to protect themselves from client-side breaches. It's a good thing but
I also have to tread carefully.

Thanks to for your replies. I'm still driven to find an out-of-the-box
approach though. Something that has the "ahhhhhhh" moment. It must be out
there.

On 15 Jul 2010, at 02:06, Andrew wrote:

"Also, it would be a shame if their passwords quit working everytime
they forgot to logout and had to be reset..."

I particularly like this bit. All the talking in the world isn't going
to hit _every_user_, because some just don't care/won't pay attention.
What people do seem to notice is inconveniences. If you have to go
through the process of getting a password reset every morning,  you're
a bit more likely to spend 2 seconds locking your computer at the end
of the day.

On Wed, Jul 14, 2010 at 6:46 PM,  <d4ncingd4n () gmail com> wrote:
Although beating people over the head can be satisfying, I would
encourage you to do it as a last resort. I would view the situation you
described (failure to logout) as an education issue first. If the users
don't comply, they don't understand the need for the security. You may also
need to win over management. ultimately, if the business is willing to
accept the risk of users not logging out, there is little you can do. If you
alienate the business units, you may reduce your training money in the
future. ;)

I have explained to users that if I was going to commit a computer
crime, I would use their login so *they* would be arrested instead of me so
I have to assume criminals would do the same.
I would encourage you to look into joining the local Infragard chapter.
You might be able to get an FBI agent to give a computer crime / identity
theft presentation. What they say carries far more weight than what you or I
say. When the FBI says the same thing you've been saying, you gain
credibility.

If that doesn't work, you can send a wake-on-lan signal to all the
computers to make them shutdown or startup. Also, it would be a shame if
their passwords quit working everytime they forgot to logout and had to be
reset...

good luck!

Bart
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: k41zen <k41zen () live co uk>
Sender: pauldotcom-bounces () mail pauldotcom com
Date: Wed, 14 Jul 2010 22:46:54
To: PaulDotCom Security Weekly Mailing List<
pauldotcom () mail pauldotcom com>
Reply-To: PaulDotCom Security Weekly Mailing List
       <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Security Operating Procedures and beating people
over
       the head (fun fun fun)

I'm curious as to what technical or physical measures you put in place
that work to ensure people adhere to Security Operating Procedures (SOPs).

For example, we have a policy in place that states you must log off at
the end of your working day. It could be any policy that they have to follow
but lets play this out. Currently my team conduct a manual physical check
noting desk, workstation, domain and user information before switching off
or shutting down the machine when found. We are testing tools to automate
this but are still in early stages.

Now this isn't the only area of SOP's that is currently not being
followed. However I'm more interested in what you do with the result and
what you've found that actually works. Does rewarding work better than
punishing or does a combination of both work better?

I love beating people around the head to drum home the point BUT I
wanted to take a step back and understand what this failed. In particular I
wanted to know:

       1) Have people seen/signed SOP's?
       2) Have they actually read it?
       3) Did they understand it and did it make sense?
       4) Are SOP's too big/badly written to get the information across?
       5) Do they simply disagree with SOP's?
       6) Have they attended the security awareness/inductions courses?
       7) Did they fall asleep half way through?
       8) Have they forgotten SOP's?
       9) Can they remember to security awareness training?
       10) Did they sign it too long ago?

After questioning someone, I did actually find that he did disagree with
SOP's. Although he had signed it he was immediately escorted offsite.

One failing is that SOP's is too much of a mess. In fact, there are 8
documents that you have to sign depending on what you do and what kit you
have. This is a mess and probably a big cause and even though I didn't write
them am all over them taking them apart and re-writing.

To simplify matters I decided to email out little important snippets of
SOP's and removed the dull crap around the actual point in an attempt to
spice them up a bit. More of a "do this and you'll be fine" approach BUT we
still found tonight that 20% of people left their machines logged on. So my
immediate thought is to implement a technical power off switch because
people are very busy and they do forget right?

I even spoke in person to a manager of an area we audit this morning to
make sure he was happy for us to carry out this work. He replied with "I
better make sure I log off tonight then" and laughed. Turns out that he
didn't log off and he was only reminded 8 hours ago!!!!!!

So I'm back to what to do about it:

       1) Do I name and shame those that do not comply?
       2) Do I praise those that do?
       3) Do I get them to by cakes?
       4) Do I get each team to look out for themselves with the last
man/woman in to check the team machines?
       5) Do I get them to stand in the room naked and recite, as a town
cryer would, the area of SOP's that they failed on?
       6) Do I get them to hand over a digit of their PIN for every
breach they conduct?
       7) Do I follow the breach and points system to punish?

We operate a point system and after 12 points you are physically removed
off site. Do I punish individuals and then after 6 points bring them in with
their manager and warn that after another 6 they are off? I do believe that
if it hurts people, if it really makes a difference to their take home pay,
then they would listen. I'm personally in favour of this option. If people
just get an email again reminding them to power off they maybe do it for a
little while and then they stop - after all everyone is busy.

But before I go down this route I wanted to check if there was an
approach I was missing.

So apologies for the long email but I throw this out to you and ask is
there anything else I can do and ask for suggestions.

I really do appreciate any advice/guidance you can offer.

Regards,

k41zen






_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
Andrew
http://blog.psych0tik.net
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault