
Users divulge their passwords to strangers

This won’t be a surprise to anyone who works in IT security, but last week the BBC reported how easy it was for an experienced security consultant doing some pretty basic ’social engineering’ to:

  • Walk into buildings unchallenged and steal data from a company
  • Get users to divulge their password over the telephone to someone who claimed ‘to be from IT’

The video is about 90 seconds long — and really worth watching.

What lessons can we learn from this?

All security programmes tell users not to divulge their password to anyone, not even people in IT. However, on its own this doesn’t work: when it comes to their computer systems, users see IT as ‘authority figures’ and so will divulge their password, especially if they are pressured into it.

What you need to do is:

1. Train the IT team not to ask users for passwords

Put a process like this in place, so that if an IT person needs to log in as a user they must:

  1. Raise a ticket / case in the organisation’s help desk, which should ideally be authorised by someone other than the person requesting the access
  2. Confirm with the user that they are about to log in using the user’s account
  3. Log in as a system administrator and change the user’s password to a temporary value that only the IT person knows
  4. Log in as the user; the time of the login and the activity carried out while logged in should be recorded against the original ticket
  5. Once the work is complete, log in as a system administrator again and set the user’s password to a one-time password, which is communicated to the user
  6. The user can now log in, and must be forced to reset their password to one of their own choosing
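As an added example (not code from the original post), here is how steps 3 to 6 could be scripted on a Windows Active Directory domain using the ActiveDirectory PowerShell module. The ticket reference, requester and authoriser are passed in as parameters because no real help-desk system is assumed, and the audit-log path is a hypothetical one.

```powershell
<#
  Added example, not code from the original post. Assumes a Windows Active
  Directory domain, the ActiveDirectory module (RSAT) and an account that
  holds password-reset rights on the target user. The ticket fields are
  passed in by hand because no real help-desk system is wired up; $AuditLog
  is a hypothetical path.
#>
param(
    [Parameter(Mandatory)][string]$User,        # sAMAccountName of the user whose account IT will use
    [Parameter(Mandatory)][string]$Ticket,      # help-desk ticket reference
    [Parameter(Mandatory)][string]$Requester,   # IT person who needs the login
    [Parameter(Mandatory)][string]$Authoriser,  # person who approved the ticket
    [string]$AuditLog = 'C:\SecOps\login-as-user.log'
)

Import-Module ActiveDirectory

function New-OneTimePassword {
    param([int]$Length = 16)
    # Look-alike characters (0/O, 1/l/I) are left out so the value can be read out over the phone.
    # Mixed case plus digits satisfies the default AD complexity rule (3 of 4 character classes).
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # bytes at or above this are rejected to avoid modulo bias
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Write-Audit([string]$Message) {
    # Every step is tied to the ticket; the passwords themselves are never written to the log.
    $line = '{0} ticket={1} user={2} operator={3} {4}' -f (Get-Date -Format o), $Ticket, $User, $env:USERNAME, $Message
    Add-Content -Path $AuditLog -Value $line
}

# Step 1: the ticket must be authorised by someone other than the person who wants the access.
if ($Requester -ieq $Authoriser) {
    throw "Ticket $Ticket was authorised by its own requester; get it approved by someone else first."
}
$null = Get-ADUser -Identity $User   # fails early if the account does not exist

# Step 2 is a conversation with the user, not a command; record that it happened.
Read-Host "Confirm with $User that IT is about to log in with their account, then press Enter" | Out-Null
Write-Audit "user notified that IT will log in as them (requester=$Requester authoriser=$Authoriser)"

# Step 3: set a temporary password known only to the IT person doing the work.
$temp = New-OneTimePassword
Set-ADAccountPassword -Identity $User -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
Write-Audit 'temporary password set; IT login window opens'
Write-Host "Temporary password for $User (do not record this in the ticket): $temp"

# Step 4: the IT person does the work, recording what they did against the ticket.
$activity = Read-Host "Describe the activity carried out while logged in as $User"
Write-Audit "IT login window closes; activity: $activity"

# Steps 5 and 6: hand the account back with a one-time password that must be changed at next logon.
$otp = New-OneTimePassword
Set-ADAccountPassword -Identity $User -Reset -NewPassword (ConvertTo-SecureString $otp -AsPlainText -Force)
# Note: this flag has no effect on accounts with 'password never expires' set.
Set-ADUser -Identity $User -ChangePasswordAtLogon $true
Write-Audit 'one-time password issued; user must change it at next logon'
Write-Host "Give $User this one-time password through an agreed channel, not by replying to an unsolicited call: $otp"
```

Run it as the administrator handling the ticket. Notice that at no point is the user asked for their existing password: the administrator resets it, does the work, and hands back a fresh one-time password that the user is forced to change, which is exactly the procedure the steps above describe.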

This is a long process, so it’s no wonder that IT people take a short-cut and just ask a user for their password, so you also have to:

2. Train all staff that if anyone “from IT” asks for their password, it’s a security incident

As part of your awareness training, emphasise that the only people who would ask for their password are:

  • Data pirates (criminals)
  • Rogue IT people

So if someone rings up and asks them for their password, they should refuse to give it and report it to the Information Security Manager (or their equivalent).

Of course, it’s rare nowadays that IT should need to log in as a user at all: there are better ways to diagnose a problem, such as remotely sharing the user’s screen (once the appropriate authorisation has been given).

Here’s a little cartoon I’ve used in training and included in internal newsletters.

[Cartoon: Data Pirates stealing a password]

(if you want a print-quality version, or one customised to your company then just send me an email)
