Jump to content

What Is Your Best Scare Tactic To Get People Serious About Security?


ascorbic
 Share

Recommended Posts

In my day to day life I see plenty of people not taking security seriously enough. I guess ignorance is bliss for these guys. They either think "WEP, it is equivalent so it is good enough" or "Nothing will ever happen to us" or the worst of all "We can't invest any money into hiring a network guy to secure and maintain our network, it just costs too much."

Have you ever scared someone into beefing up security on your network? If so what sort of techniques seem to work best to get people serious about security?

Link to comment
Share on other sites

Doesn't work if they don't want to listen.

I've mentioned that the main AP here runs WEP, but no one wants to bother to get it upgraded to WPA at the very least.

You can talk and talk until you are blue in the face, but they won't listen if it'll cost you $$$.

Also keep in mind that anything you do to "scare" them, will more then likely get you fired.

Edited by Charles
Link to comment
Share on other sites

If you are working for a company, the best approach (from what I've herd) is to convince them that upgrading some thing to be secure is not a expenditure as such, it's a running cost.

That is to say, buying new server for new big ass application = expenditure, maintenance contract for big ass application server and application = running cost. As part of this you have to try and convince them that been secure is not a hole they put money in, it's the cost required to avoid spending must much larger amounts of money.

For example, a virus out brake on the network might require x hours of down time for the whole company because x hours * (x employess * x money to employee) * * money made per average = big scary number (or some thing like that). There for spending x much smaller amount on preventative measures is very more preferable. Obviously a virus out brake is just a an example, a compromised database server is likely to cost a bit less, but still a large amount. Though, depending what is on the server it might be exponentially more.

Try and figure out what bad things could result from <gaping security hole> and attempt to estimate how long it would take to fix if it went wrong and what services would not be available at that time then give it to the money spenders to figure out what they want to do. if they say nay make sure it's on the record.

Link to comment
Share on other sites

Learn about the difference between TCO and TCA, and see if you can mention that upgrading system x can be done in-line with normal replacements of systems and can be leveraged to give you other features in addition to fixing a glaring security hole. With things like WEP, its pretty much a case of implementing a firewall between the WAP and the network, which should be done anyway, and given that wireless will not be a primary system can be done with lower end equipment (a few hundred $$'s for hardware plus 2-3 days of your pay). If you really are dealing the the S in SME, then a $50 linksys will do the trick, and if that costs to much then its probably time to prep your resume.

Link to comment
Share on other sites

In my day to day life I see plenty of people not taking security seriously enough. I guess ignorance is bliss for these guys. They either think "WEP, it is equivalent so it is good enough" or "Nothing will ever happen to us" or the worst of all "We can't invest any money into hiring a network guy to secure and maintain our network, it just costs too much."

Have you ever scared someone into beefing up security on your network? If so what sort of techniques seem to work best to get people serious about security?

Best way to convince them is to show them. If they have something you know to be secure, then show them how its broken. Break in(with their permission) and physically show them the process of what it takes and then let them decide. If they still don't want to fix it, then chalk it up to their problem, not yours and move on.

Link to comment
Share on other sites

@ ascorbic

I recently urged those in charge of the IT arm of our organization to get an IDS/IPS (intrusion detection/prevention) device into place. With the recession and budgets getting tighter, it's really hard to convince those in charge of the budget, to see (like Vako referenced) the how the total cost of ownership is in their favor, if the cost of the mitigating the risk is less than the risk itself. A perfect example I recently gave, was demonstrating how an employee on our network could run a packet sniffer and capture unencrypted data without any alarms being triggered. Once my manager and our Director saw that, it sent up a red-flag for them and it became a no-brainer. ^_^

Link to comment
Share on other sites

  • 4 weeks later...

I worked in the public sector for a few years. I told the networking team "You do realise the WIFI is running WEP still. The people in the flats over the road are probably having a whale of a time." They said "What do you mean? It's 128bit WEP, they won't crack that". I looked at him in shock, shook my head and walked away.

