
The human factor

Level 9

In my last article (Defence in depth), I wrote about a number of different approaches that should be considered for a defence in depth security model. In this article I go into a little more depth on the topic that is perhaps the most interesting to me, but also one of the hardest to fully mitigate: the human factor.

Imagine a fantasy world where the security vendors' claims are true and their products protect you against the bad guys' complete technological arsenal. Every time they try to infiltrate your network, from the outside or from within, they are detected and blocked with no impact on your resources. I did ask you to use your imagination! That is an unlikely scenario, as I'll discuss in an upcoming post, but even if it did come to fruition, if your people have not been trained to a suitable level in InfoSec then there are a host of other attack vectors at the attacker's disposal. The list below outlines some of them:

  • USB drop. An attacker leaves a USB pen drive in a well-chosen location, a member of staff picks it up, curiosity gets the better of them and they plug it into a corporate machine. A well-chosen location could be the car park, reception, the toilets off the reception area, or a popular spot nearby where staff meet at lunch or after work, e.g. a cafe, park or bar. Even when the drive carries nothing malicious, plugging in unknown media is the behaviour you want to catch; device control that blocks unapproved removable media narrows the gap, but the drive the user really wants to read will still be plugged in somewhere
  • Phishing email. A phishing email tries to extract information from you. A typical example purports to be from your bank and says you need to log in and confirm your details. You click on what looks like a legitimate link and land on what looks like your bank's login page. What actually happens is that you are directed to a clone of the bank's website controlled by the attackers, who capture your real credentials and use them to log in to your real account. That is a personal attack, but think how many vendors, suppliers and partners your company works with. You probably have many of their logos on your corporate website, so it's easy for an attacker to find out who you trust and craft a mail that appears to come from one of them. The simplest defence, and the one training should drill, is to check where a link really points (hover over it, or read the source) before clicking it
  • Phone calls. An attacker calls your Helpdesk claiming to be the CEO and asks for their password to be reset. Maybe you have a process in place for verifying that the request is legitimate, but what if the attacker starts using guilt and authority to pressure the Helpdesk advisor into bypassing that process? Next thing you know, the CEO's email account has been breached, and think of the treasure that most likely lies within. Maybe the real CEO made such a hurried request in the last few months and somebody got their fingers burnt for refusing to make the change. A reset that can only be completed by calling the requester back on a number already held on record, or by confirming with a second person, takes the decision out of the advisor's hands, which is exactly what you want when they are under pressure
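The phishing item above turns on one observable fact: the link text says one place, the href goes to another, and the real host only resembles the bank's. The following is an added example, not code from the original post, that parses an HTML mail body and flags anchors on exactly those grounds. The trusted domain `examplebank.com` and the sample mail are constructed for the demo; a production version would use a public-suffix list rather than the crude "last two labels" rule used here.

```python
"""Flag suspicious links in an HTML email body (added example, not from the post).

Three checks per <a> element:
  1. visible text names a host that differs from the href's host
  2. href host merely resembles a trusted domain (trusted name buried in a longer host)
  3. a plain http:// link where credentials would be entered
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the domain the mail claims to come from.
TRUSTED_HOSTS = {"examplebank.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels ('a.b.c.net' -> 'c.net').
    Adequate for the demo; real code should consult the public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(host, trusted=TRUSTED_HOSTS):
    """Return the trusted domain this host imitates, or None if it is that
    domain (or unrelated). 'examplebank.com.secure-login.net' imitates
    'examplebank.com' because the trusted label appears inside a foreign host."""
    if registrable(host) in trusted:
        return None
    for t in trusted:
        if t.split(".")[0] in host.lower():
            return t
    return None


_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def analyse(html):
    """Return a list of findings, one per suspicious anchor."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        m = _HOST_IN_TEXT.search(text)
        if m and registrable(m.group(1)) != registrable(host):
            reasons.append("display text host differs from href host")
        if looks_like(host):
            reasons.append("look-alike of trusted domain")
        if parsed.scheme == "http":
            reasons.append("unencrypted http link")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample mail: one cloned-site link, one genuine link.
SAMPLE_MAIL = """<p>Dear customer, please <a href="http://examplebank.com.secure-login-check.net/auth">
log in at https://examplebank.com</a> to confirm your details.</p>
<p>Need help? <a href="https://examplebank.com/help">Help centre</a></p>"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_MAIL):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

Run against the sample, only the first anchor is reported, with all three reasons; the genuine help-centre link passes. The same three checks are what a mail gateway or a browser link-hover teaches a user to do by eye.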

This limited list highlights a number of points, the primary one being that, more often than not, your people are the weakest link in your security chain. Most people are aware of the types of attack listed above, so training needs to be clever: not a once-a-year exercise to tick a box, but ongoing and delivered in innovative ways to prevent message fatigue. The last point in particular highlights something bigger: you need buy-in from the top all the way down. If your CEO needs a password reset in a hurry that breaks protocol, staff should be commended for refusing that request, no matter how high up it comes from.

I'd love to hear any specific tales you have of the human link being leveraged in an attack.

19 Comments
Jfrazier
Level 18

I do not have a specific tale to add, but these topics as mentioned are covered every year in a mandatory training exercise...primarily for the less security savvy.

Vegaskid
Level 9

Thanks for chipping in Jfrazier. Have you ever worked anywhere that does random spot checks to see how staff react e.g. trying to circumvent the password reset policy, having a 'mystery shopper' try to get past the authorised reception area etc.? I find that even those that have a number of years' experience in IT security can be caught out without regular bite sized training as opposed to the annual box ticking exercise.

Jfrazier
Level 18

They drop a "phishing" test email out from time to time. No mystery shopper here, being a finance company.

bspencer63
Level 12

The (computer.user = job.security) and the biggest point of failure for the security of your Network!  Without a doubt, this is one of my pet peeves!

No matter how much one invests into security devices, software, etc., your security is only as good as the weakest user's knowledge.  If you protect everything possible, and I mean everything, there is still that mitigating facet of the user doing what they want, because they have access.  So, don't give them access!  You say.... Easier said than done when you have over 200 bosses and all of them are lawyers.  Go figure.  Anyway, I drifted a bit; testing them is a prudent and viable option, educating them is a necessary option, not once but on-going.  Annual is a start, but semi-annual or quarterly would be more prudent as there are phishing scams, viruses, and new breach methods constantly being developed and discovered, so if you wait for the annual training, you just might be working overtime fixing things or looking for a new job!

Like the phishing email testing, Jfrazier!  Get some cheap USB drives and configure them to write to a file or directory with the currently logged-on user name and time and see how many bite.  It actually is depressing!

If you really want to test your users, look to a guy like Jayson E. Street.  He has meandered in through the front door of some companies into which he should never have been allowed access.  Doesn't even use any other hacking tools or documentation except a camera and a USB drive.  Banks, Feds, major corporations etc. have been penetrated simply by walking past security and looking like you know who, where, and why you are there....  Now that's some crazy stuff!
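bspencer63's suggestion, a drive that records who plugged it in and when, is easy to build honestly: the script collects only user, host, time and a per-drive location tag, and nothing else. The following is an added example, not code from the thread; the `drop_id.txt` file name, the log file name and the sample log are assumptions. It runs only if the user opens it (Windows has not autorun removable media for years), which is itself the behaviour the test measures.

```python
"""USB-drop awareness test (added example, not from the thread).

Before dropping each drive, write a location tag such as 'carpark-01' into
drop_id.txt on it and copy this script alongside. When a user runs the script,
one CSV line (time, drop_id, user, host) is appended to bites.csv on the drive.
summarise() then turns the collected lines into the numbers the training owner
needs: how many bites, from which drop locations, by which users.
"""
import csv
import datetime
import getpass
import io
import os
import socket
from collections import Counter

DROP_ID_FILE = "drop_id.txt"   # hypothetical tag file written before the drop
LOG_FILE = "bites.csv"         # hypothetical log kept on the drive
FIELDS = ["time", "drop_id", "user", "host"]


def build_record(drive_root, now=None):
    """Gather the minimum facts: which drop (location) was picked up, by whom,
    on which machine, and when. Missing tag or unknown user degrade to 'unknown'
    rather than failing, so a bite is never lost."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    try:
        with open(os.path.join(drive_root, DROP_ID_FILE), encoding="utf-8") as f:
            drop_id = f.read().strip() or "unknown"
    except OSError:
        drop_id = "unknown"
    try:
        user = getpass.getuser()
    except Exception:  # no USER env and no passwd entry on some hosts
        user = "unknown"
    return {
        "time": now.isoformat(timespec="seconds"),
        "drop_id": drop_id,
        "user": user,
        "host": socket.gethostname(),
    }


def append_record(log_path, record):
    """Append one CSV row, writing the header on first use."""
    new_file = not os.path.exists(log_path)
    with open(log_path, "a", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=FIELDS)
        if new_file:
            writer.writeheader()
        writer.writerow(record)


def summarise(csv_text):
    """Collate the logs gathered from all recovered drives."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "bites": len(rows),
        "per_location": dict(Counter(r["drop_id"] for r in rows)),
        "users": sorted({r["user"] for r in rows}),
    }


# Constructed sample: three bites across two drop locations, one repeat offender.
SAMPLE_LOG = """time,drop_id,user,host
2014-03-03T12:41:02+00:00,carpark-01,jsmith,WS-0217
2014-03-03T13:05:44+00:00,reception-02,akhan,WS-0305
2014-03-04T08:12:10+00:00,carpark-01,jsmith,WS-0217
"""

if __name__ == "__main__":
    here = os.path.dirname(os.path.abspath(__file__))
    rec = build_record(here)
    append_record(os.path.join(here, LOG_FILE), rec)
    print("recorded:", rec)
    print("sample summary:", summarise(SAMPLE_LOG))
```

Keep the record this small on purpose: the aim is a count per location to steer training, not a surveillance tool, and a test drive that does anything beyond this is hard to defend if it is picked up by someone outside the company.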

cahunt
Level 17

The only way the human factor is a factor at all is when one of your Hue-Mons decides the policies in place are just suggestions about operation.

I have either seen these first hand or hear a tale of someone who breached the security of a company one of these same ways. (Of course they were hired by the company to do this)

And only because someone is not properly trained to the point that a person starts to consider the options not related to policy and actual practice when they 1) find a USB drive somewhere, 2) see an email and blindly enter their credentials (not realizing the URI is an external site they have been routed to because of their frivolous link clicking), or 3) get that call from a Department Head, Dr. or other person of considerable interest or rank and do not stand their ground. Our CIO would never call in that fashion.

Someone needs to stop and think about these occurrences rather than just knowing the policy and following the policy to execution.

jkump
Level 15

I worked for a consulting company many years ago and I got a call from a client of ours that something was happening with their systems.  Turns out a social engineering ploy had been leveraged against the dial-up bulletin board system account and without multiple layers of authentication, they were able to access the sysop's account and gain control of the whole bulletin board system.  It proved that social engineering works.

Now, at least, we have multiple layers of authentication. 

mr.e
Level 14

I remember many, many years ago, when I joined my current company.  At the time, people were allowed to keep their passwords indefinitely and they could set easy-to-remember passwords. Believe it or not, many actually had the word Password as their permanent password for everything. Partly because of my insistence, the firm decided to enforce strict password rules.  Of course, there were many (even in upper management) who were extremely upset with our IT department.

Back then, network hacking and breaches were very infrequent --or at least they seemed to be.  Given all the news we've heard and read about in the past few years, you'd think most have learned their lesson.  Sadly, we still see some who try to have exceptions for their passwords and the like.

Vegaskid
Level 9

Thanks bspencer63. I do think sporadic testing is important.

Vegaskid
Level 9

Thanks cahunt. Some good points.

Vegaskid
Level 9

Thanks jkump. Defence in depth....reminds me of a recent post on here I read ;-)

Defence in depth

Vegaskid
Level 9

Thanks mr.e. You should check under everybody's keyboard to see how many passwords on sticky notes you find ;-)

goodzhere
Level 14

We are constantly being told to beware of this and beware of that.  We also do interactive annual training for this.  They try to stay on top of this where I work.

jkump
Level 15

I used to work in a SOX regulated environment.  When the auditors would visit, they were always looking for the low-hanging fruit.  We ended up almost getting fined due to users putting usernames and passwords on tape on monitors, under keyboards, in the unlocked pencil tray, etc.  It took some enormous efforts to get people to change.

I once had a consultant client in a previous life that used to keep her password written down under her chair but she wrote it backwards and she would reference it by getting her compact mirror out of her purse and hold it so she could remember her password.  At least that was creative, but after about a week she didn't need it anymore. 

Vegaskid
Level 9

lol, good one

Vegaskid
Level 9

Thanks goodzhere

topteaboy
Level 7

I see the task of user awareness being a joint effort that involves the IT team, HR, Corporate Communications and Internal Audit. Without the buy-in from each area it is so hard to get a robust policy and process. Unfortunately for the last four years our HR and Corp Comms team have not taken any interest and the board directors are focused on cost. Finding individuals within these teams that are willing to dedicate some time to this issue is not easy, and these are the ones that need the initial education in understanding the potential business implication. Posting random snippets of information on an intranet is not enough, and neither is the occasional group-wide email notification.

Vegaskid
Level 9

Thanks topteaboy. I agree about your points on buy-in and continuity of knowledge sharing.

mr.e
Level 14

This is so true!!!  The Human Factor.  One of the most difficult issues to address is getting people to stop tailgating for access to secured areas.  Think about it.  Chances are that you (like everyone else) do not want to be deemed rude or discourteous.  So, you feel obligated to let others in with your access badge, even people you've never seen before, trusting that this person does belong.  This is very hard to enforce, especially where there are different layers of security where some persons have access to certain areas but not others.  I hope that technology catches up soon, since the "honor system" does not work, especially in our day and age.

That's my two cents..

Vegaskid
Level 9

Thanks mr.e, and agreed. Propagating a culture where it is acceptable behaviour to challenge people who have no pass on show, or who are in areas you think they should not be in, is indeed not as simple as it might sound. Some people don't like challenging others, even with the authority to do so. More still simply don't pay attention to what is going on around them.