An appeaser is one who feeds a crocodile - hoping it will eat him last - Winston Churchill
ACCORDING TO Jackee Ireland, Intel director of risk and threat analysis, social engineering is a form of hacking that focuses on gaining information from 'people' rather than gaining it by hacking into a computer.
Of course, there are things that firms can realistically do with technology to secure the enterprise. But Ireland told the assembled multitudes at Intel's Security Seminar in Folsom last week that the weakest link in the security of any system is the end user.
As long as users can be tricked into clicking on a link or going to an unknown web site, everybody is at risk, said Ireland. Intel IT management works to educate staff about how social engineering is used against them.
Social engineering is really a techie con game. So how does it work? Apparently, it plays to people's ambitions, exploits their greed, and relies on the fact that most people are trusting of, and helpful to, strangers.
The slide below was obviously a bit of a put-off. How can they imply this about esteemed INQ scribblers like Charlie Demerjian?
Intel says it tries to make its security policy easy to access and easy to understand. Ireland said that if you need an attorney to translate your security policy, nobody is going to follow it. We wish the easy-to-understand idea would apply to licensing agreements for Intel and others. She said the policy must have both clear employee expectations and clear consequences for not adhering to the policy. The policy must apply to the boss as well as the staff.
Ireland talked about Intel's successes and failures enforcing the corporate security policies. She gave these examples: Intel was building a new plant in Malaysia to replace an existing facility. Suddenly, there was a spike in employee claims for lost corporate-provided laptops. Risk Analysis found that employees were locking their laptops in the boot of their cars while construction was going on. After a video system was installed at the parking area, construction workers were seen removing the computers from employees' cars. An employee education program on theft and vehicle security was initiated without pointing rudely at the construction workers. The rate of lost computers took a nose dive.
Ireland said they use a systematic series of measurements to figure out how their security policies are working. She showed a slide with five indicators, four of which were positive. The one with slippage was phishing.
Ireland claimed that sometimes phishing education works. In evidence, she submitted this tale: There once was a ranking Intel boss who sent out an email to everybody and forgot to sign it. Within moments the help desk was flooded with employees asking if it was a phishing email. In less than a half hour the email was pulled off the corporate email server. A disgruntled boss complained to the help desk. IT Risk Management stepped in and explained the consequences for not following the Corporate Security Policy.
The solution for now is a combination of multiple layers of security, strict behaviour policies, and external security appliances. Obviously, we scribblers have to sharpen our social skills so we are not marked as the bad guys.