100

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided.

I already tried to instruct them but they simply don't care, they cannot see themselves as an important part of our intrusion prevention system.

The company deals with sensitive information, but they prefer not to think about it. Our policies are one of the best I have ever seen, but no one follows them except the security team.

What should I do? Should I throw in their faces the logs of how many attacks my team is dealing with because employees bypass all the security?

If my team fails the telecommunication system of my country can be completely affected. I thought it was a motivation to take care of security, but no one cares except us because it's our job.

Has someone already dealt with a situation like this? Should I give up?

RF03
  • 1,063
  • 1
  • 8
  • 12
  • 22
    I hate to promote my personal blog, but ... http://gophishyourself.co.uk/ – schroeder Oct 17 '16 at 16:45
  • 15
    Is the security team not in a position to dictate and enforce their policies? Isn't that their job? The good old carrot and stick approach works here! (stick being a reprimand, carrot being a congrats at the weekly meeting...) In the case of IT, the network admins should have the power to lock everything down as they please. Sure old timers are likely to moan and groan, but the perks of being in a security team is that YOU are the one that makes the rules. – Drunken Code Monkey Oct 17 '16 at 22:45
  • 5
    This might also be a good question for [The Workplace](http://workplace.stackexchange.com/) – Kaz Oct 18 '16 at 08:03
  • 6
    Often, folk respond better to disaster stories than to briefings about how to do it right. Try doing a briefing on 'things that go bump in the night and other hacks', 'How Stuxnet got through and other tricks', etc. If they are *Unskilled and unaware of it* (Kruger & Dunning) then you need to educate them a bit first, and humour is a good sneak route to that. – Philip Oakley Oct 18 '16 at 16:57
  • 3
    Watch Mr Robot or any movies about hackers at your workplace to incease awareness. Make sure to privide free food. – miva2 Oct 19 '16 at 12:48
  • 3
    Read this before judging your coworkers as uncaring http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf – Jared Smith Oct 19 '16 at 23:18
  • 1
    Another thought: does following procedures slow down their workflow? And do they get pressure to get things done quickly? If both are true: make sure managers know to ALLOW the extra time, and make sure employees know they will NOT be blamed for being slower! – Layna Oct 20 '16 at 06:08
  • The best designs are ones which perform their duty so well that you don't even notice it's there. I don't think people will ever truly care about security; you could throw the logs at them everyday and I doubt it would make much difference. So, the best option is to get out of their way - make your security so easy to use that the staff end up being secure by default. This of course depends entirely on the office but one example is if you use smart cards to go in and out then e.g. use them to login too. That's one less 123456 to remember.. – Luke Briggs Oct 20 '16 at 08:46
  • 1
    I was once an employee at a company like yours and we had strict policies with strict penalties if broken, same problem though, people didn't follow them and management couldn't fire everybody. Then we were all required to read Ira Winkler's book "Spies Among Us" after reading this book, I understood why my company had all these policies and began participating, as did many other employees. Education goes a long way and this particular book does a great job explaining corporate security to the common man. – clownfish Oct 22 '16 at 15:10
  • If your team is able to deal with the attack then why are they a problem ? Why is this even your problem ? If you are able to document that someone else didn't follow safety procedures your job is safe. How much fund are available and how much does security impede productivity? Does everyone have the necessary stuff to implement the measures ? Does your security involve people learning steps for anything by heart or knowing complex password requirement by heart ? Are people in anyway remotely able to understand why stuff has to happen and remember the reasons ? – HopefullyHelpful Oct 23 '16 at 04:25

10 Answers10

62

High Level Culture

In my experience, shifting a security culture takes 3 steps:

  1. Get management buy-in to do things differently
  2. Get personal management engagement to lead the way on what is important
  3. Set the tone through training, media, and in-person events that "people like us do things like this"

Here's the thing: management has to be leading the charge on this, with help with the security champions. Management has to want, and encourage, the technical controls to apply to themselves. If management gets special conditions, game over.

