PaulDotCom mailing list archives

Re: Security Operating Procedures and beating people over the head (fun fun fun)


From: k41zen <k41zen () live co uk>
Date: Thu, 15 Jul 2010 19:44:08 +0100

I particularly like the account lockout too and agree that talking, emails and security awareness training really don't 
drive the point home. I don't think embarrassment would work either - getting them to stand up in front of 100 people to 
recite the area of the SOPs they didn't follow really isn't going to happen. However, inconvenience and financial penalties 
do seem to work. 

I may even use the boring security awareness training as a weapon and insist that before their accounts get unlocked, 
they have to attend the training again, BUT the other part of me knows that the training is failing and could be much, 
much better. I don't own this element but will try to assist in making it educational and, more importantly, useful.

I guess we have to do all that we can, and that could mean a collection of approaches, some of which have been covered off so 
far.

I have the buy-in from my management, but I work for an on-site supplier who wishes to protect themselves from client-side 
breaches. It's a good thing, but I also have to tread carefully.

Thanks for your replies. I'm still driven to find an out-of-the-box approach though. Something that has the 
"ahhhhhhh" moment. It must be out there.

On 15 Jul 2010, at 02:06, Andrew wrote:

"Also, it would be a shame if their passwords quit working every time
they forgot to logout and had to be reset..."

I particularly like this bit. All the talking in the world isn't going
to hit _every_user_, because some just don't care/won't pay attention.
What people do seem to notice is inconveniences. If you have to go
through the process of getting a password reset every morning, you're
a bit more likely to spend 2 seconds locking your computer at the end
of the day.

On Wed, Jul 14, 2010 at 6:46 PM,  <d4ncingd4n () gmail com> wrote:
Although beating people over the head can be satisfying, I would encourage you to do it as a last resort. I would 
view the situation you described (failure to logout) as an education issue first. If the users don't comply, they 
don't understand the need for the security. You may also need to win over management. Ultimately, if the business is 
willing to accept the risk of users not logging out, there is little you can do. If you alienate the business units, 
you may reduce your training money in the future. ;)

I have explained to users that if I was going to commit a computer crime, I would use their login so *they* would be 
arrested instead of me, so I have to assume criminals would do the same.
I would encourage you to look into joining the local Infragard chapter. You might be able to get an FBI agent to 
give a computer crime / identity theft presentation. What they say carries far more weight than what you or I say. 
When the FBI says the same thing you've been saying, you gain credibility.

If that doesn't work, you can send a wake-on-lan signal to all the computers to make them shutdown or startup. Also, 
it would be a shame if their passwords quit working every time they forgot to logout and had to be reset...

Good luck!

Bart
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: k41zen <k41zen () live co uk>
Sender: pauldotcom-bounces () mail pauldotcom com
Date: Wed, 14 Jul 2010 22:46:54
To: PaulDotCom Security Weekly Mailing List<pauldotcom () mail pauldotcom com>
Reply-To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com>
Subject: [Pauldotcom] Security Operating Procedures and beating people over the head (fun fun fun)

I'm curious as to what technical or physical measures you put in place that work to ensure people adhere to Security 
Operating Procedures (SOPs).

For example, we have a policy in place that states you must log off at the end of your working day. It could be any 
policy that they have to follow, but let's play this out. Currently my team conduct a manual physical check, noting 
desk, workstation, domain and user information before switching off or shutting down the machine when found. We are 
testing tools to automate this but are still in the early stages.

Now this isn't the only area of the SOPs that is currently not being followed. However, I'm more interested in what you 
do with the result and what you've found that actually works. Does rewarding work better than punishing, or does a 
combination of both work better?

I love beating people around the head to drum home the point, BUT I wanted to take a step back and understand why 
this failed. In particular I wanted to know:

       1) Have people seen/signed the SOPs?
       2) Have they actually read them?
       3) Did they understand them and did they make sense?
       4) Are the SOPs too big/badly written to get the information across?
       5) Do they simply disagree with the SOPs?
       6) Have they attended the security awareness/induction courses?
       7) Did they fall asleep half way through?
       8) Have they forgotten the SOPs?
       9) Can they remember the security awareness training?
       10) Did they sign them too long ago?

After questioning someone, I did actually find that he did disagree with the SOPs. Although he had signed them, he was 
immediately escorted offsite.

One failing is that the SOPs are too much of a mess. In fact, there are 8 documents that you have to sign depending on 
what you do and what kit you have. This is a mess and probably a big cause, and even though I didn't write them, I am 
all over them, taking them apart and re-writing.

To simplify matters I decided to email out little important snippets of the SOPs and removed the dull crap around the 
actual point in an attempt to spice them up a bit. More of a "do this and you'll be fine" approach, BUT we still 
found tonight that 20% of people left their machines logged on. So my immediate thought is to implement a technical 
power off switch, because people are very busy and they do forget, right?

I even spoke in person to a manager of an area we audit this morning to make sure he was happy for us to carry out 
this work. He replied with "I better make sure I log off tonight then" and laughed. Turns out that he didn't log off 
and he was only reminded 8 hours ago!!!!!!

So I'm back to what to do about it:

       1) Do I name and shame those that do not comply?
       2) Do I praise those that do?
       3) Do I get them to buy cakes?
       4) Do I get each team to look out for themselves, with the last man/woman in to check the team machines?
       5) Do I get them to stand in the room naked and recite, as a town crier would, the area of the SOPs that they 
failed on?
       6) Do I get them to hand over a digit of their PIN for every breach they conduct?
       7) Do I follow the breach and points system to punish?

We operate a points system, and after 12 points you are physically removed off site. Do I punish individuals and then 
after 6 points bring them in with their manager and warn that after another 6 they are off? I do believe that if it 
hurts people, if it really makes a difference to their take-home pay, then they would listen. I'm personally in 
favour of this option. If people just get an email again reminding them to power off, maybe they do it for a little 
while and then they stop - after all, everyone is busy.

But before I go down this route I wanted to check if there was an approach I was missing.

So apologies for the long email, but I throw this out to you and ask whether there is anything else I can do, and ask for 
suggestions.

I really do appreciate any advice/guidance you can offer.

Regards,

k41zen






_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Andrew
http://blog.psych0tik.net