Ask Slashdot: How Can We Create a Culture of Secure Behavior?

An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"

This approach has gone nowhere for years

[Anrego]

Users are gonna do stupid things when it comes to security. Trying to fix that is a noble goal, but good luck.

The direction we need to keep going towards is idiot proofing. Assume the user will screw up and mitigate or eliminate the impact.

A Well-Informed Workforce is Key.

[Sight Training]

This is a great question, and one that plagues businesses of all sizes. Based on our experience writing security training and consulting companies on the best ways to plug the security holes in their organizations, it comes down to three things: 1) Spelling it out: A proactive approach to security awareness includes open lines of communication, telling employees exactly what sorts of things to look out for. One major mistake that corporations often make is assuming too much—mainly, assuming that their employees know how to identify malicious situations over the phone or through email. Instead, spell out the situations that may trip them up, either through policies or training. 2) Repeat, repeat, repeat: Even in companies that make a concerted effort to raise security awareness among workers, there is a tendency to backslide into comfortable complacency unless the danger is kept at the forefront of their minds. This doesn’t have to be onerous for management or irritating to employees, since there are so many effective ways to make security awareness a part of a worker’s daily experience. E-newsletters, security briefs, and clever, eye-catching security awareness campaigns are a few ideas. 3) Create a culture of teamwork: Often, corporate environments in large companies use impersonal policies to “teach,” hoping to generate desirable behaviors with a “Don’t think, just do” mentality. This approach makes employees feel like a tiny cog in a huge machine, a piece not worthy of more than minimal information. Smart employers give employees more credit. An attitude of inclusion should permeate every policy, every training campaign, and every common area. A real “good guys vs. bad guys” attitude makes everyone feel like part of a team that is working toward the common goal of security.

yeah, lemme see where was that in the requirments

[Anonymous Coward]

Sure, just was devs need, more users, who never requested a feature in the first place, coming in and demanding that a particular language be used in the implementation because the read an article about how its 'more secure'

Welcome to my nightmare, this rarely works out well

And for the inevitable, 'why didn't you make it secure in the first place' comment

fuck you, fuck you fuck you and your childish, 'I changed my mind, I don't want it fast, I don't want it cheep, I want you to read my mind and know the future and give me something that I can't break because I am a fucking idiot... and I need it tomorrow' attitude that makes everything somebody else's fault

You can't.

[bravecanadian]

As long as there is incentive to skip security and get things done.

ie. let the nerds in IT worry about security - I'll worry about selling/making/doing and getting my bonus.

So technically I guess you could do something to foster this sort of secure behaviour but it won't happen because the powers that be don't give a shit.

So yeah, you can't.

Re:Read what you wrote

[mlts]

If I had to give five general things a company could do, it would be similar to the following the parent stated:

1: First and foremost... separate and isolate. Finance should be isolated from everything else, with a Citrix or TS server so people working there can browse the web with the browsing well separated from critical assets. If a breach does occur, it will be limited in scope.

2: Laptop encryption is trivial. BitLocker [1] and the AD infrastructure to recovery is a must-have. Depending on level of paranoia, AD policy can be set to auto-encrypt USB drives, so a dropped thumbdrive doesn't mean a massive data breach. In fact, it would be wise to have BitLocker on all desktops as well, so repurposing of the machines is easy -- just a simple format or clean command in diskpart.exe.

3: Backups. Often overlooked, but a humble tape drive can mean the difference between a quick restore versus paying some guy out of Russia a lot of BitCoins. Disk arrays != backup because one command (blkdiscard for example) can render all backed up data gone in seconds.

4: A clear chain of command. This way, someone can't hack a VoIP connection, browbeat some lackey to get some critical access or knowledge about internal networking.

5: Active pen-testing from a guy running a script on boxes to actual blackhats using everything at their disposal including sending people on site in coveralls and fake badges to get in.

[1]: Yes, TrueCrypt is a good utility, but this is the enterprise where recoverability is as important as security.

Re:Good morale, perhaps?

[bhcompy]

Time consuming = won't do it. I've got enough things to worry about with all the bullshit administrative tasks I have to do to accomplish my non-administrative job. Give me security that doesn't force me to do more work, like encrypting my drive, single badge identification(no separate key fobs for doors I should have access to anyways), automatically encrypting my attachments, forcing me to change my password every 30 days, forcing me to have different passwords for different resources because password requirements are different(some requiring special characters, some not allowing special characters), forcing me to change my passwords for different resources at different intervals, etc.

Re:This approach has gone nowhere for years

[Anonymous Coward]

It's not that. Most people know that data breaches happen, like the Target one that was all over the news a bit ago.

The problem is that the security advocates make (seemingly) random behavioral demands that awkwardly often do not actually enhance security if followed. (I'm thinking of the entropy-neutral "strong password" dogmas)

When you make a system change that affects other employees, let them know why. When you propose a policy change for security purposes, defend it in front of a crowd of those affected. If you missed the trend, treat the other employees as equals (even if you don't believe they are) and explain why you are changing the firewall to block bittorrent at work or whatever change you have in mind.