Fools.

A year or so later they finally installed a radius setup.

Link to comment
Share on other sites

I think the best scare is human error. Unless it's on my network of computer within my household, I just let people's ignorance teach them a lesson because it's there fault for not listening to someone who is giving them valuable advice.

Link to comment
Share on other sites

Break into someones computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh where is all my money gone, or what should I do to make my self safe from getting attacked again.

Or even better wipe off a system completely with viruses making them lose money so they will realize that security is vitally important and that it should never be disregarded no matter what.

These kind of people need to be punished somehow so they can learn the hard way the importance of computer security.

Link to comment
Share on other sites

Break into someones computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh where is all my money gone, or what should I do to make my self safe from getting attacked again.

Or even better wipe off a system completely with viruses making them lose money so they will realize that security is vitally important and that it should never be disregarded no matter what.

These kind of people need to be punished somehow so they can learn the hard way the importance of computer security.

This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

Link to comment
Share on other sites

This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

I know this is not the correct thing to do, but one way or the other something has to be done in order to create some security awareness. These kind of people need to realize the importance of security. What would you suggest instead?

Edited by Infiltrator
Link to comment
Share on other sites

Hack them then send them a letter.

Hahaha nice one!!!

Link to comment
Share on other sites

I know this is not the correct thing to do, but one way or the other something has to be done in order to create some security awareness. These kind of people need to realize the importance of security. What would you suggest instead?

Breaking into a system in order to prove that it isn't secure is not that different from the way the Mafia operated/operates. This is the wrong kind of mentality.

The best course of action is to contact someone holding an appropriate position at the company/business and inform them of the problem. If they do not take any action to 'fix' the problem, then it is out of your hands and should be left alone.

Link to comment
Share on other sites

In my office we put on EOD suits, set a smoke grenade off in the HVAC system and punch the fire alarm. Then we charge into the departments office and randomly seize a laptop or 2, throw them into the carpark and cordon the area off.

No one installs random shit any more.

Link to comment
Share on other sites

Break into someones computer/system and steal all their banking details and then make a large money transfer to somewhere overseas. That should definitely wake those fuckers up. Ohh where is all my money gone, or what should I do to make my self safe from getting attacked again.

Or even better wipe off a system completely with viruses making them lose money so they will realize that security is vitally important and that it should never be disregarded no matter what.

These kind of people need to be punished somehow so they can learn the hard way the importance of computer security.

LOL

Link to comment
Share on other sites

This is the stupidest thing I have ever read. This way of thinking is why the term "hacker" has evolved to mean "computer criminal."

It's not that stupid, since it would probably work. It's potentially a better idea than doing nothing at all, since we all know how easy it would be for an actual computer criminal to steal that kind of info from the guys co workers. If that happened, they would probably wish that he actually had hacked them and "stolen" their bank info. Anyway, if the guy is trying to help his coworkers and bosses, I doubt he would actually steal someones secret banking info for the purpose of stealing their money, and even if he did, he would probably reverse any 'damage' that he caused after he proved his point.

Link to comment
Share on other sites

Breaking into a system in order to prove that it isn't secure is not that different from the way the Mafia operated/operates. This is the wrong kind of mentality.

The best course of action is to contact someone holding an appropriate position at the company/business and inform them of the problem. If they do not take any action to 'fix' the problem, then it is out of your hands and should be left alone.

Most of the time when someone tries to blow the whistle the person on the receiving end tries to ignore the message, so again my friend its very important for those bastards to understand what security is all about. And that's why there is always someone hacking or trying to break into a system to prove their point until someone realizes that they should be doing what is right improving security.

anyway I was just trying to make a point in here, but you are right.

