Re: Security Operating Procedures and beating people overthe head (fun fun fun)

[craig bowser <reswob10 () gmail com>]

I suggest using the global policy to force a log out between midnight and 1
am or some other late night hours.  Locking out accounts will a: tick off
the help desk who will be taking all those calls and b: further antagnize
the users that you really want on your side not as permanent enemies.

I'm not saying that users will always rally to you or be supportive of
security policy, but I think that purposely antagonizing them will not help
the situation.

Craig

On Thu, Jul 15, 2010 at 2:44 PM, k41zen <k41zen () live co uk> wrote:

> I particularly like the account lockout too and agree that talking, emails
> and security awareness training really don't drive the point home. I don't
> think embarrassment would work too - getting them to stand up in front of
> 100 people to recite the area of SOP's they didn't follow really isn't going
> to happen. However inconvenience and financial penalties do seem to work
> though.
>
> I may even use the boring security awareness training as a weapon and
> insist that before their accounts get unlocked, they have to attend the
> training again BUT the other part of me knows that the training is failing
> and could be much much better. I don't own this element but will try to
> assist in making it educational and, more importantly, useful.
>
> I guess we have to do all that we can and that could mean a collection of
> approaches all of which some covered off so far.
>
> I have the buy in from my management but I work for an on-site supplier who
> wish to protect themselves from client-side breaches. It's a good thing but
> I also have to tread carefully.
>
> Thanks to for your replies. I'm still driven to find an out-of-the-box
> approach though. Something that has the "ahhhhhhh" moment. It must be out
> there.
>
> On 15 Jul 2010, at 02:06, Andrew wrote:
>
> > "Also, it would be a shame if their passwords quit working everytime
> > they forgot to logout and had to be reset..."
> >
> > I particularly like this bit. All the talking in the world isn't going
> > to hit _every_user_, because some just don't care/won't pay attention.
> > What people do seem to notice is inconveniences. If you have to go
> > through the process of getting a password reset every morning,  you're
> > a bit more likely to spend 2 seconds locking your computer at the end
> > of the day.
> >
> > On Wed, Jul 14, 2010 at 6:46 PM,  <d4ncingd4n () gmail com> wrote:
> > > Although beating people over the head can be satisfying, I would
> encourage you to do it as a last resort. I would view the situation you
> described (failure to logout) as an education issue first. If the users
> don't comply, they don't understand the need for the security. You may also
> need to win over management. ultimately, if the business is willing to
> accept the risk of users not logging out, there is little you can do. If you
> alienate the business units, you may reduce your training money in the
> future. ;)
> > > I have explained to users that if I was going to commit a computer
> crime, I would use their login so *they* would be arrested instead of me so
> I have to assume criminals would do the same.
> > > I would encourage you to look into joining the local Infragard chapter.
> You might be able to get an FBI agent to give a computer crime / identity
> theft presentation. What they say carries far more weight than what you or I
> say. When the FBI says the same thing you've been saying, you gain
> credibility.
> > > If that doesn't work, you can send a wake-on-lan signal to all the
> computers to make them shutdown or startup. Also, it would be a shame if
> their passwords quit working everytime they forgot to logout and had to be
> reset...
> > > good luck!
> > >
> > > Bart
> > > Sent from my Verizon Wireless BlackBerry
> > >
> > > -----Original Message-----
> > > From: k41zen <k41zen () live co uk>
> > > Sender: pauldotcom-bounces () mail pauldotcom com
> > > Date: Wed, 14 Jul 2010 22:46:54
> > > To: PaulDotCom Security Weekly Mailing List<
> pauldotcom () mail pauldotcom com>
> > > Reply-To: PaulDotCom Security Weekly Mailing List
> > >        <pauldotcom () mail pauldotcom com>
> > > Subject: [Pauldotcom] Security Operating Procedures and beating people
> over
> > >        the head (fun fun fun)
> > >
> > > I'm curious as to what technical or physical measures you put in place
> that work to ensure people adhere to Security Operating Procedures (SOPs).
> > > For example, we have a policy in place that states you must log off at
> the end of your working day. It could be any policy that they have to follow
> but lets play this out. Currently my team conduct a manual physical check
> noting desk, workstation, domain and user information before switching off
> or shutting down the machine when found. We are testing tools to automate
> this but are still in early stages.
> > > Now this isn't the only area of SOP's that is currently not being
> followed. However I'm more interested in what you do with the result and
> what you've found that actually works. Does rewarding work better than
> punishing or does a combination of both work better?
> > > I love beating people around the head to drum home the point BUT I
> wanted to take a step back and understand what this failed. In particular I
> wanted to know:
> > >        1) Have people seen/signed SOP's?
> > >        2) Have they actually read it?
> > >        3) Did they understand it and did it make sense?
> > >        4) Are SOP's too big/badly written to get the information across?
> > >        5) Do they simply disagree with SOP's?
> > >        6) Have they attended the security awareness/inductions courses?
> > >        7) Did they fall asleep half way through?
> > >        8) Have they forgotten SOP's?
> > >        9) Can they remember to security awareness training?
> > >        10) Did they sign it too long ago?
> > >
> > > After questioning someone, I did actually find that he did disagree with
> SOP's. Although he had signed it he was immediately escorted offsite.
> > > One failing is that SOP's is too much of a mess. In fact, there are 8
> documents that you have to sign depending on what you do and what kit you
> have. This is a mess and probably a big cause and even though I didn't write
> them am all over them taking them apart and re-writing.
> > > To simplify matters I decided to email out little important snippets of
> SOP's and removed the dull crap around the actual point in an attempt to
> spice them up a bit. More of a "do this and you'll be fine" approach BUT we
> still found tonight that 20% of people left their machines logged on. So my
> immediate thought is to implement a technical power off switch because
> people are very busy and they do forget right?
> > > I even spoke in person to a manager of an area we audit this morning to
> make sure he was happy for us to carry out this work. He replied with "I
> better make sure I log off tonight then" and laughed. Turns out that he
> didn't log off and he was only reminded 8 hours ago!!!!!!
> > > So I'm back to what to do about it:
> > >
> > >        1) Do I name and shame those that do not comply?
> > >        2) Do I praise those that do?
> > >        3) Do I get them to by cakes?
> > >        4) Do I get each team to look out for themselves with the last
> man/woman in to check the team machines?
> > >        5) Do I get them to stand in the room naked and recite, as a town
> cryer would, the area of SOP's that they failed on?
> > >        6) Do I get them to hand over a digit of their PIN for every
> breach they conduct?
> > >        7) Do I follow the breach and points system to punish?
> > >
> > > We operate a point system and after 12 points you are physically removed
> off site. Do I punish individuals and then after 6 points bring them in with
> their manager and warn that after another 6 they are off? I do believe that
> if it hurts people, if it really makes a difference to their take home pay,
> then they would listen. I'm personally in favour of this option. If people
> just get an email again reminding them to power off they maybe do it for a
> little while and then they stop - after all everyone is busy.
> > > But before I go down this route I wanted to check if there was an
> approach I was missing.
> > > So apologies for the long email but I throw this out to you and ask is
> there anything else I can do and ask for suggestions.
> > > I really do appreciate any advice/guidance you can offer.
> > >
> > > Regards,
> > >
> > > k41zen
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > Andrew
> > http://blog.psych0tik.net
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com