- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Thu, 25 Jan 2007 19:39:52 -0500
- To: public-wsc-wg@w3.org
- Message-ID: <OFE1967EC4.C2D201C4-ON8525726F.0000B9DF-8525726F.0003A6E8@LocalDomain>
More on education.
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
http://www.gcn.com/print/26_2/42983-1.html?topic=security&CMP=OTC-RSS
New York battles botnets by testing employees
01/22/07
By Patience Wait,
SPECIAL REPORT: The Next Steps for Security | The Empire State has been
pioneering an "inoculation" program as a cornerstone of its anti-botnet
strategy.
Dealing with computers that have become ensnared in botnets, networks of
"zombie" computers that are being directed to launch waves of spam or
distributed denial-of-service attacks, is next to impossible. The best way
to block those headaches is prevention, and the state of New York has been
pioneering an "inoculation" program as a cornerstone of its prevention
strategy.
"There are many ways to get infected: peer-to-peer sharing, visiting
malicious Web sites, opening e-mail that is malicious," said William
Pelgrin, chief information security officer for the state. "We decided to
look at how to change our [user] culture."
Pelgrin worked with AT&T Corp. and the SANS Institute of Bethesda, Md., to
devise an inoculation program, a software training exercise that would
imitate malware.
In a pilot, Pelgrin's office sent out notices about ongoing phishing
activities to some 10,000 employees in five state agencies, reminding the
users of the risks in opening e-mail from unidentified senders or clicking
on links embedded in unsolicited e-mail.
"A month later we built an application that said, 'New York State is
concerned about cybersecurity, and the policy requires you to have a
secure password.' We purchased a password checker and each employee was
required to put in a password," Pelgrin said. "Then we sent out an e-mail
and it came from a legitimate source, but from outside our network."
Pelgrin's office never told the users it was a test, but there were hints
in the outside e-mail message that it was not legitimate. "We gave clear
signs this was a scam. We didn't want to make it foolproof, but left some
clues," he said.
If users activated the link in the message, they would be asked for their
user ID and password. If they started to type it in, a dialog box popped
up and told them it was a security test and they'd failed it. Then there
was a short video and a 10-question exam.
Out of the 10,000 users in the pilot, 83 percent did the right thing:
three percent took the appropriate action by typing in the URL to go to
the site rather than click on the embedded link, while 80 percent either
deleted the e-mail or reported it to the CISO's office.
Pelgrin was not satisfied with the 83 percent success rate, and two months
later ran a similar exercise, targeting the same 10,000 users.
"Eight percent failed this time," he said. "We did a survey to find out
why the employees improved; we wanted to incorporate it into our ongoing
training for staff." He added that human error and human intervention
still are major sources of botnet infections.
Pelgrin said his office is planning another exercise over the next year to
see how they are making progress in educating employees.
Patience Wait
Received on Friday, 26 January 2007 00:40:25 UTC