By Allan Holmes | Friday, August 03, 2007 | 01:31 PM
It shouldn't be surprising that 60 percent of IRS employees fell for a social engineering test scam, in which the employees gave up sensitive computer information to a caller posing as someone from the help desk, according to a report by the Treasury Inspector General for Tax Administration and reported by The Associated Press. This kind of social engineering "attack" is particularly hard to guard against because 1) someone is contacting you (either by phone or email) who knows your name and other personal information about you and 2) is posing as a representative of a legitimate office in your organization.
The only real way to fight this kind of spoof is through education, as Government Executive magazine reports in the upcoming Aug. 15 issue. Look for the issue in your mailbox soon. In the meantime, here's an excerpt from the article, which appears in the Managing Technology column:
The most effective defense [against social engineering attacks] is education, security experts say. Agencies must train computer users to spot fraudulent e-mails [and phone calls] and resist replying to them. Educating includes “inoculation,” intentionally setting a spear phishing trap by sending out a false e-mail to a group of employees to see who takes the bait, according to Alan Paller, director of research at the SANS Institute of Bethesda, Md., which manages the Internet Storm Center and tracks cyberthreats. IT managers contact employees who replied or opened an attachment and teach them what to look for in a fake e-mail. Mistakes sometimes are the best teachers, Paller says. He estimates that spear phishing attacks on government number only in the low hundreds, but says the threat should not be taken lightly. It takes only one successful attempt to create a lot of damage.
In its report, the Treasury IG office recommends the same course of action:
The Chief, Mission Assurance and Security Services, should continue security awareness activities to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS computer security organization, conduct internal social engineering tests on a periodic basis to increase employees’ security awareness and the need to protect usernames and passwords, and coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.
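The "inoculation" test described above and the IG's call to report social engineering attempts suggest two numbers worth tracking per round: how many employees took the bait (the follow-up training list) and how many reported the message. Here is an added Python example, not from the article or the IG report, that scores a constructed event log from one such internal test; the employee names and event types are assumptions.

```python
# Event log from one internal inoculation test (constructed sample, not IRS data).
# Each record is (employee, event), where event is one of:
#   sent     - test message delivered to the employee
#   opened   - employee opened the attachment
#   replied  - employee replied with the requested information
#   reported - employee reported the message to the security organization
SAMPLE_EVENTS = [
    ("alice", "sent"), ("bob", "sent"), ("carol", "sent"),
    ("dave", "sent"), ("erin", "sent"),
    ("bob", "opened"),
    ("carol", "replied"),
    ("dave", "opened"), ("dave", "reported"),   # fell for it, then reported it
    ("erin", "reported"),
]

# Events that count as "taking the bait" in the sense the article uses.
BAIT_EVENTS = {"opened", "replied"}


def score_test(events):
    """Return (population, took_bait, reported) as sets of employee names.

    Only employees who actually received the test message are counted, so a
    stray event for someone outside the test group cannot skew the rates.
    """
    population = {who for who, ev in events if ev == "sent"}
    took_bait = {who for who, ev in events if ev in BAIT_EVENTS and who in population}
    reported = {who for who, ev in events if ev == "reported" and who in population}
    return population, took_bait, reported


def summarize(events):
    """Rates a manager would want after one round: bait rate, report rate,
    who needs the follow-up conversation, and who neither fell for it nor reported it."""
    population, took_bait, reported = score_test(events)
    n = len(population)
    return {
        "population": n,
        "bait_rate": len(took_bait) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "follow_up": sorted(took_bait),
        "silent": sorted(population - took_bait - reported),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The "silent" group is the one periodic testing is meant to shrink: employees who did nothing wrong but also did not report, which is the behaviour the IG report asks for.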
What's disconcerting about this particular approach is that training rarely gets the attention it needs to be effective. It's almost always one of the first line items to be cut from a tight budget, and agency IT budgets are tighter than they ever have been. Training also gets shortchanged when staffing is low, which means employees have little time to take off from regular work to attend training classes or even to read training materials. But training is the only defense. Firewalls and intrusion detection systems don't defend against social engineering attempts.
Do you see any efforts to increase information security training in your agencies?
Comments
Cyber/Infosec training is CYA for agencies. If some dope takes a laptop home with 26 million SSNs, first question out of a clueless reporter's mouth is, "Did this person have security training??" (One hour - PowerPoint)
If answer is, no, they did not look at slides for an hour then - gasp! - clown who took 26 million PII records home is: Not To Blame. They are somehow a "victim" because they weren't properly "trained."
So, Cyber/Infosec training is always verified and tracked but is strictly CYA.
IT person | Tuesday, August 14, 2007 | 03:15 PM

We do not need more security training. The users can not tell the good guys from the bad guys. Example: Most of us work in large work spaces with only fabric cubicle walls separating each of us by mere inches. (I have people on 6 sides of my cube/office space. I can hear all of their conversations.) When I have an IT problem I call the "helpdesk." The "helpdesk" requires me to tell them my PIN over the phone (not enter via the phone pad, not use the keyboard) to verify who I am. I am required to give my PIN to all within earshot by the same people who threaten me with security violations. Calling for more training is a crutch to prop up ineffective procedures.

IT user | Thursday, August 09, 2007 | 11:43 AM

It's not just the folks at IRS. Most agencies have received failing grades for IT security. I don't blame the users, but rather the IT managers for not doing their job. Thanks to people like Rep. Tom Davis we are starting to take steps in the right direction.

IT specialist | Friday, August 03, 2007 | 03:27 PM

ABOUT THIS BLOG
Allan Holmes on what's happening and what's being discussed in the world of federal information technology.