New York battles botnets by testing employees
<b>SPECIAL REPORT: The Next Steps for Security</b> | The Empire State has been pioneering an 'inoculation' program as a cornerstone of its anti-botnet strategy.
- By Patience Wait
- Jan 22, 2007
Dealing with computers that have become ensnared in botnets (networks of 'zombie' computers that are being directed to launch waves of spam or distributed denial-of-service attacks) is next to impossible. The best way to block those headaches is prevention, and the state of New York has been pioneering an 'inoculation' program as a cornerstone of its prevention strategy.
'There are many ways to get infected: peer-to-peer sharing, visiting malicious Web sites, opening e-mail that is malicious,' said William Pelgrin, chief information security officer for the state. 'We decided to look at how to change our [user] culture.'
Pelgrin worked with AT&T Corp. and the SANS Institute of Bethesda, Md., to devise an inoculation program, a software training exercise that would imitate malware.
In a pilot, Pelgrin's office sent out notices about ongoing phishing activities to some 10,000 employees in five state agencies, reminding the users of the risks in opening e-mail from unidentified senders or clicking on links embedded in unsolicited e-mail.
'A month later we built an application that said, "New York State is concerned about cybersecurity, and the policy requires you to have a secure password." We purchased a password checker and each employee was required to put in a password,' Pelgrin said. 'Then we sent out an e-mail and it came from a legitimate source, but from outside our network.'
Pelgrin's office never told the users it was a test, but there were hints in the outside e-mail message that it was not legitimate. 'We gave clear signs this was a scam. We didn't want to make it foolproof, but left some clues,' he said.
If users activated the link in the message, they would be asked for their user ID and password. If they started to type it in, a dialog box popped up and told them it was a security test and they'd failed it. Then there was a short video and a 10-question exam.
Out of the 10,000 users in the pilot, 83 percent did the right thing; three percent took the appropriate action by typing in the URL to go to the site rather than click on the embedded link, while 80 percent either deleted the e-mail or reported it to the CISO's office.
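The exercise above has three moving parts a practitioner has to get right: attributing each visit to a lure link to one recipient (so a forwarded or edited link does not get charged to the wrong person), recording what each recipient did, and scoring only the worst action per person so the breakdown adds up the way the article's does (credentials entered, link clicked, URL typed in by hand, e-mail reported, e-mail deleted). The following is an added example of that scoring logic, not New York State's, AT&T's or SANS's tooling. It assumes per-recipient HMAC tokens in the lure URL, a hypothetical lure host, and that clicks and credential entry are logged by the lure server, reports and deletions by the mail system, and direct visits by the legitimate password-check site for a logged-in user; the recipient list and events are constructed sample data.

```python
"""Scoring for a phishing 'inoculation' exercise (added example, not the state's code)."""
import hashlib
import hmac
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for the example; a real deployment generates one per exercise
# and keeps it on the lure server only.
TOKEN_KEY = b"example-pilot-key-not-for-production"
LURE_URL = "https://password-check.example.net/verify"  # hypothetical lure host

# Outcomes from worst to best. Clicking the link already counts as a failure here
# (assumption); entering credentials is the worst outcome. Lower rank = worse.
FAILED = ("submitted", "clicked")
PASSED = ("typed_url", "reported", "deleted")
RANK = {kind: i for i, kind in enumerate(FAILED + PASSED + ("no_action",))}


def make_token(user_id: str) -> str:
    """Per-recipient token: HMAC of the user id, so the lure server can tie a visit
    to a recipient without a lookup table, and an edited 'u' parameter stops matching."""
    return hmac.new(TOKEN_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:20]


def lure_link(user_id: str) -> str:
    """The link embedded in that recipient's copy of the lure e-mail."""
    return f"{LURE_URL}?{urlencode({'u': user_id, 't': make_token(user_id)})}"


def recipient_from_link(url: str):
    """Recipient a visited lure URL belongs to, or None when the token is missing
    or does not match (forwarded and edited link, or a guessed URL)."""
    query = parse_qs(urlparse(url).query)
    user = query.get("u", [None])[0]
    token = query.get("t", [None])[0]
    if not user or not token:
        return None
    if not hmac.compare_digest(token.encode(), make_token(user).encode()):
        return None
    return user


def score(recipients, events):
    """events: (kind, subject) pairs. For 'clicked'/'submitted' the subject is the
    visited URL (attributed via its token); for 'reported'/'deleted'/'typed_url'
    it is the user id supplied by the mail system or the real site.
    Returns per-user worst outcome plus pass/fail counts and rates."""
    outcomes = {user: "no_action" for user in recipients}
    for kind, subject in events:
        if kind not in RANK or kind == "no_action":
            raise ValueError(f"unknown event kind {kind!r}")
        user = recipient_from_link(subject) if kind in FAILED else subject
        if user is None or user not in outcomes:
            continue  # unattributable or not part of this exercise: score nobody
        if RANK[kind] < RANK[outcomes[user]]:
            outcomes[user] = kind  # keep the worst thing each person did
    counts = Counter(outcomes.values())
    failed = sum(counts[k] for k in FAILED)
    passed = sum(counts[k] for k in PASSED)
    total = len(recipients)
    return {
        "outcomes": outcomes,
        "by_outcome": dict(counts),
        "failed": failed,
        "passed": passed,
        "failed_rate": failed / total,
        "passed_rate": passed / total,
    }


# Constructed sample: ten recipients and the events the three log sources produced.
RECIPIENTS = [f"user{i:02d}" for i in range(1, 11)]
SAMPLE_EVENTS = [
    ("clicked", lure_link("user01")),
    ("submitted", lure_link("user01")),          # clicked, then typed credentials
    ("clicked", lure_link("user02")),
    ("reported", "user03"),
    ("deleted", "user04"),
    ("typed_url", "user05"),                     # went to the real site by hand
    ("deleted", "user06"),
    # user07 forwarded the lure and the 'u' parameter was edited: token no longer
    # matches, so the visit is attributed to nobody.
    ("clicked", lure_link("user07").replace("u=user07", "u=user03")),
    ("reported", "user08"),
    ("clicked", lure_link("user08")),            # reported it, then clicked anyway
    ("reported", "user09"),
    ("deleted", "user10"),
]

if __name__ == "__main__":
    result = score(RECIPIENTS, SAMPLE_EVENTS)
    for user, outcome in sorted(result["outcomes"].items()):
        print(f"{user}: {outcome}")
    print(f"failed {result['failed_rate']:.0%}, passed {result['passed_rate']:.0%}")
```

The token check is what lets the 'typed in the URL' group be separated from clickers: a visit with a valid token came from a specific recipient's e-mail, a visit with none was either typed or forwarded, and only the former can be credited to anyone, via the real site's own login. Without per-recipient tokens, the 3 percent in the pilot would be indistinguishable from the clickers.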
Pelgrin was not satisfied with the 83 percent success rate, and two months later ran a similar exercise, targeting the same 10,000 users.
'Eight percent failed this time,' he said. 'We did a survey to find out why the employees improved; we wanted to incorporate it into our ongoing training for staff.' He added that human error and human intervention still are major sources of botnet infections.
Pelgrin said his office is planning another exercise over the next year to see how they are making progress in educating employees.