Slashdot Mirror
Ask Slashdot: How To Communicate Security Alerts?
Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"
Problem solved. Just relay on your backend infrastructure.
- NSA guy
Try EMET from Microsoft.
Type it; print it; deliver it.
It worked for generations.
Ruining around the office in panic screaming that we are all going to die worked well for me so far.
Also, what kind of security events are we talking about here?
Easy, kill all your users. Seriously.
You are fighting a loosing battle. Everytime i try and make a process more idiot proof 10x more wild moron users appear.
In the case of the browser, there are a couple of things I would have done:
1) IT should have selected a viable alternative. Whether it is Chrome, FireFox, etc... IT should be deciding on one to use. You are right in not wanting to bog down the help desk with these calls. By selecting one you can send a message out to your users stating that to improve security, reliability, and performance of your system, we will begin rolling out a new web browser for everyone to use. Be sure to include time for a quick training session. There are various methods for pushing software out behind the scenes as well to install it without bothering many of the workers.
2) Used something like Group Policy to push out the workaround and disable the DLL in question. This could have easily been done using a login script or GPO. Then you could sit tight waiting on a patch for your existing browser. You may still want to remind everyone to be on the lookout for anything suspicious and report it should something happen.
The sad fact is that nothing is bulletproof. It could just as easily be Chrome or Safari next week. Don't forget Safari had a nasty SSL flaw not too long ago too. You are right in not wanting to scare your users, but that is where I say you need to put effort into education on the basics of security. Let them know you have their back. And above all, be creative.
Anticipate all questions (smart or dumb), and create a howto/faq addressing each one.
sig: sauer
To be blunt, you don't need to tell every employee about every security problem, precisely for the reasons you stated: they'll panic.
The best thing you can to is to try to mitigate the problem until a fix is available, and then deploy a fix. Mitigation can mean anything from blocking access to the offending program, malicious website, etc., but nothing beats good old fashioned user education. Instructing your users on safe computing habits goes a long way toward keeping your network secure, and as long as you're not a dick about it, most people will actually listen. There are always those that won't listen or cooperate because 'computery things are your job, not mine', but I've found that those people are few and far between.
The security alerts should come from the help desk and the support staff. They are much more in touch with the types of problems that will occur, as well as how to best communicate with the users. You can work with the support staff to craft an accurate and helpful message without causing chaos.
Goddamn hippy.
systemd is Roko's Basilisk.
be as concise as possible. carry a giant hammer. "There is a vulnerability in IE. If you're paying attention, you will not have any issues. [procedure or new policy]. If you cannot comply with [new policy] please bring your machine to [your office] for molecular realignment."
Stop locking people's machines down. Make IT into a department that trains people to be responsible, not a department that locks their machines up.
they'll know how to communicate and what things to mention. and if they don't, they will learn quickly.
All your issues can be addressed with 2 things - an email to employees that explains everything they need to know about the security update, and a security policy that prevents the installation of unauthorized software.
Then, for the handful of dumbasses that will ignore the email, try to install an unapproved browser, then call your helpdesk, they have the ammo they need to politely inform the user that if they like getting a paycheck, they should read their messages and abide by the computer usage policy*.
* Save veeps and members of the board, since they not only believe that company policy doesn't apply to them, but also have the ability to fire you. But that's, like, maybe 20 people, so not a big deal.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
I need to start sending security alerts and warnings to employees at my somewhat sizable company.
Presuming this is a Windows network, just do a net send / msg to all users.
My problem: I'm not sure how to send these alerts without freaking everyone out
Aw, but that's half the fun of net send!!!
Spoilsport.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Send them something like this:
"Recently you may have heard about a vulnerability in Internet Explorer. Why this made the news and the Flash vulnerability from the same week didn't nobody knows. But please be aware that we know about this vulnerability - and, just like the last 5 zero-day vulnerabilities in Internet Explorer - we are monitoring the situation and will take any action deemed appropriate. At the present time we are protected by EMET - which we first deployed in 2011 - and do not have any exposure to existing exploits targeting this vulnerability. We will evaluate, test, and deploy the patch for this vulnerability during the standard "patch Tuesday" window when the other patches come out on May 13th.
Thanks!"
