Prepping the front-line troops

Agencies enlist end users in the fight against computer saboteurs

Consider it a sign of the times that one of the most visible slogans at the Social Security Administration has nothing to do with retirement checks or supplemental income. Throughout the agency nowadays, people routinely come to work wearing a large button that reads: "Social Security Administration: Security is Our Middle Name."

This new agencywide push is meant to reinforce the notion that without all employees taking the proper security measures, the organization remains vulnerable to premeditated attacks on its information systems.

With a large majority of agency employees now using computers in their jobs and increased connectivity to the outside world via the Internet, the federal government has been aggressively escalating its efforts to educate end users on security best practices.

"Security doesn't just belong in one office in the organization, it belongs everywhere," said Tom Staples, associate commissioner for financial policy and operations at SSA. The agency attacks the problem on a number of fronts, offering not just computer-based training and classroom instruction, but a poster-of-the-month program, regular e-mail messages, screen banners, mouse pads and bookmarks, all lauding the best practices in everyday security.

"To have an effective security program, awareness of it and sensitivity to it has to permeate throughout your organization," he said. "And that means constant, never-ending and different approaches that catch people's attention."

Although security awareness training has been an annual requirement for federal agencies since the passage of the 1987 Computer Security Act, agency officials are boosting their programs in light of new threats and vulnerabilities that have surfaced in recent years.

"It is far more critical today to have computer security awareness among all employees and related training for employees," said Shirley Malia, a policy analyst for the Critical Infrastructure Assurance Office. "And the reason is that systems are so open today. They're connected to the Internet, they're connected to partners and they're connected to outside constituents."

To add to the problems, employees frequently don't realize they have a critical role to play. "The attitude still largely within the rank and file is, 'Well, somebody is taking care of security for me,'" said Randy Richmond, program manager for Verizon Federal Network Systems.

And as agencies have tightened overall information technology security, hackers have looked for new ways to breach the IT fortress and found that employees often unwittingly provide an easy point of entry.

Among hackers' strategies is something called "social engineering," which does not involve sophisticated programming skills but rather preys on human weaknesses. A hacker simply picks up the phone and, posing as, say, a member of the security office, cites a problem and asks for the employee's password or computer setup. Federal employees, trained to be increasingly helpful with customers and colleagues, tend to take the caller at his word and comply more often than agencies like to admit.

"Employee practices concerning security can be very lax if there isn't an overall understanding and reinforcement of the issues," Malia said, adding that scenario-based training can help employees learn how to respond in such situations. But, she said, education must go hand-in-hand with good policies.

"Agencies need a policy that says very strongly: 'Don't ever give out your password, even if you know for a fact who the person is on the other line,'" she said.

Security experts note that the combination of increased vulnerability and employee naiveté or lethargy can be disastrous for an agency. "All it takes is one mistake," said Terry Antonacci, director of the government services group at Netsec, a Herndon, Va.-based information security company that specializes in training computer users. "All it takes is one employee to decide not to use proper procedures, and that's where we hear the stories of hackers getting in and shutting a system down or manipulating data or stealing data."

Varied Tactics

To combat the new threats, agencies are using a number of approaches to build security awareness. For example, the Treasury Department is developing a Web-based awareness course that addresses handling passwords, viruses and other critical topics. The agency will make the course available on both the Internet and TreasNet, the agency's intranet.

The Internal Revenue Service and the Customs Service also have developed online training modules to help reach a highly distributed workforce. The Air Force relies heavily on classroom instruction and, like many agencies, has turned to a third-party provider, in this case Secure.Info Corp., San Antonio, to bring the latest and greatest knowledge about threats and practices to end-of-line employees.

Most agencies use a mix of computer-based training, classes and seminars, and one-on-one sessions between employees and a security officer or manager. Still others are incorporating a few of their own creative ideas.

George Bieber, a security specialist at the Defense Information Systems Agency, has developed a simulated scenario program called CyberProtect that allows both security specialists and regular employees within DISA and other Defense Department agencies to try their hand at combating security threats — before being forced to confront them in the real world, with its real consequences.

The Commerce Department holds a security awareness fair once a year in its headquarters lobby. At SSA, a banner citing different practices and tips runs across the computer screens of employee desktops throughout the day. And the National Security Agency regularly tests its employees on security practices. Those who fail lose their computer access privileges until they can pass the test.

All of the efforts are solid and effective, say observers. But they also state that the "hows" of a good security awareness program don't matter quite as much as the policy behind it. For starters, the effort requires top-down buy-in; otherwise, employees won't think it important enough to give it their full attention. In addition, managers need to lay out a solid description of the goal "in order for employees to understand the articulation and description of what they should be learning," Malia said.

Carmen Logan, a telecommunications specialist in security at DISA, said that although individual offices can create and oversee awareness training and programs, the effort itself must be centralized. "It is important to have at least one single voice that works with other organizations," she said.

As part of DISA's Information Assurance Division, Logan's group manages the internal information assurance program for the agency, but also specifies requirements for information assurance training for all DISA employees, certifies employees in security training and writes policy.

Mike Lombard, IT security manager for Commerce, said an effective program needs to be tied to the agency's mission and business requirements, and the training needs to build knowledge.

"We find that most employees are much more willing and cooperative once you explain the situation to them," Lombard said. "So in an awareness training program, it's not enough to simply say that your password has to be of these particular constructs. They need to understand why."

He added that awareness measures also require enough variety to account for the different roles that each employee plays in the agency. A data-entry clerk may simply need the underlying reasons for a password explained, while a Web developer might be better served if he or she can view an actual demonstration of a hacker attack on a password and see how easy it is to break a weak password.

"A lot of the vulnerabilities stem from the fact that you've got people in the program areas who have assumed IT responsibilities, and while they're very good in the program area, they're not always as knowledgeable in the IT area," Lombard said. "And if we're going to use people in that fashion, we have no choice — they have to have the appropriate level of training to do the job in an appropriate fashion."

Finally, a security awareness policy needs to address the fact that after initial training, employees often forget or fail to incorporate the new practices. This is one reason that many agencies are incorporating constant, ubiquitous marketing efforts such as newsletters and e-mail bulletins that keep awareness measures constantly at the forefront of employees' minds.

Hayes is a freelance writer based in Stuarts Draft, Va. She can be reached at .
