millions. The vulnerability arises when the server part of the application has not been revised to allow for the fact that the number of potential users has increased by a factor of 10,000 or more. This creates the potential for enumeration attacks that overload servers in an attempt to expose the raw data behind them and gain access as a result. The typical response is to perform vulnerability testing in order to identify weaknesses, and amend the server code accordingly. However, this only tends to identify vulnerability against known threats. Stress testing by bombarding the servers with various forms of enumeration attack chosen almost at random may help, but at heart the problem, as so often, lies with the password system as it operates in practice. It may be that the best approach lies with enforcing stronger passwords comprising both text and numbers, allied to use of a memorable name or date for recovery when users cannot remember them. Although that procedure itself constitutes a point of weakness, at least the website can take account of it, knowing that a potential compromise has occurred after an incorrect password attempt. The alternative is a proper second security factor, such as a biometric, or a smart card generating one-time passwords.

Enhancing the employee security awareness model
J Andrew Valentine, Cybertrust’s ICSA Labs
Computer Fraud & Security, June 2006

Traditional employee security awareness programs utilize a very “one-size-fits-all” approach. Usually, every employee within an organization attends the same boiler-plate training session regardless of job function or knowledge level. A more efficient and cost effective approach to implementing an employee security awareness model is to use a specific multi-phased methodology that addresses the specific needs of the organization. The three components of this methodology are the Assessment, Identification, and Education phases.

It’s 8:30 a.m. and I’m introducing myself to the Assistant Store Manager at a national retail chain store location. I’m wearing a blue suit, red tie, and warm smile. I’m told that the General Store Manager, whom I had made arrangements to meet, has left the country unexpectedly and cannot be contacted. I explain to the ASM that I’ve flown into town to perform a basic network assessment of this location’s systems, and that the GSM should have left a note detailing this. He tells me that there was no such note and that he wasn’t aware I was coming, but says “thank you” for my doing so nonetheless. He doesn’t ask me for any sort of identification, not a business card, not a driver’s license – not anything. Within minutes, I’m being escorted by an associate to the store’s server room. They even hand me the keys to the door.

I pull out my notebook and quickly jot down the words “vulnerable to social engineering…” Several days later, as I am researching and preparing the final report for the network assessment, I discover that in 2003, this retail chain proactively implemented a mandatory information security awareness program for all of its employees nationwide. Rolled into a broader employee training package, this merchant required that all employees take a four hour, online information security awareness course followed by a ten-question multiple choice quiz that employees must pass in order to complete the training. Topics covered in this online course include malware, peer-to-peer file sharing, basic networking, and social engineering.

In the years following 11 September, the information security industry has seen a number of near catastrophic attacks. For example, the SQL Slammer worm exploited a vulnerability in Microsoft’s flagship SQL Server and MSDE database product lines, spreading across the world in 10 minutes, disabling a significant number of business critical systems in the process. The worm itself didn’t carry a malicious payload, but nevertheless disabled Bank of America ATMs, Continental Airlines’ online ticketing and electronic check-in systems, as well as the City of Seattle’s emergency 911 network. According to the London-based market intelligence firm Mi2g, SQL Slammer caused between $950 million and $1.2 billion in lost productivity in its first five days of existence.

This is the problem that security engineers and systems administrators have faced for the last 20 years. First, they spend half their time struggling with end users who open every single attachment that shows up in their inbox. The other half of their time, they spend working to convince upper management that information security is in fact an important issue – a business issue – and one that needs to be included in next year’s budget. These attacks and others like them, for better or for worse, forced organizations to adopt internal security awareness programs. For many organizations, the stakes are high, and they cannot afford to be compromised because of an uninformed employee or end-user. Just as the old adage proclaims, “knowledge is power,” and organizations felt that the best way to impart this power was to implement mandatory security awareness programs.

