What Is Your Best Scare Tactic To Get People Serious About Security?


ascorbic

In my day to day life I see plenty of people not taking security seriously enough. I guess ignorance is bliss for these guys. They either think "WEP, it is equivalent so it is good enough" or "Nothing will ever happen to us" or the worst of all "We can't invest any money into hiring a network guy to secure and maintain our network, it just costs too much."

Have you ever scared someone into beefing up security on your network? If so what sort of techniques seem to work best to get people serious about security?


Doesn't work if they don't want to listen.

I've mentioned that the main AP here runs WEP, but no one wants to bother to get it upgraded to WPA at the very least.

You can talk and talk until you are blue in the face, but they won't listen if it'll cost you $$$.

Also keep in mind that anything you do to "scare" them will more than likely get you fired.

Edited by Charles

If you are working for a company, the best approach (from what I've heard) is to convince them that upgrading something to be secure is not an expenditure as such, it's a running cost.

That is to say, buying a new server for a new big ass application = expenditure; maintenance contract for the big ass application server and application = running cost. As part of this you have to try and convince them that being secure is not a hole they pour money into, it's the cost required to avoid spending much larger amounts of money.

For example, a virus outbreak on the network might require x hours of downtime for the whole company, because x hours * (x employees * x money per employee) * money made per average = big scary number (or something like that). Therefore spending a much smaller amount on preventative measures is far preferable. Obviously a virus outbreak is just an example; a compromised database server is likely to cost a bit less, but still a large amount. Though, depending on what is on the server, it might be exponentially more.

Try and figure out what bad things could result from <gaping security hole>, attempt to estimate how long it would take to fix if it went wrong and what services would not be available at that time, then give it to the money spenders to figure out what they want to do. If they say nay, make sure it's on the record.


Learn about the difference between TCO and TCA, and see if you can mention that upgrading system x can be done in line with normal replacements of systems and can be leveraged to give you other features in addition to fixing a glaring security hole. With things like WEP, it's pretty much a case of implementing a firewall between the WAP and the network, which should be done anyway, and given that wireless will not be a primary system it can be done with lower end equipment (a few hundred $$'s for hardware plus 2-3 days of your pay). If you really are dealing with the S in SME, then a $50 Linksys will do the trick, and if that costs too much then it's probably time to prep your resume.


> In my day to day life I see plenty of people not taking security seriously enough. I guess ignorance is bliss for these guys. They either think "WEP, it is equivalent so it is good enough" or "Nothing will ever happen to us" or the worst of all "We can't invest any money into hiring a network guy to secure and maintain our network, it just costs too much."
>
> Have you ever scared someone into beefing up security on your network? If so what sort of techniques seem to work best to get people serious about security?

Best way to convince them is to show them. If they have something you know to be secure, then show them how it's broken. Break in (with their permission) and physically show them the process of what it takes and then let them decide. If they still don't want to fix it, then chalk it up to their problem, not yours, and move on.


@ ascorbic

I recently urged those in charge of the IT arm of our organization to get an IDS/IPS (intrusion detection/prevention) device into place. With the recession and budgets getting tighter, it's really hard to convince those in charge of the budget to see (like Vako referenced) how the total cost of ownership is in their favor if the cost of mitigating the risk is less than the risk itself. A perfect example I recently gave was demonstrating how an employee on our network could run a packet sniffer and capture unencrypted data without any alarms being triggered. Once my manager and our Director saw that, it sent up a red flag for them and it became a no-brainer. ^_^

I worked in the public sector for a few years. I told the networking team "You do realise the WIFI is running WEP still. The people in the flats over the road are probably having a whale of a time." They said "What do you mean? It's 128bit WEP, they won't crack that". I looked at him in shock, shook my head and walked away.

Fools.

A year or so later they finally installed a radius setup.


I think the best scare is human error. Unless it's on my network or a computer within my household, I just let people's ignorance teach them a lesson, because it's their fault for not listening to someone who is giving them valuable advice.


Break into someone's computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh, where has all my money gone, or what should I do to make myself safe from getting attacked again.

Or even better, wipe off a system completely with viruses, making them lose money, so they will realize that security is vitally important and that it should never be disregarded no matter what.

These kinds of people need to be punished somehow so they can learn the hard way the importance of computer security.

> Break into someone's computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh, where has all my money gone, or what should I do to make myself safe from getting attacked again.
>
> Or even better, wipe off a system completely with viruses, making them lose money, so they will realize that security is vitally important and that it should never be disregarded no matter what.
>
> These kinds of people need to be punished somehow so they can learn the hard way the importance of computer security.

This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

> This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

I know this is not the correct thing to do, but one way or the other something has to be done in order to create some security awareness. These kinds of people need to realize the importance of security. What would you suggest instead?

Edited by Infiltrator
> Hack them then send them a letter.

Hahaha nice one!!!

> I know this is not the correct thing to do, but one way or the other something has to be done in order to create some security awareness. These kinds of people need to realize the importance of security. What would you suggest instead?

Breaking into a system in order to prove that it isn't secure is not that different from the way the Mafia operated/operates. This is the wrong kind of mentality.

The best course of action is to contact someone holding an appropriate position at the company/business and inform them of the problem. If they do not take any action to 'fix' the problem, then it is out of your hands and should be left alone.

In my office we put on EOD suits, set a smoke grenade off in the HVAC system and punch the fire alarm. Then we charge into the department's office and randomly seize a laptop or 2, throw them into the carpark and cordon the area off.

No one installs random shit any more.

> Break into someone's computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh, where has all my money gone, or what should I do to make myself safe from getting attacked again.
>
> Or even better, wipe off a system completely with viruses, making them lose money, so they will realize that security is vitally important and that it should never be disregarded no matter what.
>
> These kinds of people need to be punished somehow so they can learn the hard way the importance of computer security.

LOL

> This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

It's not that stupid, since it would probably work. It's potentially a better idea than doing nothing at all, since we all know how easy it would be for an actual computer criminal to steal that kind of info from the guy's co-workers. If that happened, they would probably wish that he actually had hacked them and "stolen" their bank info. Anyway, if the guy is trying to help his co-workers and bosses, I doubt he would actually steal someone's secret banking info for the purpose of stealing their money, and even if he did, he would probably reverse any 'damage' that he caused after he proved his point.

> Breaking into a system in order to prove that it isn't secure is not that different from the way the Mafia operated/operates. This is the wrong kind of mentality.
>
> The best course of action is to contact someone holding an appropriate position at the company/business and inform them of the problem. If they do not take any action to 'fix' the problem, then it is out of your hands and should be left alone.

Most of the time when someone tries to blow the whistle, the person on the receiving end tries to ignore the message, so again my friend it's very important for those bastards to understand what security is all about. And that's why there is always someone hacking or trying to break into a system to prove their point, until someone realizes that they should be doing what is right: improving security.

Anyway, I was just trying to make a point in here, but you are right.

Edited by Infiltrator

My suggestion is either Upsidedownternet (which might not be a good idea considering the following suggestion), or to discreetly hack some of them and do something that won't cost the company any extra money, but something that is obvious. It would need to be something that affected users would easily be able to fix themselves (so you don't get fired just in case they find out who did it). Maybe you could install some kind of wallpaper of an image that says something to the effect of "HAHA, you've just been PWN3D by the ^whatever whatever^ neighborhood pranking hackers - PWN3D!!!!!". This sort of 'hack' would hopefully show people how vulnerable they are without causing the company to lose any productivity other than the time it would take to change their wallpaper back to the cute puppy or grassy knoll or waterfall. True, some of them might realize that the easiest way to do this would be to get physical access, which you have, but I think that most of them would assume that it was done over the 'internet', or even more likely, they would just be clueless. It's not perfect, and you might get caught and fired, especially if you do it right after you have been trying to convince everyone to upgrade their security.......

Maybe you could hack your friend's home network and make a screen capture and narrative video of the process and email it to everyone on your company's roster. Again, there is some risk because of the possibility of a real criminal doing some malicious hacking on the network at a time coincidental to you showing everyone how easy it is to hack.

You could yell at them and wave your arms? You could actually hack the network and hold it hostage until the boss signs a contract to upgrade the security and to let you keep your job? Buy them a gift certificate to an IT company for Christmas?


I thought it was funny so why not post in here since we are all talking about scaring people on computer security.

http://www.afunnystuff.com/jokes/Computer-...are-people.html

I work at a community college and attend classes as well. I was in my networking forensics course and happened to notice the website we use for class interaction was not HTTPS.

Well needless to say accounts and passwords (typically last 4 of social security number from default user account creation) were flying past my screen. I was sniffing wireless and had lots of logins from the library wireless computers.

After telling my supervisor and him talking to another supervisor, it got fixed. But of course it did not get fixed until 5 weeks later, and the "networking team" took credit for it, given everyone knows I discovered it. It was probably set up like that for YEARS but nobody noticed it as a security risk.

> Best way to convince them is to show them. If they have something you know to be secure, then show them how it's broken. Break in (with their permission) and physically show them the process of what it takes and then let them decide. If they still don't want to fix it, then chalk it up to their problem, not yours, and move on.

That's what I would answer too. I try to show people how, for example, they can crack their WEP so they will see how easy it is. The only problem is that it's a really thin line before this becomes teaching people to hack other people's networks :-D but like I wrote in my WEP cracking "article": "WEP is so easy to crack that you should never ever use it anywhere."
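The two stories above (a packet sniffer capturing unencrypted data with no alarm raised, and class-site logins visible over the library wireless) are exactly what a passive detection rule should catch. As an added illustration, not code from any poster here, this small Python check scans captured HTTP requests for credentials sent in cleartext; the capture record format, host name and credentials are constructed for the example.

```python
from urllib.parse import parse_qs

# Form field names that usually carry a secret; extend for your own apps.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "pin"}

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def cleartext_credentials(record: dict) -> list:
    """Return why a captured request leaks credentials (empty list if it
    does not); a TLS record is opaque to a sniffer and is never flagged."""
    if record["tls"]:
        return []
    req = parse_http_request(record["request"])
    target = req["headers"].get("host", "?") + req["path"]
    findings = []
    if req["headers"].get("authorization", "").lower().startswith("basic "):
        findings.append(f"HTTP Basic credentials in cleartext to {target}")
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = {k.lower() for k in parse_qs(req["body"], keep_blank_values=True)}
        hits = sorted(fields & SECRET_FIELDS)
        if hits:
            findings.append(f"form field(s) {hits} posted in cleartext to {target}")
    return findings

def audit(capture: list) -> list:
    """Run the check over every captured record and collect the findings."""
    return [f for rec in capture for f in cleartext_credentials(rec)]

# Constructed sample capture (fake host and credentials): one login form
# posted over plain HTTP, one harmless page fetch, one login over TLS.
SAMPLE_CAPTURE = [
    {"tls": False, "request": "POST /login HTTP/1.1\r\nHost: classes.example.edu\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=jdoe&password=1234"},
    {"tls": False, "request": "GET /syllabus.html HTTP/1.1\r\nHost: classes.example.edu\r\n\r\n"},
    {"tls": True, "request": "POST /login HTTP/1.1\r\nHost: classes.example.edu\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=jdoe&password=1234"},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_CAPTURE), sep="\n")
```

Only the plain-HTTP login is reported; the same form over TLS produces no finding, which is the fix the college eventually made.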


Scare tactic:

Simply over-exaggerate everything. Like the simplest almost-hack could lead to the entire BUSINESS stopping for two weeks. :) Just tell it in computer terms to the non-IT guys, and to the IT guys tell them about 100 random (almost) possible hacks. Just put on your 'marketing' cap/poker face for this one ;)

P.S. but to achieve something good, make a free educational course for everyone at the office and teach them basic information security. Like not to put in a random USB drive they found on the floor. :) Show gruesome pictures to illustrate how bad that would be, like cartoon blood etc.

Edited by NetworkPro
> I work at a community college and attend classes as well. I was in my networking forensics course and happened to notice the website we use for class interaction was not HTTPS.
>
> Well needless to say accounts and passwords (typically last 4 of social security number from default user account creation) were flying past my screen. I was sniffing wireless and had lots of logins from the library wireless computers.
>
> After telling my supervisor and him talking to another supervisor, it got fixed. But of course it did not get fixed until 5 weeks later, and the "networking team" took credit for it, given everyone knows I discovered it. It was probably set up like that for YEARS but nobody noticed it as a security risk.

Oh, probably they knew the risks and did not want to take any precautions. As usual the IT department always thinks they are on top of everything.

Good work dude!
