If you read just about any column or article on the topic the universal answer appears to be training. I beg to differ. Are quarterly, half-day training sessions really the best way to get employees to use screen savers and passwords? Is customer education the way to counter phishing attacks? Should you invest in security awareness training?
|Other Articles by Richard Stiennon|
Network Admission Control is a Blind Alley
Spyware: 2004 Was Only the Beginning
The Economics of Cybercrime Do You Need a CSO?
Take for example the concept of pretexting. This has gotten a lot of press recently because top executives of HP hired private investigators to obtain phone records of board members and journalists in an over zealous attempt to determine who was leaking information about board discussions.
The PIs would masquerade as these individuals and call the telephone companies requesting their phone records. I am at a loss for how you could train a CSR to recognize a pretexting attack. Rather the phone companies should take two steps. One is policy: No customer information given out over the phone, phone records only mailed to the address of record, etc. Second, technology can be deployed to identify and alert when these types of attacks are underway.
In the just published Enemy at the Water Cooler, Matt Contos relates an incident where call center operators at a phone company were actually in league with the PIs who were going beyond pretexting to outright bribery. Activity monitoring alerted management that operators were getting direct calls to their stations instead of being routed through the call dispatching system.
They were then accessing multiple accounts during a single call. Definitely suspicious behavior. In this way the phone company was able to track down the dishonest operators and fire them.
Screen Savers and Passwords
What about screen savers and passwords? In years past, employees had to endure quarterly training sessions where they were berated for not using screen savers and strong passwords. They were taught how to pick passwords at least eight characters long and with special characters.
They would go back to their desks, set their screen savers to pop up every five minutes, and change their passwords from Yankees to f%^7!38o. And after about two days they would turn off their screen saver and revert to abc123 for their password. Today, screen saver and password quality are set in policy and enforced with technology. No need to train anyone, just enforce policy.
The same goes for other forms of security awareness training. If you determine a need for awareness training you probably have a hole in your defenses that needs to be addressed.