Security awareness programs have been adopted by many levels of government as well. The official security awareness campaign for the United Kingdom, dubbed Information Technology Security Awareness for Everyone (ITSafe), was launched in February of 2005. The United States has the federally funded US-CERT initiative, while state and local governments have issued programs of their own. Miami-Dade County in Florida, for instance, implemented a full day eight hour security awareness seminar as mandatory for each of its 37,000 employees. NIST, the National Institute of Standards and Technology, offers a full array of customizable awareness materials and resources that can be utilized by any company or organization. Additionally, a number of private sector firms offer security awareness curricula as fully formalized product lines with live seminars, online courses, videos, and what they call “Pre-Packaged Awareness Programs.”

Organizations took this approach to increase security awareness at a grassroots level: tell their employees what threats existed, what they can do to increase cyber security, the countermeasures they can implement, and how to do so. This training was designed to provide a blanket of very basic knowledge across a diverse employee pool. Everyone gets trained, from administrative employees through to senior management. By imparting this training to all employees ubiquitously, organizations felt they were establishing a solid baseline from which to build their internal security policies. Expectations were clearly set; employees understand not only the “what” relative to policy, but also the “why.” Furthermore, the “assembly line” nature of the traditional security awareness model allows for large-scale uniform training of hundreds of employees without being limited by geographical boundaries. That is, hundreds, even thousands of employees can all receive the same standardized training at a relatively low cost. Changes to the courseware can be implemented easily across the board. Overall adaptability and implementation is extremely cost effective. The minimum baseline of security knowledge can be heightened at a minimal price.

While this model had its successes over the last few years, the approach is beginning to show its age and is quickly becoming obsolete. Organizations recognize the shortcomings as employees and managers continue to fall prey to the same social engineering techniques. From a budget perspective, how can an organization continue to fund an awareness program if it doesn’t appear to be efficacious in any way? As both public and private organizations hurriedly adopted these programs, no one ever stopped to consider how to determine whether a return would be made on their investment. Unfortunately, there is no true metric that can gauge the effectiveness of a security awareness program. And when the training is based on mandatory attendance, many employees, specifically those that do not interact with sensitive information, just don’t care about information security or social engineering – and they don’t care to sit in an eight hour seminar or take a four hour online course. Additionally, should an organization really bankroll a security awareness program across the board – even for employees who never come in contact with sensitive information – if it can’t even guarantee attendees will listen or care about information that isn’t directly relevant to their job performance?

Any organization, public or private, needs to examine how the traditional security awareness model affects bottom line profitability and efficiency. They need to determine if it is truly cost-effective to maintain the current security awareness curriculum they have established if they can’t even measure whether it is working. They need to decide how their security awareness program fits into the organization in the long run. That is, should employees be required to take the training once a year, or once every two years? Technology changes over time – and so do security threats. The problem is that the traditional employee security awareness model provides a static solution for a fluid problem.

Information security is an ever-evolving field, with new threats, techniques, countermeasures, and philosophies born each day. The best that any security awareness course can hope to accomplish is to provide a static cross-section of information security as it currently exists – and that’s only if the curriculum is perfectly up-to-date. As information security professionals, we are continuously chasing the curve, trying to keep up with the bad guys. It is unreasonable to expect any organization will require its employees to re-take a security awareness course every time a new significant threat emerges or a new countermeasure is introduced.

What security awareness programs have lacked since their inception are fully realized methodologies based on the organizations they are designed to serve. On the contrary, a major selling point of many security awareness programs has been their distinct lack of any pre-defined methodology. Organizations are as varied as the individuals within them, and to purport that a one-size-fits-all approach could fully address the awareness problem underestimates it completely. Employee security awareness programs need to begin growing out of their infancy and be treated with as much attention to detail as any other information security engagement. That means a fully realized multi-phased approach that follows a specific methodology that can be tailored to meet any organization’s specific needs, paying close attention to specific security weak points. This multi-phased methodology incorporates three key components:

• Assessment Phase
• Identification Phase
• Education Phase

The assessment phase

It goes without saying that the ultimate goal of implementing an organization-wide employee security awareness program is to protect company systems and resources, including proprietary and otherwise sensitive data. Consequently, it stands to reason that an organization should fully assess what it intends to protect before the implementation of a security awareness program. For instance, Company “A” may be retaining important consumer information and have a strong interest in protecting it, whereas Company “B” may be protecting authentication information that could be used to access business critical systems. In fully scoping what they intend to protect in the first place, organizations can more efficiently tailor a security awareness program to meet those needs.

