How to teach employees to protect their passwords
This article was a TechLink feature in the March 8, 2004 issue of The Business Ledger.
If you go into just about any office in America where passwords are required to access computer resources, odds are close to one hundred percent that you will find someone's password written on a Post-It note and stuck on the edge of their monitor.
If it's not there, there's a darn good chance that it's on a Post-It on the right or left of the inside of the top desk drawer. Go ahead, try it; walk through your office and see if you can find some passwords—we'll consider it a preliminary computer security audit. Even without a username, the password is dangerous, because, let's face it, odds are also pretty strong that the employee's username is his or her last name.
Non-technical methods of obtaining passwords such as this are so widespread and well developed that they actually have been given a name: social engineering. Some definitions: "hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system," or "an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to gain the information (usernames and passwords) he needs to gain access to the system."
Ray Trygstad is the Assistant Director for Information Technology of Illinois Institute of Technology's Rice Campus in Wheaton. As an officer in the U.S. Navy, he was an Information Systems Security Manager and had the opportunity to create an information system security program from the ground up. He teaches information system security management, operating systems and virtualization, and information technology management in IIT's Information Technology & Management Degree Program.
Other common tactics used by social engineers involve calling users, identifying themselves as tech support, and requesting a user's password to help resolve an issue on the system; or calling tech support, claiming to be a user, and requesting a password reset because the one that's always worked doesn't want to work now... Social engineering works because, despite consciously knowing better, deep down people are generally trusting. And many social engineers are willing to do copious research and invest a lot of time so they can be totally convincing in their role, thus gaining the trust of people who should know better.
How do we stop the social engineers? It is necessary to have a computer security policy. By way of review, computer security has three primary elements: software, hardware and people, because pure hardware or software solutions don't address the human element. While there are technical solutions that can prevent people from behaving in ways that compromise your security, without policies in place you have not secured the human element of the equation.
Do policies stop social engineering? Not if they just sit on a binder on the desk! The key to countering this type of threat is education, education and more education. All the policies in the world are meaningless if employees do not know and understand the policies, so user education becomes the key element in the human side of your security system.
Password security is the single weakest link in this human element of computer security, so password policies have to be communicated to employees and must be clear, enforceable, and enforced.
Another important element is clearly established consequences for violation of the policy. If there are no clear-cut consequences for violations, the policy is, again, meaningless. Consequences must have some teeth to them; it's an unfortunate fact of life that it may be necessary to imperil people's jobs to get them to follow policy. Toothless consequences just won't do it.
Here's one of my favorite examples: when I was in the Navy, we used to park our helicopter on a ramp at a U.S. Naval Air Station in a foreign country. The Navy was required to employ a local citizen as a security guard for the ramp area at night. The consequence he faced if something was missing in the morning was that he didn't get paid for that night—this meant that if you wanted to steal something, all you had to do was pay him more than his night's salary! So consequences must be real, must be serious, and must be fairly and consistently applied.
America's best-known hacker and author of The Art of Deception: Controlling the Human Element of Security, Kevin Mitnick, said: "I used to do a lot of improvising... I would try to learn their internal lingo and tidbits of information that only an employee would know."
He offered this advice to businesses who fear social engineering might be leveled against them: "On the corporate side, as an employee, it all comes down to user awareness and education."
So just how do we get our employees to stop leaving their passwords on Post-Its on the monitor? Policies, policy enforcement, and above all, user education. It takes some effort, but you can build and maintain a secure computing environment—you just have to get everyone onboard.
References:
Cracking a Social Engineer by Al Berg at http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html (archived at http://web.archive.org/web/20030201204954/http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html)
Mitnick teaches 'social engineering' by Robert Lemos at http://zdnet.com.com/2100-11-522261.html?legacy=zdnn
Social Engineering Fundamentals, Part I: Hacker Tactics by Sarah Granger at http://www.securityfocus.com/infocus/1527
Social Engineering: What is it, why is so little said about it and what can be done? by John Palumbo at http://www.sans.org/infosecFAQ/social/social.htm (archived at http://web.archive.org/web/20021019224538/rr.sans.org/social/social.php)
Document Last Updated by Ray Trygstad
Copyright 2004 Illinois Institute of Technology