Tag Archives: Awareness

IT security projects fail because people are not affected personally

 4 April 2015

In the past weeks I had a lot of discussions with system operators about services running as real users, very often as domain users, if not as domain administrators. In some cases these accounts are used to run services on workstations as well.

From a security point of view this is a nightmare. Once an attacker has obtained the credentials of one of these service accounts, he can move across the network and collect further credentials. The game is over when he gets access to a workstation where a user signs in with domain administrator credentials.

Running each service under a locally defined account with an individual password would be a good way to tackle this problem, but from an operations point of view that is the nightmare, because the administrative effort goes straight through the roof.
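As an added example (not from the original post), a PowerShell inventory of which services on one or more hosts run under a real domain or local user account rather than under a built-in identity. It assumes a Windows host with PowerShell 5.1 or later and, for remote hosts, WinRM access; the -ComputerName parameter and the account classification used here are my own, not something the post describes.

```powershell
# Added example, not from the original post: list services whose logon account
# is a real user account (domain or local) rather than a built-in identity.
# Assumptions: PowerShell 5.1+, CIM cmdlets available, WinRM for remote hosts.
param(
    [string[]]$ComputerName = $env:COMPUTERNAME
)

# Built-in identities that carry no reusable domain credential of their own.
$BuiltIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

$ComputerName | ForEach-Object {
    $Computer = $_
    $localPattern = '^(\.|' + [regex]::Escape($Computer) + ')\\'

    Get-CimInstance -ClassName Win32_Service -ComputerName $Computer |
        Where-Object { $_.StartName -and ($BuiltIn -notcontains $_.StartName) } |
        ForEach-Object {
            $account = $_.StartName
            # Classification (my own categories): virtual accounts and managed
            # service accounts (name ends in '$') have no shared password that a
            # person could reuse; 'local' is scoped to this host; 'domain' is the
            # kind of account the post warns about, because the same credential
            # is valid on every host where the service is installed.
            $kind = switch -Regex ($account) {
                '^NT SERVICE\\' { 'virtual';  break }
                '\$$'           { 'gMSA/MSA'; break }
                $localPattern   { 'local';    break }
                '\\|@'          { 'domain';   break }
                default         { 'unknown' }
            }
            [pscustomobject]@{
                Computer = $Computer
                Service  = $_.Name
                Account  = $account
                Kind     = $kind
                State    = $_.State
            }
        }
} | Sort-Object Kind, Computer, Service | Format-Table -AutoSize
```

Run it against a sample of workstations and group the result by Account: a domain account that appears on many hosts is exactly the globally defined service account the post is about, and the list doubles as the inventory you need before moving those services to per-host accounts.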

This clash of interests is a really big challenge for the change manager. ADKAR is an often-used model to guide activities during a change process. But how can a change manager create awareness in this case? Just telling the system operators to do things differently will not help. You must touch people’s minds with good stories and pictures.

‘Seeing is believing’ is my recipe: find a workstation where a globally defined service account is used to run a service and extract all passwords from the LSASS process with MIMIKATZ. MIMIKATZ extracts the password hashes and the WDIGEST and Kerberos passwords in plain text.

[Figure: MIMIKATZ output]

The MIMIKATZ output contains the passwords for the service accounts and, if applicable, for the domain administrator. Store this output encrypted in a file, highlight the service accounts and use the file as an eye-opener in the next awareness session.

In my experience this creates the emotional involvement that is required for the next steps in the change process.

There is nothing left to say but …

Wishing you an Easter
that touches your heart
and lives in your thoughts
as a sweet reminder of
just how special you are.

Why IT security programs fail

 31 July 2014

When it comes to IT security, business people have every confidence that IT departments do the right and important things. To be honest, sometimes I have the feeling that they do not want to be involved in this security stuff at all.

‘Just let the nerds add some sophisticated new technology – and all will end well.’ But please, without any impact on our daily work and at low additional cost.

This ‘not involved here’ syndrome is the main reason why information security programs fail. Combined with blind trust in technology, things can end even worse.

Some weeks ago I read a remarkable statement in the post ‘Security Think Tank: Consider security training before high-end technology’ by Mike Gillespie:

Encryption is not the solution to security, it is part of the solution and always has been. So an employee who does not realise that their device is encrypted basically when it is switched off, may still have very poor security habits, such as leaving a laptop logged on with the lid down, thinking the data is secure because it is magically encrypted.

If Mike Gillespie had one more dollar to spend on IT, I bet he would invest it in security awareness training.

[Figure: We need change!]

To ensure sustainability, it is very important to get people involved in IT security topics. As Benjamin Franklin once said: ‘Tell me and I forget. Teach me and I may remember. Involve me and I learn.’ Thus, to increase the likelihood of success, IT security programs should always be embedded in a change process.

But management buy-in comes first! Why?

Staying in the market with a well-respected brand and competitive products is definitely part of every company’s business strategy. IT is just an enabler for that business strategy: IT supports the business groups in protecting the important digital assets and the intellectual property of a company.

Therefore, IT cannot be the driver for a security program. Business must take the initiative and start and manage the program to ensure sustainable change in IT security awareness and behaviour. If a C-level manager can be won as program sponsor, it is very likely that the program’s targets will be met.

It’s all about leadership! And Change.