"We just did a phishing [definition link
] exercise to 10,000 desktops," said William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination
. "We sent out a generic advisory on phishing, and no one was aware there would be an exercise to follow."
About a month after the advisory, an e-mail arrived on those agency desktops. It came from outside, but appeared to be from state government. It said that since security was so important, and that passwords were the first line of defense, the state had developed a password checker for state employees. "It asked them to enter their personal password and user ID to see how good their passwords were," said Pelgrin. "Out of 10,000 employees, we had about 17 percent that fell prey to it at that time. A month or so later we went back to the same cohort of individuals to see if they learned from the educational component of this, and we cut our numbers down to about seven percent. Now," he said, "the job is to get to those seven percent."
Pelgrin said the approach was "warm and fuzzy." Commissioners of affected agencies signed off on the exercise beforehand and looked at all documents before they were sent. And no information was collected on who fell for the ruse, just aggregate statistics. Those that provided a password and user ID got a message telling them what the exercise was all about, a video explaining the dangers of providing the information, and a survey.
"From the survey," said Pelgrin, "We got a lot of responses that it taught them something about phishing, not only at work -- since we filter out a lot of that crud here -- but at home where you get much more of it."
"This is about vigilance and resilience," he said. "One hundred percent security will never be obtainable. If you think you're safe, you're not secure. 9/11 taught us not to say things won't occur. Vigilance has to be there. Cars are becoming safer every day but you still need to buckle your seat belt."
In keeping with that premise, Pelgrin has expanded the efforts of his office to educate and inform state and local government, law enforcement, and the public. His office -- along with the Department of Homeland Security's National Cyber Security Division and other organizations -- developed a cyber-security awareness program for New York, that other state and local governments around the country are invited to use.
New York Governor E. Pataki proclaimed October as Cyber Security Awareness Month for the state, and Pelgrin and others are working to expand the idea nationwide, providing materials and programs to state and local governments.
"We do a Web cast every other month," said Pelgrin. "It started out as a New York State effort and quickly became a national one, and is now international. We've had up to nine countries participate in those Web casts. I choose the topic area, and we look for vendors that could do the presentation. They are not unique to any vendor, they have to be generic ... things that people could take and actually implement to make themselves more secure than they were the day before.
"We've done vulnerability risk assessments," he said, "taught people how to identify spyware, adware, and what to do about it. Over the last year, we've done about seven of those.
"For October," said Pelgrin, "our theme is protecting children on the Internet. The slogan is: 'It's everyone's responsibility' Parents, teachers, law enforcement, government -- everyone needs to take a role to ensure our children are protected and also that children don't become the next hacking generation. We're really concerned that we've got to change the culture that a script kiddie [definition link
] is not a right of passage -- it's wrong. We need to teach cyber ethics. We're all told that it's wrong to steal physical items, and only recently have we begun to teach kids that it's wrong to download copyrighted music. How can we make them good cyber citizens, how can we build into this culture?
"Our governor has asked me to put on a major conference Oct. 20th
," said Pelgrin, "and GTC is partnering with us on it. There will be about 1,000 adults, with a separate track for about 1,200 fourth and fifth graders. For the children we've hired a company ... which will do an interactive play on cyber security for the children. It will be streaming video and we're filming that and it will be broadcast by satellite, and we will make [the film] available to state and local governments."
"We're asking schools across the country to participate by having classrooms set up. We're using some of the curriculum from Cybersmart
as the basis for that scripting.
The governor will keynote the conference, said Pelgrin. We have Alan Paller, director of research for the SANS Institute as second keynote, and we have Patrick Gray, director of X-Force Operations for ISS, doing the third keynote. And Howard Schmidt will be doing the VIP reception the night before."
As if that weren't enough, Pelgrin has also contributed an introduction to a book coming out next year, The Black Book on Government Security.
"Computer technology was really created as an enabler to make our lives more efficient more effective, to be able to communicate, provide customers with better service, promote e-commerce, etc.," he said. "Cyber security was always looked at as the impediment -- it's going to cost money, take time, etc. Now, though," he said, "because of attacks on technology, cyber security has changed from an impediment to an enabler ... We're to the point where security is critical, it's not an afterthought.
"If security doesn't get down to the desktop level, he said, "we'll all lose."
Note: Director Pelgrin did not present at GTC East this year, but was interviewed by phone last week.