Is this even a question? If the IE bug isn't important to you, and you don't want people switching browsers, then why the hell would you communicate the bug to anyone? You should only be sending out notifications if your users need to take action or you're trying to communicate an outage. If you're email consists of "There's this problem you don't need to do anything about..." then you're wasting their time and they will quickly learn to ignore your notifications.
Users do not care about security issues or bugs. They want you to tell them if they need to do something. Otherwise leave them alone. If you have a few users that are worry warts and want to know about that thing they heard on the radio this morning, start a wiki page and just post it there. They can come and look at it if they have questions. But I'd avoid that. Documenting the reasons for your lack of action on a security issue is not a good idea. You may very well have good reasons, but uneducated poorly informed managers can make your life miserable if the bug ends up costing the company money.
Don a utilitarian yet heavily starched and pressed uniform, wear a funny hat and a hitler style mustache. Then get a ridding crop and an air horn. Go from cubicle to cubicle screaming and yelling obscenities and personal insults while instructing your vic.... users to apply patches or whatever. If anyone tries asking a question blow the air horn in their face then belittle them and kick up the crazyness of the insults a notch or two.
Or you could send out a friendly and professionally written email with precise directions with a picture for every step. But that honestly doesn't seem like much fun to me.
2) the patch for this vulnerability was pushed yesterday, out of stream, for all affected browsers, for all Windows OS's back to and including WinXP.
So how do you download it on a windows XP box, now that official support has ended? (I just inherited one, after Microsoft dropped support, and it has mission-critical, windows XP applications on it. B-b )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Define actions (instant, daily, weekly alerts) for ranges of CVSS scores http://nvd.nist.gov/cvss.cfm?c...
Track incoming CVEs (http://nvd.nist.gov/download.cfm) , assign CVSS scores specific to your organization. Also have a organization specific remediation approach.
As you find out who is using what software, and use the CVE CPE (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2168) information to target more specific users.
In the blast emails, you could potentially harvest who thinks they may be affected to gather CPE information.
It's going to be a thankless, painful job, so you may as well automate as much as possible.
Set policy. Like, you have a list of recommended software. I'd say at least two browsers and a bunch of utility software. You support those, and beyond that it's best-effort. Curate the collection. With a clear idea of what's in use, you can even start to assemble the whole thing from FOSS and eventually move to a non-proprietary OS to underpin the tools. But that really is but a side-effect of having a good grasp of the needs of your shop. See the LiMux project.
Communicate. Not just this one thing, your entire policy, FAQs, tips and tricks, what-have-you. An internal website will do. A wiki is great for this*, even if you're not opening up editing to others. But you could do that for selected parts too. Make sure everybody knows where the fount of (IT) wisdom is to be found. You don't have to be pushy about getting people to use it; even helpdeskers reading ready-made solutions to panicked people is better than having them making up answers on the spot, though this is only true if the ready-made stuff is of good quality. And if it applies to the situation, but that's the helpdesker's job to workout. So make a point of both having helpdeskers add questions and of curating the material, so you both know what's popular and that they have decent answers.
Most of all, don't get condescending; write *for* the reader, not *at* them, or worse, refer to them as "the user", like so many programmers do. Who're they writing their software for, anyway?
Once that's going you can even expand into short tutorials**, book reviews to help pick up more skills, and so on. But let's get the basics going first.
Notice that if you have your shop organised with ready-made software and information answers, people will have a well-known point to look at in case of panic. So with that in hand, in case of big trouble you can send out word with a recommendation to review the latest news in the usual places where all the details can be found, with a short abstract with enough information --accessible to them-- to let them make a "should I spend time on this now? can it wait until later?" decision.
Don't try to force people's hands until and unless absolutely necessary. Give them the tools and the right information on the right time to let them make meaningful decisions. This requires not so much serious writing skill (though it helps), but putting yourself in their perspective. "I don't understand all this, why do I need to bother?"
* Plenty wiki software available. I like dokuwiki and dislike mediawiki because syntax, which I think is important as it is a tool to express and so convey the message. At minimum go for CREOLE support.
** A tutorial isn't a tutorial unless it also tells how to recover from mishaps. Most "tutorial" blogposts fail at this and as such are not worthy of the name.
I was under the impression it would be made available through windows update but it's not really very clear.
http://blogs.technet.com/b/msr...
First, I would title them IT Security Alerts, rather than Security Alerts. One has to do with your computer, the other has to do with thrreats to your personal safety. You don't want people overreacting.