Get a manager, the higher up, the better, to personally and publically express their desire to participate in a properly secure environment. Get them to express the frustrations and inconveniences, too. But also communicate that the inconveniences are important for the health of the company.

"I grumble on the mornings when I'm prompted to change my password. I think, I changed it just [1|3] months ago! But, I know that when I do, I'm cutting off a hacker's route to using my credentials to harm me and this company"

[yes, I am aware of the controversy about frequent password changes, but roll with the example for a second]

Then, once you have this great foundation, then start bringing that message to the personal level to everyone.

Teach Them to Secure Themselves

It can be easy for people to see company policy as disconnected from reality (have you filled in your TPS reports?). So pushing hard on company security can be a losing battle. Instead, consider teaching people how to secure themselves and their families. Show how hackers have and do compromise home computers and mobile devices. By doing this, you get them to really see the dangers involved. Once you have this buy-in, then it is much easier to shift the focus to dangers at work.

Get Some Teeth

If everyone is getting along with the policies, then that's great, but you need to have some worst-case consequences for people who do not comply. This is a tricky subject and you need to work with HR, GRC, and management to make this work.

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 22
    As a sidenote, as much as management needs to get involved, they also need to step aside and let the security team do what they have to do when the time comes, even if it means changing some long-standing company procedure. A lot of management tends to blockade any effort, valuing convenience over security, without necessarily being the best suited to take the decision. A good management will discuss the issue with the sec team, develop procedures, but then will take a step back, and bite the bullet like everyone else. – Drunken Code Monkey Oct 17 '16 at 22:49
  • 6
    I'd say the 'teeth' part of this needs some emphasis. Find a mid-range manager who's repeatedly in contravention of policy, despite numerous interventions on your part and work with management and HR to have them fired (assuming employment contracts have sufficient legal basis in them for such actions). – Ralph Bolton Oct 18 '16 at 09:49
  • 5
    I think the one thing thats missing is that security must be easy. If your password can't have a [Q or Z](http://security.stackexchange.com/questions/57909/why-would-you-not-permit-q-or-z-in-passwords) or a [digit at the end](http://security.stackexchange.com/questions/139795/why-would-a-password-requirement-prohibit-a-number-in-the-last-character), people aren't going to buy into the security culture. – David says Reinstate Monica Oct 18 '16 at 13:39
  • 3
    Learn from high-profile companies that have been victims of hacking, at least the ones who have worked hardest to recover. After the initial shock, they made top level changes. They changed their organizations from "Director of Security" or "VP of Security" to the C-suite. A CISO reports directly to the CEO, not the CIO, and can effect change corporate-wide in a way that a manager, director, or even a VP can't. This is neither easy nor cheap; but it's way cheaper to do it before the hackers cause damage rather than after. – John Deters Oct 18 '16 at 15:29
33

Think of your users as customers. You are helping them meet their business requirements to secure data. That means it's your job to keep the requirements placed on them as sensible, justified and limited as possible. It's UX engineering.

Examples:

  • if you make it hard to get a proper login on a system, workgroups will share passwords on post-its or whiteboards.

  • 'security theatre' will reduce trust in the concept that precautions are necessary (making people have 20 character passwords changed weekly just to read the corporate Intranet).

  • if the WW2 German Army couldn't make its operators follow security instructions (like changing Enigma rotor settings frequently), and given they could shoot people for disobedience, what chance have you got with mere hectoring?

James Bradbury
  • 2,027
  • 20
  • 27
Rich
  • 817
  • 6
  • 5
  • 5
    So much this. Security theatre makes it hard to be secure. Making the right thing easy, and the wrong thing hard is crucial. – James_pic Oct 19 '16 at 16:10
13

This is a really difficult issue, but if you have the chance to change things, you should give it all you've got.

You can't change a culture overnight. However, there are steps you can take to begin changing the culture for the better.


Policy enforcement

This is first on my list. I'm in full agreement here that you need to enforce security policies, and discipline those who don't follow them. That includes everyone from top to bottom.

Would you rather endanger the company by letting those who continue to screw up repeatedly... well, continue to screw up repeatedly? Don't expose your company to unnecessary dangers.

