No Phishing!

Security is always an issue with IT – ever more so these days with the explosion of connectivity, mobile devices and so on. Organisations often test their IT security by arranging with a specialist company to carry out an external “penetration test”. Effectively, that’s asking a friend to see if they can get past the organisation’s security controls by exploiting any weaknesses. If they can, then they let the organisation know and it can then plug the weaknesses.

In the past, these specialist companies have focussed on the technological defences. Increasingly, however, they are looking at the softer weak points – i.e. people. One company I spoke with carries out tests on datacentre security – they might be asked to see if they can gain physical access to an organisation’s datacentre. For obvious reasons I won’t tell you how they might try to do this, but it’s designed to test how good the access and security protocols in practice. On one occasion they did indeed manage to get into the datacentre – except it was the wrong one!

The other growing area is what they call a “social engineering” penetration test. To put it unkindly, this is to test how gullible the employees in an organisation are. You have probably all at some point seen an e-mail in your inbox offering you the chance to inherit somebody’s fortune if you can only help by supplying your bank account details. Or an e-mail from your bank telling you that there is a problem with your account and asking you to give them your password or PIN number so that they can check.

These e-mails are getting more and more sophisticated, and they steal branding and corporate images to make them look completely genuine at first glance. I have seen e-mails claiming to be from the RGU IT Help desk asking users to hand over their password so that their account can be reactivated, and these e-mails can look very convincing. Sometimes they ask for information, and sometimes they just try to coax you to click on a link for further information. That link, of course, will install some nasty software on your computer and from then on they can do anything – maybe steal confidential information (including any passwords you type in) or hijack your computer to get it to send out thousands of other e-mails to other people.

Have a look at the Wikipedia entry for more background.

I learned of one organisation recently where somebody thought one of these e-mails were genuine, clicked on the link, and before long their organisation had suffered a major security breach. These e-mails are therefore a real threat to security in any organisation, and not just a minor nuisance.

So remember:
– No legitimate organisation (internal or external) will EVER ask you to e-mail to them any confidential information, whether that’s a password, PIN number, date of birth or whatever.
– If you receive an e-mail that you were not expecting, and if it has a link to another web site, don’t click. Be very careful of unusual e-mails from people you know – especially if it’s little more than a link to some web site and a subject line saying “check this out”. It probably means their e-mail has been hacked and is being used to send out SPAM.

So, what’s a “social engineering” penetration test? That’s when we agree with an external company that they can send into the organisation lots of “phishing” style e-mails and then see how many people get tricked into responding. That’s not to catch people out, but to help educate and test the level of awareness across the organisation. I might just look at that . . .

RGU Business Travel Processes

I mentioned last year that we were planning to look at the University’s business travel processes and how these could be “e-enabled”. The Lean Kaizen event took place in December, and my thanks to the team for a great job. Here are some of their key findings and suggestions:

We currently process about 3,000 forms every year through the paper process. Some get lost, many are not correctly filled in or are incomplete. Visit reports are prepared but are often filed and never used to help future travellers. It can take up to 3 weeks to authorise travel in some instances. The team looked at flight bookings in particular and found that many of these were booked very close to the time of travel – 20% less than two weeks before travel. The team reckons that if a more efficient booking process allowed flights to be booked at least 4 weeks in advance we could save up to £30k per annum.

The team looked in depth at how a new electronic process might work and came up with 4 key objectives.

1)   It will be simple, paperless, and completed within 1 week. The electronic process will be smart enough to know where you are travelling, and particularly for local travel will present a much simpler form.

2)   It will provide useful information to management and travellers. For management, the system will provide information on current and future travellers by destination and analyse travel patterns. For travellers, the team have suggested some kind of internal “Trip Advisor” capability so that travellers can share information on different destinations.

3)   It will allow the University to keep in contact with travellers where required. We do have many staff travelling to a whole range of international destinations. Situations can change quickly and for some destinations we will want regular contact to ensure that staff are safe and well.

4)   It will assist the University to meet its strategic objectives. We want to make sure that the system helps to encourage staff to avoid travel where possible, and to use more sustainable travel in preference to high carbon modes of travel.

Next stage is to start the detailed work of putting together the electronic system. We would hope to have something up and running by the Summer and will keep you posted as this develops.

Members of the Lean Kaizen team were:

Professor David Gray (Images Research Institute), Amy Jones (Aberdeen Business School), Ally Flett & Claire Murray (Research and Enterprise Services), Debbie Teperek (Exec Support), Julie Deighton (International Office), Karen Henderson (Pharmacy and Life Sciences), Laurie Power, Petrena Morrison & Ros Shanks (School of Engineering). Renee Raper from HR facilitated the week.