Edited by Infiltrator
Link to comment
Share on other sites

My suggestion is either Upsidedownternet (which might not be a good idea considering the following suggestion), or to discretely hack some of them, and do something that won't cost the company any extra money, but something that is obvious. It would need to be something that affected users would easily be able to fix themselves (so you don't get fired just in case they find out who did it). Maybe you could install some kind of wall paper of an image that says something to the effect of "HAHA, you've just been PWN3D by the ^whatever whatever^ neighborhood pranking hackers - PWN3D!!!!!". This sort of 'hack' would hopefully show people how vulnerable they are without causing the company to lose any productivity other than the time it would take to change their wall paper back to the cute puppy or grassy nole or waterfall. True, some of them might realize that the easiest way to do this would be to get physical access, which you have, but I think that most of them would assume that it was done over the 'internet', or even more likely, they would just be clueless. It's not perfect, and you might get caught and fired, especially if you do it right after you have been trying to convince everyone to upgrade their security.......

Maybe you could hack your friends home network and make a screen capture and narrative video of the process and email it it everyone on your companies roster. Again, there is some risk because of the possibility of a real criminal doing some malicious hacking on the network at a coincidental time to you showing everyone how easy it is to hack.

You could yell at them and wave your arms? You could actually hack the network and hold it hostage until the boss signs a contract to upgrade the security and to let you keep your job? Buy them a gift certificate to an IT company for christmas?

Link to comment
Share on other sites

I thought it was funny so why not post in here since we are all talking about scaring people on computer security.

http://www.afunnystuff.com/jokes/Computer-...are-people.html

Link to comment
Share on other sites

  • 2 weeks later...

I work at a community college and attend classes as well. I was in my networking forensics course and happen to notice the website we use for class interaction was not HTTPS.

Well needless to say accounts and passwords (typically last 4 of social security number from default user account creation) were flying past my screen. I was sniffing wireless and had lots of logins from the library wireless computers.

After telling my supervisor and him talking to another supervisor, it got fixed. But of course it did not get fixed until 5 weeks later and the "networking team" took credit for it. Given everyone knows I discovered it. It was probably setup like that for YEARS but nobody noticed it as a security risk.

Link to comment
Share on other sites

  • 2 weeks later...
Best way to convince them is to show them. If they have something you know to be secure, then show them how its broken. Break in(with their permission) and physically show them the process of what it takes and then let them decide. If they still don't want to fix it, then chalk it up to their problem, not yours and move on.

That's what I would answer too. I try to show peoples how they example can crack their WEP so they will see how easy it is. Only problem is that it's really thin line before this will be teaching peoples to hack other peoples networks :-D but like I have wrote to my WEP cracking "article" "WEP is so easy to crack that you should never ever use it anywhere.".

Link to comment
Share on other sites

Scare tactic:

Simply over-exaggerate everything. Like the simplest almost-hack could lead to the entire BUSINESS stopping for two weeks. :) Just tell in computer terms, to the non-IT guys, and to the IT-guys - tell them about a 100 random (almost)possible hacks. Just put your 'marketing' cap/ poker face for this one ;)

P.S. but to achieve something good - make a free educational course for everyone at the office and teach them basic information security. Like to not put in a random USB drive they found on the floor. :) Show grewsome pictures to illustrate how bad that would be, like cartoon blood etc.

Edited by NetworkPro
Link to comment
Share on other sites

I work at a community college and attend classes as well. I was in my networking forensics course and happen to notice the website we use for class interaction was not HTTPS.

Well needless to say accounts and passwords (typically last 4 of social security number from default user account creation) were flying past my screen. I was sniffing wireless and had lots of logins from the library wireless computers.

After telling my supervisor and him talking to another supervisor, it got fixed. But of course it did not get fixed until 5 weeks later and the "networking team" took credit for it. Given everyone knows I discovered it. It was probably setup like that for YEARS but nobody noticed it as a security risk.

Oh probably they knew the risks and did not want to take any precautions. As usual the it department always think they are on top of everything.

Good work dude!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...