People who are dishonest in little things are dishonest in bigger things, and aren't worth the time it takes to discipline them. These folks are at the top of my termination recommendation list. Anyone who is honest about what they did wrong would be suspended at worst, unless they keep making the same mistakes over and over again.

If someone has a disagreement, give them a place to voice their opinion, but don't just roll over for them. Gently explain why... some users need to know why, it's just how they think. Those users almost always ask questions about why they should do something. Be prepared to teach them.

If someone refuses to follow security policies, you need to find employees who will. It's really that simple.


However, ain't nobody got time for a giant list of rules

I'm of the opinion that having too many rules is detrimental to those doing their job. That's why you should have a few specific rules for everyone, and then create role-specific rules.

Bobby in accounting is not customer-facing. I don't need to teach him about buffer overflows, SQL injections, xss, csrf, whatever. Cathy down in Finance doesn't need to know about server hardening techniques.

Buff Markalo in engineering definitely needs to know, though. And he has to understand the policies he's being taught.


Make training easy to digest, and simple to understand

You need to know your audience before even starting, or you're doomed before you start.

Remember, examples are SUPER helpful to make people understand what they're reading. I'm going to list a few super basic topics to help you get started. Feel free to add to them, but don't make it overbearing.

  1. Developers.
    • Make it platform-specific, and give platform-specific examples.
    • You can make it short and simple. You can even develop easily-digestible videos that are only around 5 minutes long for each of the OWASP Top 10 vulnerabilities.
    • .gitignore, not storing the wrong stuff on GitHub, etc.
    • Anything relevant to your environment.
  2. Customer-facing employees
    • No to credit card storage, or you're fired.
    • Dos and donts.
  3. Everyone
    • Explanation of phishing / whaling / social engineering, and how they work.
    • Anything relevant to their role. Customer-facing? Don't touch cardholder data in any way.
    • Don't share your passwords / accounts
    • Don't set up unauthorized resources (servers, virtual machines, etc).
  4. Sys Admins
    • Proper hardening procedures
    • Urgency of upgrading vulnerable components
    • Anything relevant to their environment.

And always update every time you find an issue that didn't exist before. You'll never get everything, but you can get most.


New hire security orientation

This goes without saying. You need to ensure all hires undergo security orientation. If you make a digestible learning package that assumes everyone has a short attention span, you'll have much better success than 2+ hour videos of security with some guy droning on in a serious voice. I don't even want to watch that crap.


Quiz them

You'll need to see if they actually understand what they're learning. Make everyone take a yearly quiz, and don't allow those who fail to continue working unless they pass.

Reinforcement quizzes, and general competency quizzes help too.

Don't forget to know your target audience. If your target audience likes immature humor, use that in the quizzes.


Hunt down security issues, and confront those who cause them

Have a hunter? Have them hunt down the security issues on your own network(s), and explain them in depth to the teams responsible for these holes. Document everything they did wrong, and approach them and tell them it needs to be fixed.

If they refuse to fix or change, see the Policy enforcement above.

Don't believe anything users tell you. Always verify what they're saying. Honest people are the easiest people to work with in the world. Dishonest people create far more problems than they help with.


Recap

  1. Policy Enforcement
  2. No overbearing rules. Don't prevent people from getting their jobs done.
  3. Make it easy to digest, and simple to understand. KISS works really good.
  4. New hire security orientation.
  5. Quiz them.
  6. Hunt down security issues and confront those who create them.

Over time, people will change. It's sometimes an uphill battle, but one worth fighting for.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • 3
    This is pretty comprehensive. One issue that I see that I don't think you directly addressed is that sometimes there are legitimate rules that say: don't do X but there is no approved approach that allows a given business need to be addressed. In other words the point of these policies needs to be: 'how to solve busines problems without unnecessary risk' and not 'here are all the things you can't do'. Otherwise, "business necessity" will quickly become a master key for bypassing security policies. – JimmyJames Oct 20 '16 at 18:44
  • 1
    Buff Markalo, heh. – Petr Hudeček Oct 23 '16 at 20:53
5

I'll take little detour and answer the question implied by this part:

but they simply don't care

@shroeder's answer already covers the starting point which is to have the management on your side. And teaching people how to secure themselves is a very good take on how to perform the indoctrination, but I'll extend it. Let's ask how you can motivate the employees of the company to be more aware of security.

