Use Deterrents, Not Detergents

The use of deterrents to help enforce and highlight IT security controls never seems to get much attention, even though they can be an easy, cheap and effective way for security staff to reduce security risks.

Here are a few of my favourite deterrents:

On Monday morning, check your Windows Security Event log for login error messages and call whoever has the most login/password errors. Ask them if they’re just returning from vacation and having finger problems, or if there is some security issue you can help them with. Don’t threaten or reprimand them - you’re not doing this to be a jerk; you are doing this to let the person know that the security of the company’s systems is being taken seriously and is being monitored. After you hang up the phone, the person you just quizzed is going to turn to the person at the nearest desk and say: “Huh. Guess who I just spoke to!” Soon everyone in the department will be whispering that the (benevolent) all-knowing, all-seeing eye of IT Security is watching them. This is an active deterrent to any future potential disgruntled employee. If an employee thinks there’s even a small chance they will be caught, then it is much less likely they will act against your organization.
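Here is how the Monday-morning call list can be pulled straight out of the log. This is an added example, not code from the original post: it ranks failed logons (Security event ID 4625) by account since a given start time, and also lists the workstations, source addresses and failure sub-status codes behind each count, so you can tell a fat-fingered password from a locked-out service account before you pick up the phone. It assumes it is run elevated on a domain controller or on the machine whose Security log holds the events; the three-day default window is my choice to cover Friday evening through Monday morning.

```powershell
# Added example: rank failed logons (Security event 4625) by target account.
# Assumes an elevated session on a host whose Security log contains the events.
function Get-FailedLogonLeaderboard {
    param(
        [datetime]$Since = (Get-Date).AddDays(-3),   # Friday evening through Monday morning
        [int]$Top = 10
    )

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML rather than relying on positional Properties[] indexes
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Workstation = $data.WorkstationName
                SourceIp    = $data.IpAddress
                # SubStatus explains the failure: 0xC000006A bad password, 0xC0000234 locked out,
                # 0xC0000064 unknown user, 0xC0000072 disabled account
                SubStatus   = $data.SubStatus
            }
        } |
        Group-Object User |
        Sort-Object Count -Descending |
        Select-Object -First $Top `
            @{ n = 'User';         e = { $_.Name } },
            Count,
            @{ n = 'Workstations'; e = { ($_.Group.Workstation | Sort-Object -Unique) -join ', ' } },
            @{ n = 'SourceIps';    e = { ($_.Group.SourceIp    | Sort-Object -Unique) -join ', ' } },
            @{ n = 'SubStatus';    e = { ($_.Group.SubStatus   | Sort-Object -Unique) -join ', ' } },
            @{ n = 'LastSeen';     e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
}

# Usage: the top of this table is your call list
Get-FailedLogonLeaderboard | Format-Table -AutoSize
```

Expect service accounts with a stale password to sit at the top of the list on some Mondays; that is still a finding worth a call, just to a different person. A single account failing from several source addresses in one window deserves a closer look before any call is made.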

Do staff leave confidential work papers on their desk after hours? Are file cabinets left unlocked at night? Are keys, password notes, USB memory sticks and access fobs left on desks for you to record and collect? Time for Robin Hood to rob from the careless and give to the department manager. Perhaps it’s also time for some extra security awareness education for the staff.

Are there any rogue (unauthorized) WiFi access points to be found by doing a sweep in the evening after everyone has left the office? Disconnect and remove them. How long does it take for the owner to report it missing?

Set up and send a custom spearphishing email to a select number of employees and see if anyone bites the bait. If they do, then they need some remedial email security training.

Set up a honeypot server inside your network and call it HumanResBackup01, and make it hard to get in. If anyone does try to get in, capture their network ID and address. They need some remedial security training (or perhaps some disciplinary action for snooping where they should not be going). This passive deterrent is also going to hopefully trip an alarm for you if hackers have infiltrated your network and are on the prowl for valuable data assets to copy, since no one should be touching this server in the first place.
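The “capture their network ID and address” step can be done with nothing more than the decoy’s own Security log. The following is an added example, not code from the original post: run on the honeypot host itself, it reports every successful logon (4624), failed logon (4625) and file-share access (5140) that did not come from the short list of accounts allowed to maintain the box, with the account name and source address for each. The allowed-account name is a hypothetical placeholder. Logon auditing is on by default; event 5140 only appears if the “Audit File Share” policy is enabled on the host.

```powershell
# Added example: list every logon or share access on the decoy host that is not
# from an approved maintenance account. Assumes an elevated session on the decoy.
function Get-HoneypotTouches {
    param(
        [string[]]$AllowedAccounts = @('CORP\svc-hr-backup'),   # hypothetical maintenance account
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4624, 4625, 5140; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4624/4625 name the account as TargetUserName; 5140 names it as SubjectUserName
            if ($data.ContainsKey('TargetUserName')) {
                $user = "$($data.TargetDomainName)\$($data.TargetUserName)"
            } else {
                $user = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }

            $outcome = switch ($_.Id) {
                4624 { 'logon succeeded' }
                4625 { 'logon failed' }
                5140 { 'share accessed' }
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Outcome   = $outcome
                User      = $user
                SourceIp  = $data.IpAddress      # '-' for console logons
                LogonType = $data.LogonType      # 3 = network, 10 = remote interactive (4624/4625 only)
                Share     = $data.ShareName      # 5140 only
            }
        } |
        Where-Object {
            # Drop machine-account noise, console activity and the approved accounts;
            # on a box nobody should be using, anything left is a finding
            $_.User -notlike '*$' -and
            $_.User -notin $AllowedAccounts -and
            $_.SourceIp -notin @('-', '127.0.0.1', '::1')
        }
}

# Usage: run from a scheduled task and mail or forward anything it returns
Get-HoneypotTouches | Format-Table -AutoSize
```

Because the decoy has no legitimate users, the alert condition is simply “any row at all”; there is no baseline to tune. Forward the decoy’s Security log to your central log collector as well, so that an intruder who clears the local log on the box does not also erase the evidence.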

“Borrow” any non-company laptops and USB memory sticks you see lying around in the sensitive departments of your company. As Hacker/Administrator, see if there’s any confidential data that’s not encrypted and shouldn’t be present on a non-company laptop. Do you encrypt all your laptop hard drives? Is this device set up to company specs, and should it ever be hooked up to the company LAN at all? Is there sensitive data left unencrypted on USB memory sticks? How long does it take for the owner to report it missing?

Dumpster diving behind the data centre is a time-tested way of either finding confidential information that hasn’t been properly disposed of, or perhaps getting apprehended by your local police force if the centre’s security guard sees you on CCTV!

Walk through a company department where you’re not well known during office hours, looking like you belong there, and pick up something of value that you see lying around unattended. Does anyone challenge you and ask for identification or call Security to report an intruder? If not, it sounds like they need some extra security awareness education.

Needless to say, you must get permission from management before testing security controls. However, seeing a security problem ‘acted out’ is powerful, and the message it sends can raise security awareness in a productive manner. No harm is done. You’re also getting some valuable feedback on how well (or poorly) your staff security awareness program is going. The use of deterrents is a proactive means of enforcing security controls, rather than resorting to the heavy-handed use of ‘detergents’ to clean up the mess after a security incident occurs.

Use deterrents, not detergents!

Please tell me about any good deterrents that you use in your organization.