Re: Security Operating Procedures and beating people overthe head (fun fun fun)

[d4ncingd4n () gmail com]

Although beating people over the head can be satisfying, I would encourage you to do it as a last resort. I would view 
the situation you described (failure to logout) as an education issue first. If the users don't comply, they don't 
understand the need for the security. You may also need to win over management. ultimately, if the business is willing 
to accept the risk of users not logging out, there is little you can do. If you alienate the business units, you may 
reduce your training money in the future. ;)

I have explained to users that if I was going to commit a computer crime, I would use their login so *they* would be 
arrested instead of me so I have to assume criminals would do the same.  
I would encourage you to look into joining the local Infragard chapter. You might be able to get an FBI agent to give a 
computer crime / identity theft presentation. What they say carries far more weight than what you or I say. When the 
FBI says the same thing you've been saying, you gain credibility. 

If that doesn't work, you can send a wake-on-lan signal to all the computers to make them shutdown or startup. Also, it 
would be a shame if their passwords quit working everytime they forgot to logout and had to be reset... 

good luck!

Bart
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: k41zen <k41zen () live co uk>
Sender: pauldotcom-bounces () mail pauldotcom com
Date: Wed, 14 Jul 2010 22:46:54 
To: PaulDotCom Security Weekly Mailing List<pauldotcom () mail pauldotcom com>
Reply-To: PaulDotCom Security Weekly Mailing List
        <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Security Operating Procedures and beating people over
        the head (fun fun fun)

I'm curious as to what technical or physical measures you put in place that work to ensure people adhere to Security 
Operating Procedures (SOPs).

For example, we have a policy in place that states you must log off at the end of your working day. It could be any 
policy that they have to follow but lets play this out. Currently my team conduct a manual physical check noting desk, 
workstation, domain and user information before switching off or shutting down the machine when found. We are testing 
tools to automate this but are still in early stages.

Now this isn't the only area of SOP's that is currently not being followed. However I'm more interested in what you do 
with the result and what you've found that actually works. Does rewarding work better than punishing or does a 
combination of both work better?

I love beating people around the head to drum home the point BUT I wanted to take a step back and understand what this 
failed. In particular I wanted to know:

        1) Have people seen/signed SOP's? 
        2) Have they actually read it?
        3) Did they understand it and did it make sense?
        4) Are SOP's too big/badly written to get the information across?
        5) Do they simply disagree with SOP's?
        6) Have they attended the security awareness/inductions courses?
        7) Did they fall asleep half way through?
        8) Have they forgotten SOP's?
        9) Can they remember to security awareness training?
        10) Did they sign it too long ago?

After questioning someone, I did actually find that he did disagree with SOP's. Although he had signed it he was 
immediately escorted offsite.

One failing is that SOP's is too much of a mess. In fact, there are 8 documents that you have to sign depending on what 
you do and what kit you have. This is a mess and probably a big cause and even though I didn't write them am all over 
them taking them apart and re-writing.

To simplify matters I decided to email out little important snippets of SOP's and removed the dull crap around the 
actual point in an attempt to spice them up a bit. More of a "do this and you'll be fine" approach BUT we still found 
tonight that 20% of people left their machines logged on. So my immediate thought is to implement a technical power off 
switch because people are very busy and they do forget right?

I even spoke in person to a manager of an area we audit this morning to make sure he was happy for us to carry out this 
work. He replied with "I better make sure I log off tonight then" and laughed. Turns out that he didn't log off and he 
was only reminded 8 hours ago!!!!!!

So I'm back to what to do about it:

        1) Do I name and shame those that do not comply? 
        2) Do I praise those that do?
        3) Do I get them to by cakes? 
        4) Do I get each team to look out for themselves with the last man/woman in to check the team machines? 
        5) Do I get them to stand in the room naked and recite, as a town cryer would, the area of SOP's that they 
failed on? 
        6) Do I get them to hand over a digit of their PIN for every breach they conduct?
        7) Do I follow the breach and points system to punish?

We operate a point system and after 12 points you are physically removed off site. Do I punish individuals and then 
after 6 points bring them in with their manager and warn that after another 6 they are off? I do believe that if it 
hurts people, if it really makes a difference to their take home pay, then they would listen. I'm personally in favour 
of this option. If people just get an email again reminding them to power off they maybe do it for a little while and 
then they stop - after all everyone is busy. 

But before I go down this route I wanted to check if there was an approach I was missing.

So apologies for the long email but I throw this out to you and ask is there anything else I can do and ask for 
suggestions.

I really do appreciate any advice/guidance you can offer.

Regards,

k41zen






_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com