In general, regarding changing work habits, you will encounter three kinds of people. By providing incentives to each type, you will increase your chances of successful implementation of a culture of security. You may encounter:

  1. The career man: Most often represented by middle managers or project managers. Their focus is on documenting their capabilities, and you shall explore that. Provide the security training for them in official sessions with completion certificates.

    A certificate means little in terms of actual knowledge, but you can perform an examination to actually give out the certificates. You can make them study, by themselves.

  2. The geek: Technical staff, operations staff (depending on the company), and often other staff members that may be trying to evolve their career. Their focus is curiosity. To a geek, you can show an example of debugging a piece of malware or explaining a buffer overflow and from there extend the policies you want to implement. Give them curious facts and then link them repeatedly to the company security.

  3. The drone: Some people just do not want to change. They simply want to be told every detail of what they need to do, and never do more than that. They can be found at every place and level within a company. And there is no magic rule here, you need to make them face consequences if they do not comply with the policies. Often you need to enforce these consequences very ruthlessly to make sure that other drones adapt to them.

grochmal
  • 5,757
  • 2
  • 19
  • 30
3

This is a difficult situation to remedy if you're already set up to have an antagonistic relationship with the other departments.

There are going to be a whole mess of assumptions in this answer. These are just some thoughts based off of my own experiences. YMMV.

Driving cultural change is hard, and most typically you will need to change several groups to care about Security differently:

  • Security department:
    • Will need to get Security to care less about Security for Security's sake.
    • Informed "acceptable risk" discussions may need to happen. There will be times when Product will take precedence.
    • Stop presenting a culture of "no".
    • Make it easy to test for "basic" security compliance. (Incorporate security testing in CI/CD pipelines, for instance.)
  • Development teams:
    • You will need to convince other teams to consider Security up-front, as a core product feature.
    • It will need to be a continual consideration; time needs to be allocated up-front on a recurring basis (sprint, week, month, etc) to evaluate platform / framework / plugin versions for security patches. Make it a relatively small amount of time, but make sure that say 4 person-hours every sprint is pre-allocated for hygiene.
  • Systems/Operations
    • Remind them that you're there to help them. (Stick and Carrot doesn't work if you don't have a carrot.)
    • Work with Systems/Ops to automate security patching, compliance reporting.
    • That takes time, so do your best to not surprise them with a slap-down notice without heads-up if possible. Sys/Ops teams don't appreciate getting thrown under a bus when, say, a Security review report goes to executive leadership.
    • Help them to incorporate security testing with Operational monitoring
    • For instance, they may have a https monitor that goes off before the cert expires, but they are less likely to have one for weak ciphers.

Finally, there's a lot of insight to be gained from Ben Hughes' DevOpsDaysMSP 2014 talk "Handmade Security at Etsy", where he discusses this very topic.

gWaldo
  • 131
  • 3
2

Okay, you should only try this if NOTHING ELSE WORKS. You have been warned.
Here's the thing, humans often won't realize the importance of something until they lose it, the same way that people don't start taking backups of data until they first lose something important to hardware failure.

Showing them how many attacks you prevented won't help. They'd just get even more sure that you can withstand any attack. What you need is a successful attack. Or at least make it look like one got successful.

So... On a holiday or something, pretend that your network was targeted and compromised. Make it convincing. Take the network drives offline for an hour or two. And then say that you managed to recover everything, but the attacked was caused because someone left important confidential credentials lying around or their account logged in on a public PC. If this doesn't work, nothing else will. I once did this to my team, and trust me, they lost all their carelessness. The shock of having possibly lost the project that they'd been working on for months made them really serious about security.

