When IT Forgets Its Own Rules

This past month, I witnessed a strange occurrence that I thought I would share with you. No, I didn't see a UFO or go through an entire workday without an issue arising -- nothing that strange.

It happened when I was onsite at a contractor facility -- and as strange as that can be, that wasn't the strange occurrence either.

Here's what did happen... An email with an attachment was sent to some of the senior engineers. The email was from the "support team" stating that they had to change their passwords and that the new password was in the zipped file attached.

Now, I found this very strange as, first off, the support team never sends out generalized password emails, and personnel always get a notice when it's time to change their passwords. On top of that, the notice doesn't come from the support team. And lastly, why on earth would a new password be in a zipped file? Certainly the new password could not be that long. Even if the message included a password and the directions to change the password, the file would not be so large that it needed to be zipped.

Sadly, however, nine out of 10 of the engineers who received this email opened the zipped file.

I am sure you are already ahead of me on this, and you are right -- the zipped file did not contain a new password, but rather a virus. Surprise, surprise!

I was seriously amazed at the number of people who would open something that had so many obvious red flags. These are the same engineers who install firewalls and Intrusion Detection Systems (IDS), update and maintain the anti-virus software, and architect security features into systems and networks. They, of all people, should know what new worms, viruses and Trojans have been released.

And still, they opened a suspicious email attachment.

As a security community, we tend to concentrate on the latest and greatest -- new security software, hardware, firmware. We tend to assume that everyone knows and remembers the basic security foundation rules.

So, maybe it's time to go back to the basics.

  • Attachments -- Any attachment that comes with an email should be thoroughly identified prior to opening. If there is any doubt as to why it was received, who the sender is or what the attachment is, check with the security office prior to opening it. Be especially wary of archives (zip files): they hide the real file type of what is inside, and the only reason a short piece of text such as a password would be zipped is to get a program past the mail filters. Once the attachment is opened, any malware it carries runs with your privileges.
  • Suspicious Emails -- Although it seems to be a matter of common sense, suspicious emails should be reported to the security office. What makes something suspicious? Look out for emails that come from an unknown sender; general junk mail; a return address that looks very similar to one you're familiar with but is slightly different (a swapped or substituted character in the domain); or an email sent by a known entity that nonetheless triggers a red flag, such as a request the sender would never make through email. Also watch out for emails that request information that should already be on file, or that ask for information that is not normally passed via email or attachments.
  • Passwords -- Passwords should never be shared. If one is shared for emergency reasons, it needs to be changed as soon as possible. Passwords should not be something common to the user, like a spouse's name, birthday or children's or pets' names. Additionally, passwords should mix letters, numbers and special characters, and be long, to make them harder to crack. Many organizations require a change every 90 days; current guidance (NIST SP 800-63B) favors long passwords that are changed whenever compromise is suspected rather than on a fixed schedule, so follow your own policy. IT staff will never need or ask for your password. Systems should store passwords only as salted hashes, never in plaintext or reversible encryption, so nobody in IT can read them back.
  • Security Software -- Security software needs to be kept updated and current. This is done through updates of the anti-virus signatures and installation of security patches or upgraded software versions. Most users rely on their security office to push any changes to the system. However, it is in the best interest of the individual user to ensure that his/her system is current. A good example is the latest worm -- if the security patch put out by Microsoft had been installed, the worm would have been stopped.
  • Security Policy -- Contrary to popular belief, security policies are not written to make the user's life miserable. Security policies are put into place to protect the user. It is each individual user's responsibility to read and understand the policy. Once read, the policy should be implemented, followed and, most of all, enforced. These basic security policies can include rules of behavior, contingency planning, security feature user guides, and security operating procedures.
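
The attachment and suspicious-email checks above can be automated as a first-pass triage before anyone double-clicks. The following is an added example, not code from the article: it parses a raw email, flags sender domains that are a character or two away from a domain the organization actually uses, opens any zip attachment in memory to look for executables (without extracting or running anything), and flags the "password notice with an attachment" combination described in the story. The known domain `example.com`, the lookalike threshold of two edits, and the sample message (built inline with a dummy `.exe` inside the zip) are all constructed for the example.

```python
"""Triage a suspicious email (constructed sample) before anyone opens it."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed for the example: the only domain internal notices legitimately come from.
KNOWN_DOMAINS = {"example.com"}

# Extensions that should never arrive inside an unsolicited archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                       ".js", ".vbs", ".ps1", ".hta", ".lnk")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 against a known domain means lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(msg: EmailMessage) -> list[str]:
    """Flag From: domains that are unknown or a near miss of a known one."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_DOMAINS:
        return []
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) <= 2:  # assumed threshold
            return [f"sender domain {domain!r} is a lookalike of {known!r}"]
    return [f"sender domain {domain!r} is not a known domain"]


def check_attachments(msg: EmailMessage) -> list[str]:
    """Inspect attachments by content, not just by name; never extract or run."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():  # reads the directory only
                    if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(
                            f"archive {name!r} contains executable {info.filename!r}")
                    elif info.compress_size and info.file_size // info.compress_size > 100:
                        findings.append(
                            f"archive {name!r} member {info.filename!r} inflates >100x")
        elif name.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"attachment {name!r} is directly executable")
    return findings


def check_pretext(msg: EmailMessage) -> list[str]:
    """A password notice needs no attachment; the combination is the tell."""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    has_attachment = any(True for _ in msg.iter_attachments())
    if "password" in text and has_attachment:
        return ["message talks about passwords and carries an attachment"]
    return []


def triage(raw: bytes) -> list[str]:
    """Run all checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_attachments(msg) + check_pretext(msg)


def build_sample_message() -> bytes:
    """Constructed sample resembling the email described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("new_password.pdf.exe", b"MZ" + b"\x00" * 64)  # dummy, not a real PE
    msg = EmailMessage()
    msg["From"] = "IT Support <support@examp1e.com>"  # digit 1 in place of the letter l
    msg["To"] = "engineers@example.com"
    msg["Subject"] = "Action required: your new password"
    msg.set_content("Your password has been reset. The new password is in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="new_password.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print("FLAG:", finding)
```

Running it on the constructed message produces three findings: the lookalike domain, the executable inside the archive, and the password-plus-attachment pretext. Any one of them is enough reason to forward the message to the security office rather than open it; the zip is inspected through its central directory only, so nothing inside is extracted or executed.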

One of the best ways to get back to basics is through security training. This training should be given annually and to every new employee upon hire. It should educate users on the policies, where to find the policy, and how to implement it. Training should also include reminders on how to identify and report suspicious emails.

By making employees aware of the consequences of bad security practices, and of the pain that can be saved by using good security practices, the organization will have a much more secure baseline.

With today's ever-changing technology, fast pace, and security vulnerabilities, maybe it is time to go back to basics. This should never be overlooked as an aspect of protecting not only the system, but the employees as well.
