withoutfire » Passwords http://withoutfire.com helping you look after your data Fri, 26 Feb 2010 12:59:48 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Users divulge their passwords to strangers http://withoutfire.com/2009/05/users-divulge-passwords/ http://withoutfire.com/2009/05/users-divulge-passwords/#comments Mon, 11 May 2009 22:19:34 +0000 John http://withoutfire.com/?p=18 This won’t be a surprise to anyone who works in IT security, but last week the BBC reported how easy it was for an experienced security consultant doing some pretty basic ’social engineering’ to:

  • Walk into buildings unchallenged and steal data from a company
  • Get users to divulge their password over the telephone to someone who claimed ‘to be from IT’

The video is about 90 seconds long — and really worth watching.

What lessons we can learn from this?

All security programmes tell users not to divulge their password to anyone — not even people in IT. However this doesn’t work: when it comes to their computer systems, users see IT as ‘authority figures’ and so will divulge their password — especially if they are coerced.

What you need to do is:

1. Train the IT team not to ask users for passwords

Put a process like this in place so if an IT person needs to login as a user they should:

  1. Raise a ticket / case in the organsiation’s help desk — which should ideally to be authorised by someone else
  2. Confirm with the user that they are about to login using the user’s account
  3. Login as a system administrator and change the user’s password to something that only they know
  4. Now the IT person can login as the user (the time of the login and the activcity carried out whilst logged in should be logged with the original ticket)
  5. Once completed, they should login as a system administrator and set the user’s password to a one time password which is communicated to the user
  6. The user can now login and must be forced to reset their password to one of their own choosing

This is a long process, so it’s no wonder that IT people take a short-cut and just ask a user for their password, so you also have to:

2. Train all staff that if anyone “from IT” asks for their password, it’s a security incident

As part of your awareness training, emphasise that the only people who would ask for their password are:

  • Data pirates (criminals)
  • Rogue IT people

So if someone rings up and asks them for their password, they should refuse to give it and report it to the Information Security Manager (or their equivalent).

Of course it’s rare nowadays that IT should need to login as a user, there are better ways to diagnose a problem such as remotely sharing a user’s screen (once the appropriate authorisation has been given).

Here’s a little cartoon I’ve used in training and included in internal newsletters.

Data Pirates stealing a password

(if you want a print-quality version, or one customised to your company then just send me an email)

]]> http://withoutfire.com/2009/05/users-divulge-passwords/feed/ 0