However, there are a few things that you should keep in mind:

  • Your boss/seniors should know about this staged attack. Tell them that this is the only way to protect the organization from a serious attack later in the future. BUT TELL THEM. You really don't want to get fired because you tried to teach someone the importance of being careful with their passwords.

  • Your colleagues might not react well if they realize that the whole incident was staged. Please think before disclosing this to them. My team understood why I did this. Your's may not.

PLEASE THINK A LOT BEFORE GOING AHEAD WITH THIS.

undo
  • 2,085
  • 2
  • 13
  • 18
  • 7
    When they find out it was a fake, you will lose any trust they might have had in you. There is always something else to try. – schroeder Oct 18 '16 at 18:58
  • 5
    This is an awful idea. If you need to threaten and lie to your staff to get them to follow company policies, your company has serious management problems that need to be addressed before worrying about InfoSec. – whitehat101 Oct 19 '16 at 02:54
  • @whitehat101 Fair enough... – undo Oct 19 '16 at 03:05
  • @Schroeder Maybe giving up on friendship/trust is a suitable compromise in exchange for a secure environment if you're going to be handling very sensitive information? IDK, that's for the OP to decide. I think I included enough warnings? Also, the OP doesn't *have* to tell them... Sometimes you need lie to get things done. That's just the way it is. – undo Oct 19 '16 at 03:09
  • 1
    It's not about friendship, its about being able to communicate at any point in the future to your colleagues. Without trust, you can forget about building any type of culture or leading your organization to a more secure environment. – schroeder Oct 19 '16 at 06:18
  • 1
    While I'm a strong believer that trust is the ultimate value in safe communication (especially in an interconnected society), I see that this may work if made on a smaller scale. What I mean is that do not make people lose work, you may accidentally compromise the network in a very critical moment for some (and you may hold on your conscience that someone was fired because he did not deliver something on time). Instead work around this as a friendly prank. Infect the machines and then one day just tell your colleagues: do you want to see me shutting down all your personal devices right now? – grochmal Oct 19 '16 at 09:05
  • @schroeder - You can communicate this as a "drill" instead of a "fake" and there's no loss of trust. Analogy: I expect your office does periodic fire drills - yet you've not lost trust in your fire warden because of these "fakes". – paj28 Oct 20 '16 at 07:57
  • @paj28 that's... A pretty good idea – undo Oct 20 '16 at 07:59
2

The problem you're describing also applies to drug and bomb sniffing dogs.

It doesn't matter how much you yell at them and threaten them, drug and bomb sniffing dogs can lose interest very quickly if they can't find what they're looking for despite all the work they're doing.

That's why the trainer needs to constantly hide fake drugs or fake bombs to keep the dog engaged in its activity. And yes, the trainer will use treats initially, to associate with finding something, and to reinforce the reward, but what ultimately keeps the dog engaged is the element of play and the idea that the dog is looking for something that is very likely to be found (even if the found object has to be faked most of the time to keep the dog interested).

This is why your company should implement a regular regimen of penetration testing and social engineering attacks, and then regularly review its results afterward with everyone involved. There is really no substitute for this kind of thing.

The fact is, your servers may be getting hammered by port scanners all the time, but that doesn't matter to your executives or your receptionists. What they need to see is actual attacks that affect them, or that they haven't thought about, and the best way to do that is to attempt those attacks on them in the environment that they're used to.

This also lifts the burden of social awkwardness when confronting or blocking someone of perceived higher or equal authority. At my workplace, we had a strict policy of not letting anyone we didn't know follow us through the door after we used our RFID card to enter. But of course, the college interns and the night janitors would never demand the credentials of someone who appears like (s)he could be working there. For them to do something like that, they needed to think there was a reasonable chance that it was test or a drill, since the actual probability that it's a bad guy/gal was actually very low comparatively speaking.

And please don't think that I am just blaming janitors and interns, they're not the only one who may break protocol just because they're too nice, or because they're going for the most convenient solutions. Employees, executives, and many others will do the same thing.

1

The biggest security problem is actually the user pool.

No security can defeat user stupidity (like clicking on a script received by a random e-mail).

