In my last article (Defence in depth), I wrote about a number of different approaches that should be considered for a defence in depth security model. In this article, I go into a little more depth on a topic which is perhaps the most exciting for me, but also one of the hardest to fully mitigate: the human factor.
Imagine a fantasy world where security vendors' claims that their products can protect you against the bad guys' complete technological arsenal are true. Every time the bad guys try to infiltrate your network, either from the outside or within, they are detected and blocked with no impact on your resources. I did ask you to use your imagination! That's an unlikely scenario, as I'll discuss in an upcoming post, but even if it could come to fruition, if your human resources have not been trained to a suitable level in InfoSec, then there are a host of other attack vectors at the attacker's disposal. The list below outlines some of these:
- USB drive-by. An attacker drops a USB pen drive in an effective location, a member of staff picks it up, and curiosity gets the better of them, leading to them plugging it into a corporate machine. An effective location could be the car park, reception, the reception area toilet or a popular location nearby where staff like to meet at lunch or after work, e.g. a cafe, park or bar.
- Phishing email. A phishing email is one that tries to extract information from you. An example would be one that purports to be from your bank, saying you need to log in and confirm your details. You click on what looks like a legitimate link and are taken to what looks like your bank's login page. What in effect happens is you are directed to a clone of your bank's website that is controlled by the attackers, who then get your legitimate details and can use them to log in to your real bank account. That would be a personal attack, but imagine how many vendors, suppliers, partners and so on your company works with. You probably have the logos of lots of them on your corporate website, so it's easy to find some of this information out.
- Phone calls. An attacker calls your Helpdesk claiming to be the CEO and asks for their password to be reset. Maybe you have a process in place for ensuring the request is legitimate, but what if the attacker starts using guilt and authority to pressure the Helpdesk advisor into bypassing that process? Next thing, the CEO's email account has been breached, and think of the treasure that most likely lies within. Maybe the real CEO made such a hurried request in the last few months and somebody got their fingers burnt for refusing to make the change.
This limited list highlights a number of points, the primary one being that your people are, more often than not, the weakest link in your security chain. Most people are aware of the types of attacks listed above, so training needs to be clever: not just a once-a-year exercise to tick a box, but ongoing and done in innovative ways to prevent message fatigue. The last item in the list in particular highlights an important point: you need buy-in from the top and all the way down. If your CEO needs a password reset in a hurry which breaks protocol, staff should be commended for not complying with that request, no matter how high up it comes from.
I'd love to know if you have any specific tales of the human link being leveraged in an attack.