Not passwords

[Todd Knarr]

First off, stop worrying about passwords. Most malware doesn't get into systems by way of an attacker cracking passwords. It comes in in ways that bypass passwords entirely, either by getting a user to run it or by getting the user to give the attacker their password.

Second, look at your management culture. Do you expect your employees to routinely click on links in e-mail? Look for things like HR or IT sending e-mails that instruct people to follow links they've provided, or "secure" or "encrypted" e-mail systems that store the messages on Web servers and expect your employees to use a link to get at the contents of the "secure" or "encrypted" message. If you find such things, realize that you're training your employees to be insecure, because you're training them to expect to do as a normal part of their job exactly what the malware will need them to do to infect their systems. Start by removing such things from your management culture. If you need encrypted e-mail, do it within your own e-mail system so that users never need to follow links to read encrypted or secured e-mail. Outlook and Exchange offer this directly. If you need to give employees links to internal web applications or documents, create a Web page or site with a directory of links and train your employees to use a bookmark in their browser to access that site and navigate to the appropriate section where you'll put all the new links they need.

Third, look at your IT policies. Not the ones you wrote, the ones you expect employees to follow. If your policy manuals say "No user-installed software." but your actual policies require users to get and install software from outside, you have a problem. It can be as innocuous as sending zipped archives while not having a program to handle them pre-installed on user computers. It can be as pervasive as not having your IT able to support the myriad of tools your developers need, most of which will by definition not be the kind of thing most desktops would need. But every time you have a situation where what you expect of your employees requires software you didn't pre-install on their systems and where it'd negatively impact an employee's job performance and more importantly their performance evaluations if they refused to install that needed software themselves, you're creating security problems. Sit down and decide how you're going to address this, then address it. It can be as simple as a page of "approved" links to sites you know are safe and where employees can get all that useful software that gets used every day.

Fourth, evaluate your software update policies and IT budget and staffing. If your IT department doesn't have the staff or the budget to monitor the vendors of all the software in use in your organization, test changes and push updates out to your desktops and servers, you need to re-evaluate your IT budget and staffing levels. You need to get most updates installed within 30 days of their release, and you need to be able to get major critical security updates analyzed, tested and deployed within 24 hours. Your IT staff can't do that if security updates are a side item they're expected to handle in between doing everything else. If management wants security to be a priority, they need to back up their words with the resources and budget departments need to make it a priority.

Yes, a lot of that comes back to management. Attitudes towards security come from the top. More importantly, they come from what those at the top do and expect rather than from what they say.

Re:when you start firing

[Anrego]

This requires security to be a priority over whatever that user is doing. In most cases, it's not. The job of IT is to keep the system running and support the people doing the things that the company actually cares about (buying widgets, making widgets, selling widgets, whatever). When IT folk get ideas of grandeur and images of violators of their well defined policy being given the boot, it never ends well.

Much as it sucks, I think the onus is on us to build software and systems that the user can't screw up. People clicking links and attachments.. filter out all links and attachments save for whitelisted senders. Careless with their password? Time for a 2 factor system where the hacker on the other end of the phone doesn't have easy access to one of the factors. Spearfishing becoming a problem? Implement something that makes it really obvious an email is from an outside source (and don't make it a big paragraph, just a simple large font "THIS EMAIL WAS SENT FROM SOMEONE OUTSIDE OF THIS COMPANY" at the top.

Re:You don't.

[Bonker]

An important caveat to this line of thought is that GOOD education DOES work to prevent risk behaviors.

A blanket 'Just Say No' campaign like the one ran by Nancy Reagan in the 1980s did more harm that good because, when a lot of the kids had it force-fed to them for a decade grew up and discovered that marijuana didn't immediately kill your or turn you into a junkie, many of them threw out the entirety of 'Drugs are bad, m'kay?' and went on their merry way destroying their bodies with harsher and harsher drugs.

However, kids who had explained to them what drugs really did to a person's body and which drugs were more addictive and which drugs were less were, and are, less likely to actually do those drugs.

The same is true of sex education. It's been shown with frequently tragic consequences that 'Abstinence Only' education usually makes the teen pregnancy and STD situation worse in places where it's taught. However, more complete sex education that explains pregnancy, STDs, and all the other associated risks that go along with sex causes a notable decline in teen pregancy, STDs, and an actual increase in the average age at which teens start having sex.

I have found the same line of logic to be true with IT security. If you make a point of explaining the whys and wherefores, perhaps going so far as to make an interesting, engaging education program, the people who are your 'risk vectors' decrease, as do the number of security incidents you have to deal with.

No, you never can completely eliminate the problem. However, by offering education that is interesting, complete, and that doesn't treat the recipient as an idiot, you can dramatically reduce the problem.

Re:This approach has gone nowhere for years

[Lotana]

Sharply limit password tries before account lockout

Let me introduce you to a very simple business plan:

1. Get the usernames of some company that is making good money. Not too hard, majority of them should be first/last names concatenated.

2. Keep logging in with the usernames and password as "password". Watch as the IT is brought to their knees trying to deal with hundreds of employees being constantly locked out.

3. Contact the company asking for good sum for you to stop it.

4. PROFIT!!!

In essence this is a very trivial DoS attack. This is the reason why login attempts get long pauses before letting you try again and why accounts don't get locked down.