What you need to do:

  • present the risks to management

  • present examples of bad things that happened

  • present a countermeasures plan (technical)

  • request to have rules that are mandatory for everyone and enforce your security policy (create one if you do not have already)

  • request a penalty system to be created for those proven to break the rules several times

  • make the management organize training with the users - this is the most important - training must contain everything from more complex security issues that can be prevented by user compliance to simple what not to do list (i.e. do not click links in e-mails)

Overmind
  • 8,829
  • 3
  • 19
  • 28
  • While technology can't defeat all user security, it can defeat a lot of it, and there are numerous solutions to the issue you mention - Mail gateway filtering, hardened email client config, desktop sandboxing, etc. – paj28 Oct 20 '16 at 07:58
  • No e-mail filter from this world can deny a link to a website that is not yet at least blacklisted somewhere. And anti-viruses will not block what looks like a legit e-mail send form (which it actually is, from a tech perspective - it's the destinations and rates of use that do the damage). – Overmind Oct 20 '16 at 08:01
  • Your example was a script attached to an email. Mail gateways can filter on content type, blocking all scripts. Links to malicious websites: you can configure the mail client to not display links. But maybe you want them. Desktop sandboxing like Bromium runs the browser in a disposable VM. Really, there are good solutions. You've picked a couple of examples that don't live up to their marketing hype. But good solutions do in fact exist. – paj28 Oct 20 '16 at 08:05
  • No, the script in on the destination website. The e-mail only contains the link to that, which the cowox user clicks and runs the script, which was my initial point. Sandboxing and such thing are near impossible to implement due to the exact same problem: the users. They can barely compose e-mails, how do you expect them to use VMs ? – Overmind Oct 20 '16 at 08:08
  • What sort of script did you mean? You can configure browsers/Windows so users can't download and run executable files. Bromium does the sandboxing transparently, users aren't aware. I'm not involved with them, but it is cool stuff. Also, you seem to have ignored my point about configuring the mail client to not display links, that is a useful defence. – paj28 Oct 20 '16 at 08:17
  • I'ts not an acutal .exe, just a VB or JS or many other variants. It reads the user password from outlook and then auto-sends e-mails. Antiviruses do not detect anything. I can't ignore link because there are a lot of official e-mails that communicate links to client pages, client configurations or offers, so I can't deny those. – Overmind Oct 21 '16 at 09:58
  • Software Restriction Policy can stop users executing vb/js. If you want more info, open a new question and notify me here. – paj28 Oct 21 '16 at 10:30
  • Can't do that either because users need vb/js for their daily work. They have various applications that use vb and js. – Overmind Dec 28 '16 at 08:48
  • Hi Overmind. I previously offered to explain all this in more detail if you ask a separate question. The offer still stands. – paj28 Dec 29 '16 at 12:51
1

Simplicity & Consistency

The security policies need to be easy for people to follow. Many organisations have policies that do not reflect reality, are self-contradictory, and that people need to break to do their job. The solution is to make policies simple and to accept feedback from users.

Enforcement should be consistent. If some people break policies and nothing happens, this encourages others. Use technology to enforce policies as far as possible, relying on individual users as a security control should be a last resort. Also, the best way to stop people leaking information is to not give it to them in the first place.

Others have mentioned needing an enforcement "stick" for people who don't comply. I think that is counter-productive and discourages people from talking openly.

Classification

You need to work out which bits of your operation are critical. Everything in business is important to some extent, but some bits are "regular important" and other bits are "super critical".

The super critical bits you need to have very strong controls for. And the regular bits you have controls that are a balance between security and usability.

I think a lot of problems in Corporate security are the failure to do this. The security department try to get the whole company to work to the "super critical" level - which isn't realistic.

paj28
  • 32,906
  • 8
  • 93
  • 130
1

Show the WHY

There are already very good answers to this but allow me to contribute this little detail:

To get your users on your side show them WHY all these policy requirements are vital!

Here is a very basic example: Give them examples of how quick bad passwords can be exploited.

G.Sch.
  • 11
  • 2