IG Report Shows Need for Security Training

It shouldn't be surprising that 60 percent of IRS employees fell for a social engineering test scam, in which the employees gave up sensitive computer information to a caller posing as someone from the help desk, according to a report by the Treasury Inspector General for Tax Administration and reported by The Associated Press. This kind of social engineering "attack" is particularly hard to guard against because 1) the person contacting you (by phone or e-mail) already knows your name and other personal information about you, and 2) that person is posing as a representative of a legitimate office in your organization.

The only real way to fight this kind of spoof is through education, as Government Executive magazine reports in the upcoming Aug. 15 issue. Look for the issue in your mailbox soon. In the meantime, here's an excerpt from the article, which appears in the Managing Technology column:

The most effective defense [against social engineering attacks] is education, security experts say. Agencies must train computer users to spot fraudulent e-mails [and phone calls] and resist replying to them. Educating includes “inoculation,” intentionally setting a spear phishing trap by sending out a false e-mail to a group of employees to see who takes the bait, according to Alan Paller, director of research at the SANS Institute of Bethesda, Md., which manages the Internet Storm Center and tracks cyberthreats. IT managers contact employees who replied or opened an attachment and teach them what to look for in a fake e-mail. Mistakes sometimes are the best teachers, Paller says. He estimates that spear phishing attacks on government number only in the low hundreds, but says the threat should not be taken lightly. It takes only one successful attempt to create a lot of damage.

In its report, the Treasury IG office recommends the same course of action:

The Chief, Mission Assurance and Security Services, should continue security awareness activities to remind employees of the potential for social engineering attempts and the need to report these incidents to the IRS computer security organization, conduct internal social engineering tests on a periodic basis to increase employees’ security awareness and the need to protect usernames and passwords, and coordinate with business units to emphasize the need to discipline employees for security violations resulting from negligence or carelessness.

What's disconcerting about this particular approach is that training rarely gets the attention it needs to be effective. It's almost always one of the first line items to be cut from a tight budget, and agency IT budgets are tighter than they ever have been. Training also gets shortchanged when staffing is low, which means employees have little time to take off from regular work to attend training classes or even to read training materials. But training is the only defense. Firewalls and intrusion detection systems don't defend against social engineering attempts.

Do you see any efforts to increase information security training in your agencies?