You can use Group Policy or your network login scripts to disable the svg vulnerability that was recently in IE without even telling your exployees.
You can ask slashdot all day "How do I write an email?", or you can just be an administrator.
Summary
Often times, email works great for something like this. Make sure you use a standardized and easy to read template that makes important information stand out.
Affected Items
Your Actions
Here's where you try to calm people down and/or tell them what they need to do. This section can be a lengthy if necessary, but make sure to break out individual items if this section grows to a text wall.
I saw it show up on my WSUS server today for XP on up.
http://www.salem-news.com/stim...
"If any question why we died, Tell them because our fathers lied."
Tell them there is some magical device on you network that prevent all secuity issues that can happen. They are safe and they can keep working in peace. Rainbows and unicorns bla bla bla...
In that case deployment is a non-issue.
Microsoft released the patch for XP as well.
It's on Windows Update, or you can download it at https://technet.microsoft.com/library/security/ms14-021
Go on, citizen, stamp the vote card. R or D, your choice.
They are annoying, flood the text inbox and hide other stuff. Have/buy an alert app for android & iphone (& maybe blackberry) which can actually handle things sanely. Not to mention the cost.
If there's a holdout with an L7089, texts may be acceptable for them but smartphone users have better options.
Assuming that you find a way to communicate these alerts without freaking everyone out (which is a tall order to start with) I think your goal -- of having people "take extra care until it is fixed" is so completely vague an inactionable as to be completely meaningless.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
So you can be the one responsible to fix other vendor's software and web sites when they fail to run on other browsers. Have fun with that. Not everyone can switch and still function. It may not be the fault of the company using IE. Also, you have to look at organizations like Hospitals that are under regulations that may make it impossible or expensive to recertify equipment. A good example is the FDA regulating product certification systems. Changing out a system design can cost tens or hundreds of thousands of dollars to recertify a design.
I have my fun with Linux and use it in various ways, but it isn't always the easiest thing to just swap out in a workstation setting. You apparently have very limited knowledge of the various industries and exist in a world where your way is the only correct way. You can go have fun with your copy of Linux, but don't assume it fixes everyone's issue without understanding what they do. If they can switch and still function, great. For purely desktop/laptop environments, Microsoft still has ~90% market share.
For the most part that was restricted or disabled since the XP days (after one of the updates. Cannot remember which). You reminded me of the old school spam I used to get...
This will:
If you're not using an outbound proxy, god help you.
$5 / month hosted VPS on linux = awesome!
I had to create a warning protocol/process about 15 years ago but it might work for you. 1. We color coded the warnings kinda like the first DHS warnings ... colors are associated with threat levels.
2. When a threat or a vulnerability became a concern, we sent out global company emails to employees, contractors, and clients. The emails had a standard format, including color-coded stationary.
3. We created a short PDF for each threat/vuln that was sent as an attachment with the global email warning. This was done with guidance from an authority like SANS or the CERT at Carnegie Mellon.
4. That PDF contained an explanation of differences between threat and vuln (like the difference between Storm Watch and Storm Warning).
5. That PDF contained info about the particular threat/vuln, what the company was doing about it, and what personal steps the employees should take at work and at home. They were encouraged to give these PDFs to friends and family, so as to educate as many people as possible.
This process was detailed in our Risk Assessment plan. which was in our larger Security Plan. I know not every company has these but, if you created the plan by piecemeal, you can eventually have enough material to put a full Security Plan together. Just remember to change up the warning levels. Don't always leave it at yellow or orange or you create user ambivalence, just like the reception the DHS warning system got from the general public.
Include the solution or recommended course of action in the alert email. Don't just say there's a problem, tell them how to fix it.
Ex. download this hotfix at this link
Ex. enable/disable this setting
Ex. Be careful while using Internet Explorer and use an alternative browser such as firefox or chrome (I wouldn't include links here but thats just me)
Oh and no technical jargon, the unknown scares people, if your boss can understand it based on just your email (before you send it), you've achieved this.
It's on Windows Update, or you can download it at https://technet.microsoft.com/...
Thank you.
I was unsure whether the Windows Update servers had been taken down, so that some exceptional process was necressary, or just left running at the end-of-life {plus I.E. fix} patch level.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way