Welcome to the SecAware blog

I spy with my beady eye ...

5 Aug 2007

Get me the IRS Security Manager!

A majority of US Internal Revenue Service (IRS) employees failed a social engineering penetration test recently, despite their "security awareness training" warning them of the threat:
"In a test sample, nearly 60 percent of 102 IRS employees were duped into handing over their access information, the IG said in a report released today. TIGTA auditors used social-engineering methods to survey the degree of compliance with data security. Posing as help-desk representatives, they called IRS line employees, including managers and contractors, and asked for their assistance to correct a computer problem. They requested that the employee provide a user name and temporarily change his or her password to one TIGTA callers suggested. TIGTA test callers convinced 61 of the 102 employees to comply with the requests. Only eight of the 102 employees in the sample contacted the appropriate offices to report or validate the test calls, the report said. The sample employees were from across IRS’ business units and geographic regions."

I'm uncertain exactly what is meant by "security awareness training" - is it security awareness (ongoing, continuous awareness activities), security training (periodic training courses/classes) or some hybrid? The full report only refers to compulsory annual security awareness activities. Anyway, whatever they are doing is evidently having some effect (some tested employees did attempt to verify the calls) but pushing that proportion towards 100% will be very tough. ['Course I know a company that could help ... we'll be releasing an updated social engineering awareness module later this year.]

[UPDATE] The Treasury Department report is here.

Following previous reports, the IRS said it:
"Would update its security awareness program to include training on computer intrusions and unauthorized access and use existing media, such as the annual security training and security awareness week, to communicate IRS security standards on password protection procedures."

and also that it
"Had incorporated the topic of social engineering into its mandatory annual Online Security Awareness Training, which included examples and scenarios of attempts used to gain access to IRS systems. In addition, the IRS stated periodic reminders would be issued in the forms of (1) all-employee notices that would be included with employees’ Earnings and Leave statements and (2) articles in the computer security newsletter."

Obviously I would agree with the emphasis on security awareness but find the notion of an annual awareness event something of a joke. Putting notes on payslips and circulating a "computer security newsletter" are reasonable ideas but still nothing like enough to raise awareness. Is it any wonder so many IRS employees remain clueless?

1 comment:

  1. It's pretty amazing how effective social engineering tests are these days. Ongoing culture change and education are the only ways to solve the problem. I recently published a paper on my blog about some cost effective tactics that can be used to help improve employee awareness.

     The biggest issue with the paper is that it still takes a skilled security individual and management support to help implement the program, which is a key item still lacking in many organizations.