By Wayne Hanson
Sept 20, 2005
"We just did a phishing exercise to 10,000 desktops," said Will
Pelgrin, director of the New York State Office of Cyber Security and
Critical Infrastructure Coordination. "We sent out a generic advisory
on phishing, and no one was aware there would be an exercise to
About a month after the advisory, an e-mail arrived on those agency
desktops. It came from outside, but appeared to be from state
government. It said that since security was so important, and that
passwords were the first line of defense, the state had developed a
password checker for state employees. "It asked them to enter their
personal password and user ID to see how good their passwords were,"
said Pelgrin. "Out of 10,000 employees, we had about 17 percent that
fell prey to it at that time. A month or so later we went back to the
same cohort of individuals to see if they learned from the educational
component of this, and we cut our numbers down to about seven percent.
Now," he said, "the job is to get to those seven percent."
Pelgrin said the approach was "warm and fuzzy." Commissioners of
affected agencies signed off on the exercise beforehand and looked at
all documents before they were sent. And no information was collected
on who fell for the ruse, just aggregate statistics. Those that
provided a password and user ID got a message telling them what the
exercise was all about, a video explaining the dangers of providing
the information, and a survey.
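The exercise mail described above had the two marks of a credential-harvesting phish: it originated outside the organization while appearing to come from state government, and it asked employees to type a user ID and password into a page reached by a link. As an added illustration that is not part of the original article or of the New York State program, the Python below checks an e-mail for exactly that pattern. The domain names, headers and message bodies are constructed for the example, and the `internal_domains` list stands in for whatever a real mail gateway would be configured with.

```python
"""Flag e-mail that claims an internal sender but originates outside, and
that asks for a password at an external link. All domains and messages
below are constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain (constructed); a deployment would list its own.
INTERNAL_DOMAINS = {"example-state.gov"}

CREDENTIAL_WORDS = re.compile(r"\b(passwords?|user\s*id|login)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s>]+)", re.I)


def _domain(addr_header):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _is_internal(host, internal_domains):
    host = host.lower()
    return host in internal_domains or any(
        host.endswith("." + d) for d in internal_domains)


def analyze_message(raw, internal_domains=INTERNAL_DOMAINS):
    """Return a sorted list of finding labels for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = set()

    # The displayed From: is internal, but the envelope sender
    # (Return-Path) is not: the mail came from outside the organization.
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    if (from_domain in internal_domains and return_path_domain
            and return_path_domain not in internal_domains):
        findings.add("sender-claims-internal-but-originates-external")

    # The body talks about passwords or user IDs and links to a host
    # that is not ours: the "password checker" lure.
    body = msg.get_payload() if not msg.is_multipart() else ""
    external_hosts = [h for h in URL_HOST.findall(body)
                      if not _is_internal(h, internal_domains)]
    if CREDENTIAL_WORDS.search(body) and external_hosts:
        findings.add("credential-request-with-external-link")

    return sorted(findings)


# Constructed sample: shaped like the exercise mail described in the article.
LURE = """\
Return-Path: <bounce@mailer.example.net>
From: IT Security <security@example-state.gov>
To: staff@example-state.gov
Subject: New password checker for state employees

Passwords are the first line of defense. Enter your user ID and password
at http://password-check.example.net/ to see how strong they are.
"""

# Constructed sample: a legitimate internal advisory with an intranet link.
ADVISORY = """\
Return-Path: <security@example-state.gov>
From: IT Security <security@example-state.gov>
To: staff@example-state.gov
Subject: Advisory: phishing

Never enter your password on a page reached from an e-mail link.
Questions: see https://intranet.example-state.gov/security
"""


def run_samples():
    """Analyze both constructed messages and return the findings by name."""
    return {"lure": analyze_message(LURE), "advisory": analyze_message(ADVISORY)}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or ["no findings"])
```

The two checks are deliberately independent: a mismatch between the displayed sender and the envelope sender is a strong signal on its own, and an external link next to a request for credentials is one even when the sender looks consistent. The advisory message trips neither, because its envelope sender is internal and its only link is to an intranet host under the internal domain.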
"From the survey," said Pelgrin, "we got a lot of responses that it
taught them something about phishing, not only at work -- since we
filter out a lot of that crud here -- but at home where you get much
more of it."
"This is about vigilance and resilience," he said. "One hundred
percent security will never be obtainable. If you think you're safe,
you're not secure. 9/11 taught us not to say things won't occur.
Vigilance has to be there. Cars are becoming safer every day but you
still need to buckle your seat belt."
In keeping with that premise, Pelgrin has expanded the efforts of his
office to educate and inform state and local government, law
enforcement, and the public. His office -- along with the Department
of Homeland Security's National Cyber Security Division and other
organizations -- developed a cyber-security awareness program for New
York, that other state and local governments around the country are
invited to use.
New York Governor E. Pataki proclaimed October as Cyber Security
Awareness Month for the state, and Pelgrin and others are working to
expand the idea nationwide, providing materials and programs to state
and local governments.
"We do a Web cast every other month," said Pelgrin. "It started out as
a New York State effort and quickly became a national one, and is now
international. We've had up to nine countries participate in those Web
casts. I choose the topic area, and we look for vendors that could do
the presentation. They are not unique to any vendor, they have to be
generic ... things that people could take and actually implement to
make themselves more secure than they were the day before.
"We've done vulnerability risk assessments," he said, "taught people
how to identify spyware, adware, and what to do about it. Over the
last year, we've done about seven of those.
"For October," said Pelgrin, "our theme is protecting children on the
Internet. The slogan is: 'It's everyone's responsibility.' Parents,
teachers, law enforcement, government -- everyone needs to take a role
to ensure our children are protected and also that children don't
become the next hacking generation. We're really concerned that we've
got to change the culture that a script kiddie is
not a rite of passage -- it's wrong. We need to teach cyber ethics.
We're all told that it's wrong to steal physical items, and only
recently have we begun to teach kids that it's wrong to download
copyrighted music. How can we make them good cyber citizens, how can
we build into this culture?
"Our governor has asked me to put on a major conference Oct. 20th,"
said Pelgrin, "and GTC is partnering with us on it. There will be
about 1,000 adults, with a separate track for about 1,200 fourth and
fifth graders. For the children we've hired a company ... which will
do an interactive play on cyber security for the children. It will be
streaming video and we're filming that and it will be broadcast by
satellite, and we will make [the film] available to state and local
"We're asking schools across the country to participate by having
classrooms set up. We're using some of the curriculum from Cybersmart
as the basis for that scripting.
The governor will keynote the conference, said Pelgrin. "We have Alan
Paller, director of research for the SANS Institute as second keynote,
and we have Patrick Gray, director of X-Force Operations for ISS,
doing the third keynote. And Howard Schmidt will be doing the VIP
reception the night before."
As if that weren't enough, Pelgrin has also contributed an
introduction to a book coming out next year, The Black Book on
"Computer technology was really created as an enabler to make our
lives more efficient, more effective, to be able to communicate,
provide customers with better service, promote e-commerce, etc.," he
said. "Cyber security was always looked at as the impediment -- it's
going to cost money, take time, etc. Now, though," he said, "because
of attacks on technology, cyber security has changed from an
impediment to an enabler ... We're to the point where security is
critical, it's not an afterthought.
"If security doesn't get down to the desktop level," he said, "we'll
Note: Director Pelgrin did not present at GTC East this year, but was
interviewed by phone last week.