This scoping exercise can also take into consideration possible attack vectors. If only 10 employees, for instance, work at the company Help Desk, it may be of particular benefit to train those individuals on social engineering techniques and countermeasures. An employee who does not interact with the public, and who has no specific access to sensitive information, would not necessarily be required to undergo such rigid social engineering training. However, they might benefit from a training course relative to malware using email as an attack vector. Organizations may further consider informing employees of the full risk of compromise to make sure they are aware of the potential effects of a successful attack against the organization. Employers cannot expect their workforces to diligently protect the best interests of the company if they aren’t even sure what they are protecting, much less the consequences of failing to do so. Although he had likely attended a security awareness course at some point, the Assistant Store Manager described earlier clearly had no understanding of social engineering as an attack vector. More importantly, however, he didn’t understand the full scope of potential harm that could be caused by granting a stranger full access to his store location’s server room. Many organizations already undergo regular assessments for PCI, HIPAA, SOX, and other mandatory regulations. As such, they can incorporate full scoping for security awareness programs with assessment exercises already underway.

The identification phase

After fully scoping what it intends to protect, an organization looking to implement a security awareness program needs to determine which employees regularly interact with that data and any specific security related controls – these employees are truly the gatekeepers for an organization’s data security. For many organizations, this may only be a handful of people. By doing away with the ubiquitous “Security Basics” model, an organization can more appropriately offer specialized training to these gatekeepers, paying specific attention to their specific roles and security controls. In terms of cost effectiveness, the specialized approach guarantees not only a reduction of seats needed during a security awareness program, but also that the training provided has specific long term value for attendees. Drastically reducing the number of program attendees reduces general overhead in terms of both course materials and time away from workplace productivity. Furthermore, it completely removes the nebulousness of a security basics program that causes general disinterest in security awareness in the first place.

The education phase

Lastly, after an organization has fully scoped what an internal employee security awareness program should be designed to protect, as well as identified the specific gatekeepers of that information, the education phase can move beyond mere awareness to specific knowledge transfer. As organizations have fully taken into account their internal data structure, training can be partly scenario based, putting employees in test situations with specific problems and potential attacks relative to their specific security controls. For example, one scenario might include a face-to-face social engineering attempt much like the situation at the retailer. With a specific goal in mind of what an organization’s employees are meant to protect, attendees can come away from an awareness session with specific knowledge of attack vectors they might face in the workplace as well as response procedures relative to those attacks.

As they currently exist, employee security awareness programs do not generally include incident response procedures. Organizations more often choose to reserve that level of training for their internal incident response teams, if they have them. From a security standpoint, however, including incident response in regular security awareness training is critical. By moving away from the traditional model, organizations can begin to incorporate employee-specific and incident response information into their courseware without threatening bottom-line training costs.

Like any other complete information security model, employee security awareness is another layer in a firm and robust security posture. However, should an organization wish to increase bottom line efficiency, productivity, and profitability, custom tailored security awareness programs are a better means to that goal than the traditional model. Employee security awareness programs are still in their infancy, and just as any other facet of information technology and data security, they are a continually changing and evolving entity. As organizations move away from the traditional employee security awareness model, and begin to use a fully realized multi-phased methodology, those programs will become increasingly beneficial, as well as cost effective, for the companies implementing them.

Correction

Bryan Sartin, who authored the article on Anti-forensics last month, was wrongly attributed. The correct author attribution is Bryan Sartin at Cybertrust’s ICSA Labs.
