Chapter 7. Human Nature and Organizational Behavior

IN PREVIOUS CHAPTERS, WE DEALT WITH ACCESS CONTROLS primarily from a technological and a policy standpoint. In this chapter, we will delve into the human side of access controls. Human beings are often the weakest link in any access control system. This chapter will examine human behavior, and how adverse behavior can be mitigated through training, organizational culture, and employee support. We also cover employment best practices and ethics programs, which help combat problem behaviors in the workplace.

The Human Element

Technology and policies that implement access controls are tools that dictate behavior, and help to enforce those dictates. In an ideal world, we would not need access controls because human beings would always behave appropriately. Unfortunately, this is not always the case. Because human beings sometimes make improper decisions and act inappropriately in certain circumstances, organizations use access controls to protect sensitive resources.

Dealing with Human Nature

What exactly is "human nature"? Human nature is the sum of qualities and traits shared by all humans. It shapes how we interpret events, how we react to others, and the choices we make every day, and it is grounded in a long evolutionary history.

Although human nature is an important element of who we are and what we do, it does not completely control us. We can choose to act contrary to human nature when we believe it suits our best interests or fulfills some deeper need. Generally, human nature dictates that we follow societal norms and avoid punishment, yet some people choose to violate those norms. Some who make these choices feel that they have no viable alternatives, while others simply discount the probability that they will be caught and punished. Many attackers fall into the second category: they are confident in their skills and believe they are clever enough not to get caught.

What does all this have to do with access control? Everything. Because of human nature, organizations need access controls. At the same time, human nature fights against access controls. Human nature is the single greatest vulnerability in any access control system.

The Unintentional Threat

Human beings make mistakes. When employees have access to data they don't need, the data is at risk of accidental deletion. Another common problem is the employee who inadvertently shares sensitive data with someone who shouldn't have access to it.

Many employees do not understand the risks posed by viruses and worms, or by sophisticated phishing attempts. An employee might open an infected e-mail attachment and forward it to coworkers without realizing the danger. Another source of malware is universal serial bus (USB) flash drives. Employees often use them to transfer files between their work and home computers. If an employee's home computer is infected with malware, the infection can ride along on the USB drive to the office computer.

Laptops and other mobile devices are handy to use but are easily stolen. When users don't exercise physical control over their laptops or smartphones, the devices often disappear. The larger issue may be the data on the device. Is the data confidential? Can someone with malicious intentions access the data? If inadvertently exposed, could it be used against the organization or perhaps people the organization deals with?

Training employees, and limiting what their accounts can reach through access controls, prevents many of these incidents and contains the damage from the rest.

Hackers and Motivation

There are two primary elements to every malicious access control story: the attacker who seeks to break into a computer system, and the resource owner who needs to protect the confidentiality, integrity, and availability of resources against the attacker. What motivates certain individuals to try to gain access to resources to which they do not have a legitimate right?

A hacker usually has two primary motives to break into a computer system: wealth and status. Very young hackers, at 12 or 13 years old, usually begin by defeating copy protections on video games. They desire games but don't always have the resources to purchase legitimate copies. Instead, they borrow games from friends, make copies, and study the protections until they determine a way around them. It's possible that what they learn through these efforts might help them defeat more stringent access controls later in life. They might use their skills to access information with a higher monetary value. They could either sell the information for cash, or use stolen credit card and bank account information to purchase items they want.

The status motivation is less obvious than the wealth motivation, and more powerful. A hacker generally does not gain positive status in mainstream society for hacking efforts, although he or she may gain notoriety. At the point that the hacker is engaging in illegal hacking activity, he or she has already rejected the possibility of mainstream status. Instead, the hacker works for status within the hacker subculture. There are two main keys to status in the hacker subculture:

  • Esoteric knowledge of computer systems and networks

  • Hacking into desirable targets

Note

A target is a system or network that contains valuable data, and has attracted the notice of the hacker. A target is considered highly desirable if the government, and specifically the military, owns it. A corporately owned target is considered highly desirable if it is protected by particularly strong access controls.

By understanding the psychology of the hacker, you can more effectively design access controls to dissuade or prevent him or her from hacking your systems.

Social Engineering

Another facet of human nature is the desire to be helpful, trust others, and cooperate. For example, let's say you're approaching the front doors of an office building and see a delivery person with a dolly full of boxes, struggling to prop open the door. To be helpful and cooperative, you hold the door open for the delivery person. You notice his shirt has a well-known delivery company logo so you trust that he is an employee of that company. There are many other everyday examples in which people instinctively demonstrate the human traits of helpfulness, trust, and cooperation. These traits, however, are also exploitable weaknesses. For example, how do you know the delivery person isn't an intruder who simply bought or stole a shirt from one of the company's employees?

Social engineering is a strategy in which hackers exploit the general human tendency to trust, cooperate, and offer help, especially to those they consider part of their organization or peer group.

A typical social engineering strategy involves the following:

  • Assumed identity—The social engineer pretends to be someone who is considered a "trusted" individual, with a legitimate purpose to ask questions or request information. Commonly assumed identities are technical support experts and company executives. Social engineers choose these identities because the average employee is likely to cooperate with an expert or an executive without question. The delivery person example used earlier in this section is an example of an assumed identity.

  • Believability—The social engineer is careful to inject as much truth as possible into his or her story. Social engineers use insider jargon, names of actual employees the victim is likely to know (but not well), and other information.

  • Multiple contacts—The more contact a person has with another individual or group, the more likely the person is considered as "trusted" or a part of the group. A skilled social engineer makes one or two preliminary calls to the victim, each time gathering a little more seemingly innocuous information. The social engineer weaves this information into his or her story and request for help, increasing the believability of both.

  • Request for help—Once a social engineer gains the trust of a victim, the social engineer asks for help. Typically, he or she has a serious problem that could be easily solved if the social engineer only had a certain piece of information (that the victim has). Because the victim has already identified the social engineer as one of "us," the victim is predisposed to be helpful and solve the fictitious problem by providing the crucial information.

Social engineering works best when employees are trusting and complacent. If employees are trained to recognize social engineering tactics and know how to respond appropriately, the social engineer is far more likely to fail. Unfortunately, most employees are not alert to the possibility of social engineering. They assume that because they had to show an employee ID to enter the office building, anyone they meet inside must belong there.

Pre-Employment Background Checks for Sensitive Positions

Transitioning an individual from "them" to "us" generally requires a certain amount of information about that person. Organizations need to know if individuals they're about to hire can be trusted and will not harm the company and its assets.

That's why most organizations perform pre-employment background checks before hiring job candidates. Employers want some assurances that information provided by applicants is true and complete, and they want to know if an applicant has a personal history that may conflict with the goals of the organization. For example, a financial firm would not want to hire (and in fact, would be legally prohibited from hiring) someone with a history of embezzlement and fraud to be an investment fund manager.

What Information Can Be Considered in an Employment Decision

A wide variety of information can be obtained through a pre-employment screening, whether performed by the hiring company or by a third-party firm. Examples of pre-employment screening information include:

  • Driving records

  • Credit reports

  • Criminal records including arrest reports, incarceration records, and court records

  • Medical records

  • Bankruptcies

  • Military service records

  • School records

  • Worker's compensation records

  • Character references

  • Neighbor interviews

  • References from previous employers

  • Drug test results

  • Sex offender listings

Note

An employer's use of medical information is governed primarily by the Americans with Disabilities Act (ADA); the Health Insurance Portability and Accountability Act (HIPAA), which you read about in Chapter 4, restricts what health care providers and insurers may disclose. Under the ADA, medical information can be used only to determine an applicant's ability to perform the job, with or without reasonable accommodation for a disability, and medical inquiries or examinations may be required only after a conditional offer of employment has been made.

Much of this information is publicly available, but some of it, such as medical and school records and credit reports, requires the applicant's written consent, as does interviewing neighbors and other personal associates. The laws that restrict the use of such information include HIPAA (medical records), the Family Educational Rights and Privacy Act, or FERPA (school records), and the Fair Credit Reporting Act, or FCRA (credit reports and other consumer reports obtained from a third-party screening firm).

Note

Chapter 4 contains in-depth information on HIPAA, FERPA, and many other laws that affect data privacy.

What Information Cannot be Considered in an Employment Decision

In general, under the Fair Credit Reporting Act, a consumer reporting agency may not report negative credit information more than seven years old (bankruptcies may be reported for ten years), so such information cannot be considered in an employment decision. In addition, although an employer can learn of an applicant's bankruptcy history, that information cannot be used to make an employment decision.

Applicant's Rights

If an employer uses information from a consumer report, such as a credit check, to deny employment, the employer is required to notify the applicant before taking the adverse action, give the applicant a copy of the report and a summary of his or her rights under the FCRA, and provide the name, address, and phone number of the reporting agency that performed the background check. Applicants generally have a short window, commonly about 10 days, to dispute inaccurate information before the decision becomes final.

Consequences of a Bad Hiring Decision

At best, a bad hiring decision leads to lowered employee morale, failed projects, and the expense of hiring someone else to replace the unqualified employee. In the banking industry, knowingly hiring a prohibited person can lead to fines of up to $1,000,000 per day for every day the individual remains with the institution, up to five years in prison for those responsible, or both.

These penalties may seem unreasonable for simply hiring an unqualified person to do a job. They apply when a bank hires, without the regulator's consent, an individual who has been convicted of an offense covered by Section 19 of the Federal Deposit Insurance Act. Section 19 deals with criminal offenses involving dishonesty, breach of trust, and money laundering.

Ongoing Observation of Personnel

After a hiring decision is made, and perhaps after an initial probationary period expires, it may seem unnecessary to continue observing employees. However, organizations that make ongoing observation part of standard procedure are better able to prevent workplace violence and employee embezzlement, and to reduce the other risks that come with employing people.

Identify Potentially Disgruntled Employees

A disgruntled employee is a person who is angry or dissatisfied, usually with some aspect of his or her employment. Disgruntled employees often believe they have been unfairly passed over for recognition or promotion, or that they are expected to accomplish more than is reasonable.

Some disgruntled employees are easy to spot—they complain loudly to anyone who will listen about the unfair treatment they receive. Others are more difficult to identify. Some things to watch for when identifying potentially disgruntled employees are:

  • Work that is consistently below average—Not bad enough to warrant termination, but below average. This can indicate a person who does not care about his or her work.

  • A pattern of coming in late and leaving early—This can indicate a person who simply does not want to be where he or she is.

  • The loner—Someone who does not join in normal workplace socialization may not identify with the organization.

  • The socialite—The opposite of the loner, a person who spends a lot of time socializing and networking with coworkers may be looking for allies or sympathizers.

  • Displays of passive-aggressive behavior—This can denote someone who is dissatisfied with his or her situation.

Most disgruntled employees do not show up for work intending to harm coworkers, but they still represent a significant risk to the organization. In 2002, a disgruntled systems administrator at UBS PaineWebber resigned but left a parting gift for his employer: a "logic bomb" that detonated shortly after his departure, deleting files on more than a thousand of the firm's servers across its branch offices, disrupting operations for more than a day, and costing the company more than $3,000,000 to recover (he was convicted in 2006). The employee, like many others, felt that his work was unappreciated and that he had been unfairly shortchanged on a bonus he believed he deserved. The difference between this employee and thousands of others who have felt the same way is access. As a systems administrator, he had high-level access to sensitive systems and the technical knowledge to write and plant the logic bomb.

If managers at PaineWebber had identified the systems administrator as a potentially disgruntled employee, the situation could have been defused and his frustrations addressed more constructively. At the very least, his activities could have been monitored more carefully, and a review of changes made to production systems by privileged users might have found the logic bomb before it detonated after his resignation.

Proper Way to Terminate Access upon Termination of Employment

Termination of employment is a sensitive issue that should be handled carefully. On one hand, the soon-to-be former employee should be treated respectfully and with understanding—after all, losing one's job is a traumatic event that can have a significant impact on an individual's personal life. On the other hand, the organization must protect itself from any negative actions on the part of the employee. The following is a list of actions to consider when an employee is terminated:

  • Lock the terminated employee's workstation and network accounts, and back up data prior to the termination meeting. This will prevent the employee from causing damage after receiving notice of the termination decision.

  • Lock or remove accounts on databases and file servers prior to or during the termination meeting.

  • Change all shared passwords and other credentials the terminated employee knew or held, especially those for accounts reachable from outside the organization (VPN, webmail, cloud consoles, vendor portals), prior to the termination meeting, and revoke any keys, tokens, or certificates issued to him or her.

  • Arrange for company property to be returned. This may include a corporate cell phone or personal digital assistant (PDA), keys, company car, ID badge, parking pass, laptop computer, client files, and contact lists. A terminated employee could use these items to gain unauthorized access to facilities or data.

  • Consider how the terminated employee will be allowed to retrieve personal belongings after the termination meeting. After the meeting, the employee should be considered a potentially hostile visitor to the facility and appropriate physical security measures should be taken. The employee should not be allowed to return to his or her office or another area of the facility unescorted.

  • Consider whether security should be called to escort the terminated employee out of the building after the termination meeting.

  • Change the locks on the terminated employee's office door, and change keypad codes as needed.

  • Lock or remove the terminated employee's e-mail account. If the e-mail account is left active, the employee could use that account to send seemingly official e-mails containing sensitive information to clients or members of the media.

  • Change the terminated employee's voice-mail message and forward his or her office phone to another employee or to a manager. Change the PIN on the voice-mail system.

Note

The timing of these actions must be well-planned. If an employee comes into work in the morning to find that all of her accounts have been locked, she might suspect she is about to be terminated.

Not every security breach comes from hardened criminals or teenagers looking for something to do, although those breaches do happen, and as a security professional you should be aware of them and mitigate those risks. A large share of the most damaging breaches are carried out by disgruntled employees and former employees. These insiders have intimate knowledge of the organization and its systems, and may have friends and allies in the organization willing to help. One way to reduce the risk of employee retaliation is to perform thorough background checks on hiring candidates. However, because you cannot always predict human behavior, access control techniques such as those discussed in this section mitigate the risk of retaliation by removing a disgruntled employee's opportunity to do harm. Verifying after the termination that every account, group membership, and credential was actually revoked confirms that the opportunity is gone.

Organizational Structure

Most organizations are structured as a hierarchy comprised of senior management, operational management, and staff. In terms of access control, this hierarchical structure implies that a higher-level employee should have all the access rights that a lower-level employee has, plus some additional rights. A skilled social engineer can exploit this assumption by posing as a high-level executive and targeting a lower-level member of the support staff. Support staff members are trained to be helpful, and the target may be intimidated by someone he or she assumes is an important executive. These natural tendencies represent an easy opportunity for a social engineering attack. All the social engineer has to do is call the help desk, claim to be the executive or the executive's assistant, and ask the support person to create an account on a sensitive system. Assuming the executive must be authorized on any system, the help desk employee creates the account without question, and the attacker has all the access she needs. The defense is procedural: the help desk confirms the caller's identity through an independent channel, such as a callback to the number on file, and grants access only with the approval of the resource's owner, regardless of the caller's title.

An access control model based on organizational structure is designed to blunt this kind of attack. Rather than giving high-level employees high-level access to sensitive resources, employees are given access based on the tasks they must complete as part of their jobs. Access rules balance confidentiality against necessity. In this sense, an organizational structure model is similar to the role-based access control (RBAC) model discussed in Chapters 6 and 10.
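The two decision rules described above, as an added example that is not part of the original chapter: a rank-based check that treats seniority as inheriting every subordinate's permissions (the assumption the social engineer exploits), a task-based check that grants only what an assigned role carries, and a help-desk provisioning step that ignores the caller's claimed title until the identity is confirmed out of band and the role's owner has approved. The roles, permissions, owners, and employees are constructed for illustration.

```python
"""Added example: task-based (role) access versus rank-based access, plus a
help-desk provisioning check that never trusts a claimed title by itself.
All roles, permissions, owners and employees below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Permissions attach to roles (tasks), never to a person's rank.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll_db:read", "payroll_db:write"},
    "help_desk": {"directory:reset_password"},
    "executive": {"board_portal:read"},
}
# Each role has an owner whose approval is required before it is assigned.
ROLE_OWNERS: Dict[str, str] = {
    "payroll_clerk": "payroll_manager",
    "help_desk": "it_manager",
    "executive": "ceo",
}


@dataclass
class Employee:
    name: str
    grade: int                                 # hierarchy level, higher is more senior
    roles: Set[str] = field(default_factory=set)


def sample_directory() -> Dict[str, Employee]:
    """Constructed directory used by the examples below."""
    return {
        "ceo": Employee("ceo", grade=5, roles={"executive"}),
        "clerk": Employee("clerk", grade=1, roles={"payroll_clerk"}),
        "desk": Employee("desk", grade=1, roles={"help_desk"}),
        "newhire": Employee("newhire", grade=1),
    }


def permissions_of(emp: Employee) -> Set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in emp.roles))


def rank_based_allowed(user: Employee, permission: str, directory: Dict[str, Employee]) -> bool:
    """The flawed assumption: anyone who outranks a holder of a permission
    is treated as holding it too."""
    return any(other.grade <= user.grade and permission in permissions_of(other)
               for other in directory.values())


def task_based_allowed(user: Employee, permission: str) -> bool:
    """RBAC-style decision: only the permissions of the roles actually assigned."""
    return permission in permissions_of(user)


@dataclass
class RoleRequest:
    claimed_identity: str                     # what the caller says on the phone
    target: str                               # account that should receive the role
    role: str
    verified_identity: Optional[str] = None   # identity confirmed by callback or in person
    approved_by: Optional[str] = None         # role owner who approved, if any


def provision_role(req: RoleRequest, directory: Dict[str, Employee]) -> Tuple[bool, str]:
    """Help-desk workflow: a claimed title is never sufficient on its own."""
    if req.verified_identity is None or req.verified_identity != req.claimed_identity:
        return False, "caller identity not confirmed through an independent channel"
    owner = ROLE_OWNERS.get(req.role)
    if owner is None:
        return False, f"unknown role {req.role!r}"
    if req.approved_by != owner:
        return False, f"role {req.role!r} requires approval from its owner {owner!r}"
    if req.target not in directory:
        return False, f"no such account {req.target!r}"
    directory[req.target].roles.add(req.role)
    return True, f"{req.role!r} assigned to {req.target!r}"


if __name__ == "__main__":
    d = sample_directory()
    print("rank-based: CEO may write payroll?", rank_based_allowed(d["ceo"], "payroll_db:write", d))
    print("task-based: CEO may write payroll?", task_based_allowed(d["ceo"], "payroll_db:write"))
    spoof = RoleRequest(claimed_identity="ceo", target="newhire", role="payroll_clerk")
    print(provision_role(spoof, d))
```

Under the rank-based rule the "executive" outranks the payroll clerk and therefore gets payroll write access for free; under the task-based rule the executive has only what the executive role carries. The help-desk function shows the order of checks a practitioner wants: identity first, then the owner's approval, and only then the change to the directory.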

The organizational structure model adds consideration for the two-way flow of information in an organization. Managers communicate information downward to their departments and teams, and employees communicate information upward to their managers. Unfortunately, if all members of an organization are not well trained in information security, this two-way communication can result in unintentional breaches of confidential information. For example, a manager who was not aware of information flow might mention to employee A that employee B is highly favored to receive a promotion because of B's excellent productivity. On the other hand, employee C, who knows that employee D is planning to leave the organization, might mention during a project planning meeting that they'll need to be sure that D's replacement is up to speed before the project launch, inadvertently informing the entire team and the manager that employee D is planning to resign.

Job Rotation and Position Sensitivity

For the most sensitive positions, especially those that are directly responsible for crucial information and assets, job rotation is a way to minimize the effects of dishonesty. Take, for example, the responsibility of signing checks and reconciling an organization's bank statements. If a single individual holds this responsibility for several years, that person could embezzle significant amounts of money from the organization. However, if the responsibility rotates among half a dozen managers, a manager could embezzle for no more than a few months, knowing that the next manager who checks the bank statements against approved expenditures would probably catch any fraudulent activity.

Requirement for Periodic Vacation

In some industries, especially the financial sector, periodic vacations are required as part of the employment agreement. Periodic, or mandatory, vacations are a security measure. If an individual in a highly sensitive position is doing something dishonest, requiring that person to take one or two weeks off from work provides time for evidence of dishonesty to surface.

Another benefit of periodic vacations, which isn't often considered, is that they can reduce the success of social engineers. When an individual holds a high-stress position for a long period of time, that stress can create a sense of burnout or constant crisis. Both of these states of mind are easy for a social engineer to exploit, because they prevent the victim from seeing a situation clearly. To combat this, a required vacation period is sometimes necessary.

Separation of Duties

Separation of duties ensures that a single person does not handle all crucial decisions and activities, especially those involving a high level of trust. The goal is to avoid the temptation to commit fraud or other illegal activities. Most people consider themselves reasonably honest, and consider stealing wrong or immoral. However, life is messy, and concepts like right and wrong can get blurred when surrounded with the realities of life.

Consider the following scenario: A CFO at a mid-sized financial firm has worked hard to achieve his position. He is well-respected and known for finding "diamond-in-the-rough" investments that pay off well for his firm. His bonuses are tied to investment decisions that produce profits—if the firm does well, the CFO receives a lucrative bonus. His wife is a database administrator for a large consulting firm. They have three young children, a large home in a desirable neighborhood, and a significant amount of debt.

On Friday evening, the wife comes home from work obviously shaken. Due to an economic downturn, her company has just announced that it will lay off 50 percent of its consultants. She has been offered a small severance package in return for her voluntary resignation. Faced with their income being cut in half, the CFO starts looking for ways to increase his personal income to make up the difference.

As their financial situation becomes more strained, he begins to take bigger and bigger risks, hoping for a big payoff that will allow them to pay off their debts and get back on their feet until his wife finds another position. Three months after his wife loses her job, the foreclosure notice arrives. Unless they can pay off several months of overdue mortgage payments, they will lose their home.

The CFO knows that the market will eventually go back up and he will find the big payoff, but he can't wait any longer. He issues himself a corporate check for $250,000—enough to bring his mortgage current, pay off over-due bills, and give his family a few months of breathing room. He will pay it all back, he promises himself, as soon as the market rebounds. As the CFO, he has the final authority to issue checks, and knows that no one below him will question the expenditure.

The CFO did not set out to embezzle from the firm. He simply found himself in a desperate situation and did what he felt he had to do in order to buy himself some time to solve the problems he faced. Desperation coupled with opportunity resulted in the theft of a quarter-million dollars.

Concept of Two-Person Control

Two-person control is designed to eliminate the opportunity for theft, fraud, or other harmful activity. The concept states that there must be two authorized individuals available to approve any sensitive activity. In the preceding scenario, a two-person control would have prevented the CFO from embezzling because he would have needed a second signatory, such as the CEO, on the check. Requiring two signatures would have removed the opportunity to embezzle.

Collusion

Two-person control is not foolproof. In the above scenario, the CFO may have been able to tell the CEO his story and convince him to co-sign the check as a personal favor. This situation is a form of "collusion." However, broaching the subject would have been risky, as simply asking another officer of the company to help him embezzle could have been grounds for his own termination.

Monitoring and Oversight

Although two-person control can be an effective way to remove the opportunity for harmful or dangerous activity, it is only as effective as those who enforce it. If the financial firm required two signatories on all checks, but the CFO knew that the bank did not enforce this rule, the two-person control would have been ineffective.

Similarly, there should always be oversight of any significant activity requiring two-person control to prevent collusion. Whenever two individuals consistently share a significant responsibility, a bond can form between the two individuals. This friendship can become more important to the individuals than the shared task. In the scenario above, if the CEO and CFO were close friends, the CFO would have trusted that his friend would not take action against him, and would be likely to help him take out a private loan from the company. In this case, a regular monthly review by the board of directors of all large expenditures would provide some oversight to the two-person control.
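The controls in this section (two-person control, the collusion it cannot stop, and the oversight that catches collusion), as an added example that is not part of the original chapter. A check ledger enforces separation of duties at signing time, refusing self-approval, payee approval, duplicate signatures, and unauthorized signatories, and requires two signatures above a threshold. A separate oversight report, the kind a board would review monthly, flags the patterns two-person control alone cannot see: checks payable to an insider, and one pair of signatories co-signing nearly everything. The signatories, the $10,000 threshold, and the checks are constructed for illustration.

```python
"""Added example: two-person control with separation of duties, plus an
oversight report for the collusion patterns signatures alone cannot catch.
Signatories, threshold and checks are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple


@dataclass
class Check:
    check_id: int
    payee: str
    amount: float
    requested_by: str
    approvals: List[str] = field(default_factory=list)


class DualControlLedger:
    def __init__(self, signatories: Iterable[str], dual_threshold: float = 10_000.0):
        self.signatories = set(signatories)
        self.dual_threshold = dual_threshold   # at or above this amount, two signatures
        self.issued: List[Check] = []

    def signatures_required(self, check: Check) -> int:
        return 2 if check.amount >= self.dual_threshold else 1

    def approve(self, check: Check, approver: str) -> Tuple[bool, str]:
        """Record one signature, enforcing separation of duties."""
        if approver not in self.signatories:
            return False, f"{approver} is not an authorized signatory"
        if approver == check.requested_by:
            return False, "requester may not approve his or her own request"
        if approver == check.payee:
            return False, "payee may not approve a check to himself or herself"
        if approver in check.approvals:
            return False, f"{approver} has already signed"
        check.approvals.append(approver)
        return True, f"signature {len(check.approvals)} of {self.signatures_required(check)} recorded"

    def issue(self, check: Check) -> Tuple[bool, str]:
        """The bank-side check the CFO relied on nobody making."""
        need = self.signatures_required(check)
        if len(check.approvals) < need:
            return False, f"check {check.check_id} needs {need} signatures, has {len(check.approvals)}"
        self.issued.append(check)
        return True, f"check {check.check_id} issued"

    def oversight_report(self, pair_share_limit: float = 0.8, min_sample: int = 5) -> List[str]:
        """Board-level review: insider payees, and one pair of signatories
        co-signing almost every dual-control check (where collusion hides)."""
        findings = []
        for c in self.issued:
            if c.payee in self.signatories or c.payee == c.requested_by:
                findings.append(f"check {c.check_id}: payee {c.payee!r} is an insider")
        dual = [c for c in self.issued if len(c.approvals) >= 2]
        pairs = Counter(tuple(sorted(c.approvals[:2])) for c in dual)
        for pair, n in pairs.items():
            if len(dual) >= min_sample and n / len(dual) > pair_share_limit:
                findings.append(f"{pair[0]} and {pair[1]} co-signed {n} of {len(dual)} dual-control checks")
        return findings


if __name__ == "__main__":
    ledger = DualControlLedger({"cfo", "ceo", "treasurer"})
    bad = Check(1, payee="cfo", amount=250_000, requested_by="cfo")
    print(ledger.approve(bad, "cfo"))       # rejected: requester and payee
    print(ledger.approve(bad, "ceo"))       # accepted: the friendly co-signer
    print(ledger.issue(bad))                # still blocked: one signature
    print(ledger.approve(bad, "treasurer")) # collusion completes the pair
    print(ledger.issue(bad))                # issued; only oversight catches it now
    print(ledger.oversight_report())
```

Note where each layer stops: the CFO cannot sign his own check, so a single dishonest officer is blocked; two colluding officers can still push it through; the oversight report is what surfaces that, which is why the chapter pairs two-person control with independent review rather than treating it as sufficient.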

Auditing, both internally and by an external firm, is a common way to ensure that all transactions are legitimate and complete. A firm that uses internal auditing must have a team of employees with the authority to investigate any potential misuse of resources. An internal audit is only useful if the auditors have the freedom to follow up on any information they find and report independently, typically to the board's audit committee rather than to the managers whose activities they audit.

External audits must be performed by an objective outside organization. Unfortunately, when the auditing company is hired by the organization it is supposed to audit, the same weaknesses can surface. A good example of the failure of external auditing is the Enron collapse. Enron was able to hide important financial information from both stakeholders and banks. Its auditing firm, Arthur Andersen, failed to uncover the hidden liabilities, was convicted of obstruction of justice for destroying Enron-related documents, and surrendered its licenses to practice as an auditor.

Responsibilities of Access Owners

Ultimately, it is the responsibility of the owners of sensitive systems, data, and other resources to monitor their use and prevent abuse. A data owner should be responsible for:

  • Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information

  • Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors

  • Maintaining a list of authorized users

  • Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction

  • Developing a policy governing data retention and disposition

  • Providing users with adequate training in the use and protection of the information

Owners of other sensitive resources should have similar responsibilities to classify their resources and safeguard them from unauthorized use or destruction.
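Two of the responsibilities above, maintaining the list of authorized users and safeguarding the data from unauthorized use, and the termination procedure earlier in this chapter, which is only complete once access has verifiably been removed, are served by one recurring check: an access recertification. The following is an added example, not part of the original chapter, in which a data owner reconciles three inputs: his or her own authorized-user list, an export of what the systems actually grant (with group membership expanded, since a terminated employee left in a group keeps the group's access), and HR's list of separated employees. The export format, the groups, and every name are constructed for illustration.

```python
"""Added example: a data owner's periodic access recertification.  It
reconciles the owner's authorized-user list with an exported ACL and with
HR's list of terminated employees.  The export format, groups and names are
constructed for illustration, not taken from any real product."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed ACL export: one "resource,principal" grant per line; groups start with "@".
ACL_EXPORT = """\
# resource,principal
payroll_db,alice
payroll_db,@finance
payroll_db,dave
hr_share,@hr
hr_share,carol
board_portal,erin
"""
GROUPS: Dict[str, Set[str]] = {
    "@finance": {"alice", "bob", "dave"},
    "@hr": {"carol", "frank"},
}

# The owner's own list, maintained as one of the data-owner responsibilities above.
AUTHORIZED: Dict[str, Set[str]] = {
    "payroll_db": {"alice", "bob"},
    "hr_share": {"carol", "frank"},
    "board_portal": {"erin", "grace"},
}
# HR's list of employees whose employment has ended.
TERMINATED: Set[str] = {"dave", "frank"}


@dataclass(frozen=True)
class Finding:
    resource: str
    principal: str
    issue: str


def parse_export(text: str, groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Expand each grant to individual users so group membership is checked too."""
    effective: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        resource, principal = (part.strip() for part in line.split(",", 1))
        # An unknown group is kept as-is so it shows up as an unauthorized principal.
        members = groups.get(principal, {principal}) if principal.startswith("@") else {principal}
        effective.setdefault(resource, set()).update(members)
    return effective


def recertify(authorized: Dict[str, Set[str]], effective: Dict[str, Set[str]],
              terminated: Set[str]) -> List[Finding]:
    """Report grants the owner never authorized and access that survived termination."""
    findings: List[Finding] = []
    for resource in sorted(set(authorized) | set(effective)):
        granted = effective.get(resource, set())
        allowed = authorized.get(resource, set())
        for user in sorted(granted - allowed):
            findings.append(Finding(resource, user, "granted but not on the owner's authorized list"))
        for user in sorted(granted & terminated):
            findings.append(Finding(resource, user, "terminated employee still has access"))
        for user in sorted(allowed & terminated):
            findings.append(Finding(resource, user, "owner's authorized list still names a terminated employee"))
    return findings


def run_sample() -> List[Finding]:
    return recertify(AUTHORIZED, parse_export(ACL_EXPORT, GROUPS), TERMINATED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.resource:12} {f.principal:8} {f.issue}")
```

On the constructed data the report surfaces the two failure modes practitioners most often find in real reviews: dave was granted payroll access directly and through a group, never appeared on the owner's list, and kept both after termination; frank was offboarded on paper but remains in the @hr group, so the share still admits him. Users who are authorized but not granted (grace) are not reported, since they pose no exposure.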

Training Employees

A well-trained workforce is a valuable asset in any access control system, especially when it comes to defeating social engineering tactics. Employees cannot be expected to respond appropriately to security situations if they have not been trained in the proper way to handle them.

Simply handing a new hire the employee handbook and expecting him or her to read the sections on security policy is not enough. A good security awareness program should meet the following criteria:

  • Be ongoing—Telling employees about a security policy once is not enough. Security awareness messages should be repeated and reinforced on a regular basis.

  • Include multiple formats—Not every individual learns in the same way. Some people are better at processing written information, while others are auditory learners. Some respond better to visual representations or dramatizations. Presenting information in a variety of formats helps to ensure that every employee understands security concepts well.

  • Be interactive—People remember information more clearly when they are able to interact with it. Role-playing activities are a great way to allow employees to interact with security information and practice recognizing and responding to security events.

  • Include multiple points of contact—It can take up to a dozen repetitions before a concept becomes internalized. Place security awareness signs around the workplace, schedule workshops and seminars, and conduct security awareness drills. Each time employees encounter security awareness messages, that information will become a little more ingrained.

What should employees learn about security? Two common policies, the acceptable use policy and the security awareness policy, cover the most common security information most employees need. Neither of these policies is a one-size-fits-all solution. Each organization will have its own versions.

Acceptable Use Policy

An acceptable use policy (AUP) defines how employees may use the IT infrastructure supplied by an organization. In general, an acceptable use policy specifies whether employees may use organization resources such as networks, Internet connection, and e-mail accounts for personal use. It may also define whether employees may download files from the Internet, forward humorous or chain letters via e-mail, or engage in sending spam. An acceptable use policy generally forbids any activity that is prohibited by federal, state, or local laws or that violates regulatory compliance. Common elements in an acceptable use policy are:

  • Keep all passwords secure and do not share accounts.

  • All workstations and laptops must be secured with a password-protected screensaver.

  • Use of organizational communication resources, including e-mail, telephone, Internet, and inter-office mail, shall be limited to business purposes only. Personal use is strictly prohibited.

  • Sending unsolicited junk e-mail or advertisements is prohibited.

  • Any form of harassment, including e-mail and telephone messages, is prohibited.

  • Creating or forwarding chain letters, pyramid schemes, or other similar messages is prohibited.

  • Circumventing the security of any network or host owned by the organization is prohibited.

Most acceptable use policies go into more depth; however, these are some common items found in every acceptable use policy.

Security Awareness Policy

A security awareness policy specifies what individual employees are responsible for in terms of information security. It also defines the responsibilities of managers and information owners. Because security is an ever-changing field, many security awareness policies do not lay out specific procedures, but rather refer employees to another resource for up-to-date information, such as a page on the organization's intranet.

In general, employees must agree to read and follow security procedures. Managers are responsible for providing training and security resources for those under their supervision, and information owners are responsible for classifying their information and taking appropriate steps to safeguard it. Some common elements in a security awareness policy include:

  • The organization shall provide ongoing training and resources on information security.

  • Information owners shall classify the information according to its sensitivity, and take reasonable precautions to safeguard the information.

  • Employees should understand common security threats and maintain a sense of vigilance, especially with regard to social engineering attacks.

  • Employees should immediately report any suspicious activity to their manager.

Many security awareness policies also include references to other documents, both internal policies and external resources that employees can reference if they are unsure of whether a given situation constitutes a security threat.

Ethics

As children, most people learn the basic concept "treat others as you would want them to treat you." Of course, life for adults is rarely that simple. Adults tend to complicate things. The study of ethics is essentially the study of those complications, and how to navigate them back to the simplicity of "treat others as you would want them to treat you." In this section, you'll examine how ethics affect information security, and specifically the need for access controls.

What Is Right and What Is Wrong

"Right" and "wrong" may seem like basic concepts—most children learn that lying and stealing are wrong—but in the real world of organizational behavior, there is a grey area between the two absolutes. Most decisions people make fall into this grey area.

Ethics Go Beyond "Do Not Steal"

Organizational ethics programs are essential for defining the core values of the organization. However, an organization that forgets or ignores the code of ethics once it has been written does not fully take advantage of this powerful tool. An ethics program is far more than a written document. It involves several stages, which should be reviewed and repeated regularly:

  • Define the core values of the organization, and ensure that those values are reflected in the stated code of ethics. An organization's core values should be limited to those three to five values that are most critical to that particular organization. An educational institution, for example, may place intellectual development on its list of core values, while a manufacturing company would replace that value with one more suited to its purpose, such as quality assurance. These core values should be reviewed annually, to ensure that the stated values still reflect the goals of the organization.

  • Solicit input from a wide range of stakeholders across all levels and departments of the organization. Although a code of ethics should have strong backing from the highest levels of management, it is also important for employees at all levels to see that their perspectives are represented in the final document.

  • Write or revise the code of ethics, including information on where an employee can go for clarification, and how ethical dilemmas should be resolved. Distribute the document to every employee, and post copies throughout the organization.

  • Create or review structures within the organization that support the code of ethics. For example, many organizations create an ethics committee at the board level, which provides high-level leadership on ethics matters, as well as an ombudsman to assist in clarifying ethical questions by interpreting policies and procedures in the day-to-day operations of the organization. The ombudsman also assists in resolving ethical concerns employees may have about their duties or about the activities of management.

  • Conduct training sessions and workshops to further clarify the core values contained within the code of ethics and to allow employees the opportunity to practice analyzing situations and making ethical decisions, in a low-stress environment. This experience will help them when they are faced with an ethical dilemma in higher-stress situations.

This process is critical in times of rapid change and crisis, when there may not be time to deliberate on the ethical implications of behaviors and decisions. By placing a high priority on ethics, and ensuring that every employee is well trained in the process of analyzing situations and making ethical decisions, an organization can ensure that their employees will use the code of ethics when it is most needed. Ongoing attention to the process of ethics management makes the code of ethics a real presence in organizational culture, not just another document in the employee handbook. It should inform every other policy, including those on information security.

Enforcing Policies

Simply writing policies that define the responsibilities of information owners, managers, and employees is not sufficient to actually safeguard sensitive resources. Those policies must be understood, accepted, and enforced on all levels. For an information security policy to be truly effective, individual employees must accept its importance in meeting their needs and enforce it informally within their working groups.

Employees should understand that safeguarding information is vital to the continued success of the organization, and therefore the continuation of their jobs, and their personal ability to meet the physical needs of their families. The policy itself should also specify who has the ultimate authority to enforce the policy and specific consequences of non-compliance. Managers should be proactive in providing resources and training for their employees. They are also responsible for formal policy enforcement. Information owners must also take their role seriously and ensure that the information they are responsible for is adequately protected.

Human Resources Involvement

Human resources should be an integral part of enforcing security policy. By providing resources and training opportunities, they can help prevent security policy non-compliance. They are also responsible for implementing the stated consequences for non-compliance, including formal employee censure and termination.

Best Practices for Handling Human Nature and Organizational Behavior

Human nature is a complex thing, and cannot be used to explain every incident of individual or organizational behavior, but it is usually a factor. In this section, you will discover some best practices for working with human nature to achieve positive security behaviors while minimizing negative ones.

Make Security Practices Common Knowledge

Employees cannot follow practices they do not know about or understand. A comprehensive training program is a good way to make sure that everyone in the organization understands which behaviors have an impact on security and how to recognize risky behaviors in themselves and their peers. Offer training workshops and seminars on a regular basis, put up posters reminding employees to create secure passwords or recognize social engineering tactics, and encourage managers to discuss security practices that apply specifically to their area of the organization with their teams.

Foster a Culture of Open Discussion

Many organizations claim to encourage discussion between individual employees and their managers, but few actually do. Encourage managers and team leaders to periodically check in with each of their direct reports and really listen to what they say about the organizational culture. If employees are reluctant to open up to their direct supervisors when asked their opinion on the general culture, they will be far less likely to initiate a conversation about a serious matter such as security.

These "how are things going" discussions should be conducted in a casual way, and repeated on a regular basis. This will encourage employees to alert their managers early when they notice a problem, rather than waiting until the problem is large enough to warrant requesting a formal meeting with the boss. It will also create a framework for the discussion, and can help defuse potentially disgruntled employees. Most disgruntled employees feel that they are not valued and that management does not listen to their concerns. Simply asking these employees for their observations and opinions—and listening sincerely and genuinely taking their viewpoint into consideration—will go a long way toward making employees feel connected to the organization.

Encourage Creative Risk-Taking

Many negative security behaviors have an element of risk-taking. Channel that urge to take risks into areas where it can benefit the organization, rather than hurt it. Encourage employees to take creative risks—both within the organization and in their private lives. Provide a bulletin board where employees with creative outlets such as music, theater, or art can post performance fliers and invite their peers to attend. Within the organization, go beyond the suggestion box. When employees bring up viable ideas for improving processes, let them implement those ideas on a small scale. This will not only give all employees a sense of ownership in the organization, but will create a process incubator that could generate innovations that give the organization a real advantage over the competition.

Case Studies and Examples of Access Control Systems That Uniquely Solve Business Challenges

Access control systems that address human nature—and the problems human nature can introduce—focus on social engineering attacks. The case studies in this chapter also focus on social engineering, and how to implement access control policies that will prevent those types of attacks.

Private Sector Case Study

Private sector organizations are often the targets of social engineering attacks. They tend to be less well protected from social engineering attacks than governmental organizations. For this reason, foreign governments as well as competitors often target them.

Consider the case of Acme Software, a large technology firm. They produce software-based firewall and e-mail encryption solutions for home and business use.

Late one Monday afternoon, Janice, an administrative assistant, receives a telephone call from a man who says his name is "Ed" and works in the marketing department. Ed tells Janice that he is working on the marketing collateral for the big trade show next month and needs to know the major features for the new line of encryption software. Being helpful and providing information is a big part of Janice's job, so she knows right where to find the documentation on the new software. She reads off a list of features to Ed, who thanks her profusely for saving him a lot of time on this project.

A few days later, Ed makes another phone call, this time to a programmer on the encryption team. He tells the programmer the same story—that he is from marketing and is working on materials for the trade show—and asks the programmer to explain one of the most technical features from the list he got from Janice. The programmer begins to explain it, and Ed asks questions that clearly demonstrate that he does not understand the technology. As the programmer's frustration grows, Ed suggests that it might be easier if he could just play with a copy of the software. The programmer, at this point eager to get Ed off the phone, agrees. Ed tells the programmer that he's actually working from home and doesn't have his corporate laptop, and asks him to just send the files to his personal e-mail address instead. The programmer agrees, and sends an e-mail with a copy of the software to Ed's personal e-mail account.

Unfortunately, Ed was actually a corporate spy working for a foreign government. The U.S. government forbids the export of the encryption technology in the software to the nation in question, but the programmer had no idea he was breaking any laws. He was just trying to get "marketing" off the phone so he could get back to work on his code.

The ultimate weakness in this scenario was the employees' tunnel vision. They knew their jobs very well, but did not relate their positions to the larger organization. Janice knew that her job was to be helpful, but she did not stop to question who she was helping. The programmer did not connect the fact that he was working on highly sensitive code to the possibility that he could become the target of a social engineering attack. Better security awareness on all levels of the organization would have prevented this attack.

Public Sector Case Study

University networks are often targets of information theft because they hold valuable information and are accessed by people with minimal—if any—security training. Consider this scenario:

Michelle is a first-year early childhood education student attending the state university. Monday morning at 7:30 a.m., her phone rings. On the other end of the line is someone claiming to be from Campus Information Security. He tells her they have been monitoring the data usage from her room and have noticed a spike in file transfers over the past week.

Michelle is initially confused, having been suddenly woken up by the phone and unfamiliar with the terms "file transfer" and "data usage." The man on the line asks her how long she has been operating an illegal file sharing server from her room, and informs her that such activity is a violation of university policy. She could be expelled from school and face stiff civil fines, as well as possible jail time.

Fully awake now, Michelle protests. She hasn't been running a file server from her room; there must be some mistake. At first, the man on the phone seems unconvinced, but as Michelle pleads her innocence and ignorance of the issue, he backs down and suggests that she must have a virus that's causing the increased file transfer rate. He'll need to log onto her system to run a diagnostic check and clean out the virus, and to do so he'll need her username and password.

Relieved that he is no longer threatening her with expulsion, fines, and jail time, Michelle agrees and gives him her information. He tells her to give him a couple of hours to work on things, and he'll erase the virus and make a note in his files.

The social engineer who targeted Michelle spends the next couple of hours using her account to explore the university's network and break into more sensitive areas than Michelle has access to.

In this case, the hacker exploited two crucial things: ignorance and fear. First, he targeted a first-year student who was unlikely to have any experience or knowledge of information security. He didn't choose a computer science major; he chose a budding preschool teacher. Second, he bullied her until she was clearly upset, then changed tactics and became helpful. He also chose to contact her at a time when she was most likely to be groggy. When people are first awoken, they tend to react to situations more emotionally than they would when fully awake. No one thinks calmly and rationally when they are woken out of a deep sleep.

The solution to this problem is education. If the university had simply made information security a part of its freshman orientation, and emphasized that no one from the university will ever ask for a student's password, Michelle would have had a good chance of recognizing that something about the call wasn't right.

Critical Infrastructure Case Study

Infrastructure facilities usually have strong physical security. They are surrounded by barbed wire and have security guards at every entrance. Those guards are highly trained and aware of the important role they play in keeping things running smoothly, but they are still human and prone to very understandable mistakes.

James was a third-shift guard at a nuclear power plant. He took his job seriously, dividing his time between watching the surveillance monitors in the security office and walking the hallways in his area looking for anything out of the ordinary.

One cold night in January, around 2:00 a.m., he heard voices down the hallway that led to the control room. He hurried to the source of the sound and discovered two young men. He asked to see their ID badges, which they claimed to have forgotten. They told him they were new employees, and gave the name of their manager. James escorted them back to the security office, where he placed a call to the manager, waking her up. The manager confirmed that she did have two new employees and confirmed their names, then asked to talk to the two men.

James handed over the phone, and listened as one of the young men explained to the manager that he was just in early to finish some paperwork he didn't do the night before, and confirmed that he would have a presentation ready for the staff meeting later that day. Then the young man hung up the phone and apologized to James for all the trouble, and explained how he was new and didn't want to get in trouble for not getting this paperwork done. James let the two men go.

James had expected to get the phone back to get a final okay from the manager. He had already woken her up once, so he didn't want to call back and risk getting in trouble. A few minutes after the two men left the security office, the manager called back and informed James that she had no idea who the two men were; they were definitely not her employees. She had tried to ask questions, but the man on the phone simply ignored her and talked about paperwork and staff meetings. Of course, by the time James found this out and began looking for the two young men, they had already found what they were looking for and left the premises.

The weakness in this situation was the security guard's natural fear of angering someone higher up the organizational chart than himself. No one likes being woken up at 2:00 a.m.—especially twice in one night. The solution to this problem is to educate everyone in an organization—managers and employees alike—on the importance of security protocols. If James had felt more certain that as long as he was doing his job he was safe from repercussions, he would not have hesitated to call the manager back and would have caught the two young men in their scam.

CHAPTER SUMMARY

In this chapter, we discussed how human nature both insists upon access control and fights against it. You read about how a skilled social engineer can exploit human nature to obtain unauthorized access to information and systems, and how training, organizational culture, and employee support can mitigate the weaknesses that human nature introduces into any access control system.

KEY CONCEPTS AND TERMS

  • Disgruntled employee

  • Human nature

  • Separation of duties

  • Target

  • Two-person control

CHAPTER 7 ASSESSMENT

  1. Generally, hackers are motivated by ________ and ________.

  2. A target is a system or network that contains valuable data, and has attracted the notice of the hacker.

    1. True

    2. False

  3. A typical social engineering strategy involves which of the following?

    A. Assumed identity

    B. Believability

    C. Multiple contacts

    D. Requests for information

    E. A and B only

    F. All of the above

  4. What element of human nature does a social engineer exploit?

    1. Fear

    2. Ambition

    3. Trust

    4. Desire for status

    5. Greed

  5. An employer can obtain an applicant's driving records as part of a pre-employment background check.

    1. True

    2. False

  6. An employer can obtain an applicant's medical history and credit reports without special consent of the applicant.

    1. True

    2. False

  7. Passive-aggressive behavior can be an indicator of a ________ employee.

  8. Prior to or during an employee termination meeting, which of the following should be locked or changed?

    1. The employee's workstation and network accounts

    2. The employee's e-mail account(s)

    3. Passwords for online accounts accessible to the employee

    4. The employee's accounts on databases and file servers

    5. All of the above

  9. Two-way communication is critical to the organizational structure model of access control.

    1. True

    2. False

  10. Which of the following can help uncover dishonesty, such as fraud or theft, in the workplace? (Select two.)

    1. Mandatory vacation

    2. Pre-employment checks

    3. Job rotation

    4. Ethics training

    5. All of the above

  11. ________ is designed to eliminate the opportunity for theft, fraud, or other harmful activity.

  12. Access owners are responsible for maintaining a list of authorized users.

    1. True

    2. False

  13. Informing employees of security and acceptable use policies during orientation is sufficient training.

    1. True

    2. False

  14. Human resources should be an integral part of enforcing security policy.

    1. True

    2. False
