How To

Security Awareness Programs: Now Hear This!

Awareness programs are the cheapest way to prevent costly problems, but the security message can be easy to ignore. CSOs and CISOs share their strategies for spreading the good word.

By Lew McCreary

Page 3

Teaching Tangible Lessons

Will Pelgrin, Director, Office of Cyber Security and Critical Infrastructure Coordination, State of New York

Awareness promotion strategy: Hands-on tests

Will Pelgrin says he was the kind of child who had to burn his finger on the hot stove before he understood his mother's warnings not to touch. "I'm sort of tactile in my approach to learning," says Pelgrin. "Until I touched it, I didn't really learn the lesson."

So, to recap: When it comes to learning lessons, listening is good, but experiencing is better.

Believing more people are like him than not, Pelgrin values the importance of a good tangible lesson. This led him to concoct an innovative awareness exercise in the spring and summer of 2005, when phishing was the scourge of the moment. "One thing I was concerned with was, you know, we send out advisories all the time, we send out alerts, we send out white papers. Were they resonating with the individuals I sent them to?"

Phishing's mechanisms were not as broadly understood then as they eventually became, and awareness defenses against it—the immune response to social engineering—weren't fully developed. Pelgrin's team had been working to spread the word in the usual ways. To test the effectiveness of his antiphishing campaign, he got permission to simulate a phishing attack and aim it at 10,000 New York state employees across five state agencies. "I wanted to see if we could make a bigger impact by demonstrating [the dangers of phishing] versus just [issuing] advisories saying here's what will happen if you fall prey to it."

In practical terms this meant crafting a phishing-style e-mail intended to trick recipients into surrendering their user IDs and passwords. The e-mail, purporting to come from Pelgrin's own agency, said that the state had just purchased a "password-checker" software program that could evaluate whether users' passwords were good or bad, and that it needed their access information in order to do its work.

"I figured this would be really blatant, but also somewhat enticing as well. It was a fake URL; it came from, allegedly, our [information security office] here, but the actual e-mail address was not the correct one. So if people were doing due diligence, we gave them absolute hints throughout. We didn't want to have it so foolproof that there was no opportunity for someone to sit back and say, 'Wait a second, something else is going on here.'"

The e-mail linked to a bogus webpage purporting to be an official state document. Pelgrin's team coordinated with the Anti-Phishing Working Group to make sure their design embodied the earmarks of a state-of-the-art phishing attack. The document included a form asking users for their IDs and passwords. As soon as a recipient placed his cursor inside either of the dialog boxes on the form, it was assumed he had fallen for the scam and the exercise automatically ended. "We didn't want anyone thinking we were [actually] going to capture secure or sensitive data."
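The landing-page behaviour Pelgrin describes, ending the exercise on first focus without ever reading a field value, as an added illustration that is not code from the article or from the New York exercise. The form id (`password-checker`), the field names (`userid`, `password`), the campaign id and the training URL are assumed placeholders.

```javascript
// Added example: awareness-exercise landing page that fails the recipient
// the moment a credential field receives focus. No field value is ever read,
// so the page cannot capture IDs or passwords even by accident.

const TRAINING_PAGE = 'https://example.invalid/awareness/lesson'; // placeholder

// Per-page exercise state. Only a coarse outcome is kept, never form contents.
function createExercise(onEnd) {
  return { ended: false, outcome: null, onEnd };
}

// Focus handler for either credential field: the first focus ends the
// exercise and hands control to onEnd (disable the form, show the lesson);
// later focus events are ignored. Returns true only when it ended the exercise.
function handleFieldFocus(exercise, fieldName) {
  if (exercise.ended) return false;
  exercise.ended = true;
  exercise.outcome = { result: 'fell_for_it', field: fieldName, at: Date.now() };
  exercise.onEnd(exercise.outcome);
  return true;
}

// Report for the awareness team: outcome and which field was touched first,
// tied to a campaign id (placeholder) rather than to any credential data.
function buildReport(exercise, campaignId) {
  return {
    campaign: campaignId,
    result: exercise.ended ? 'fell_for_it' : 'not_entered',
    firstField: exercise.ended ? exercise.outcome.field : null,
  };
}

// Browser wiring; skipped when the script runs outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('password-checker');
  const exercise = createExercise(() => {
    for (const input of form.querySelectorAll('input')) input.disabled = true;
    form.hidden = true;
    window.location.assign(TRAINING_PAGE);
  });
  for (const name of ['userid', 'password']) {
    form.elements[name].addEventListener('focus', () => handleFieldFocus(exercise, name));
  }
  // Belt and braces: even a forced submit sends nothing.
  form.addEventListener('submit', (e) => e.preventDefault());
}
```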
