Chapter 8

Human Element Security

This chapter discusses several issues that pertain to the human element of information security and why the people that staff our organizations pose a security challenge that cannot be directly addressed with technical controls in every case. It covers items that we might want to discuss with users, including: protecting data, passwords, social engineering, network usage, malware, use of personal equipment on corporate networks, clean desk policies, and policy and regulatory knowledge. It also talks about what we can do to make our security awareness and training programs better, and the steps that we can take to make this information impact users' behaviors.

Keywords

security awareness; passwords; social engineering; pretexting; phishing; tailgating; malware; policy; regulatory; training

Information in This Chapter

• Humans: the weak link

• Security awareness

• The security awareness and training program

Introduction

One of the more difficult aspects in all of information security is providing security for and against some of the people within and surrounding our information, including our employees, contractors, partners, customers, service providers, and any number of other people. Almost without fail, we can expect these people to behave in unexpected or unusual ways, whether innocently, through ignorance, or maliciously. Whatever the case, providing security for this area can be a challenge.

Humans: the weak link

Security professionals spend a great deal of time assembling the layers of security that protect our organizations. We put controls in place (administrative, technical, and physical) in order to keep the bad out and the good in, and expend a great deal of time and resources in ensuring that our various intrusion detection, mail filtering, web proxies, firewalls, and a myriad of other technologies are tuned just so, in order to maintain optimal security for our environments. Unfortunately, bad decisions on the part of our users can nullify all of these measures with a single click.

Often with the best of intentions, our users will click on links that are really malicious code, send sensitive information via unprotected methods, divulge passwords, write secure information down and post it in conspicuous places, reveal sensitive information over social media, and a veritable horror show of other such compromising behaviors. Worse yet, when encouraged by a skilled adversary, these tendencies can be channeled in particular directions to enable very specific attacks to take place. An excellent example of this is the RSA breach that took place in 2011 [1]. In this case, highly sensitive information related to RSA's widely used hardware authentication tokens was stolen, with the initial method of ingress to the company's environment being a social engineering attack.

The solution to these types of issues, in addition to the technical measures that we already have in place, is a solid security awareness and training program. We must make users aware of the risk they are accepting through their actions and change their behavior.

Security awareness

As we have previously discussed, building an appropriate level of security awareness in our users is crucial to the ongoing security of our organizations. Although what we discuss with them will vary from one organization or environment to another, there are a few core items that will be standard in the majority of such efforts: protecting data, passwords, social engineering, network usage, malware, the use of personal equipment, clean desk, and policy knowledge.

In the next few sections, we will take a look at the basics of each of these areas.

Protecting data

Regardless of the industry in which we operate, we will almost always have a need for protecting data of some variety. As we covered in Chapter 6, there are numerous laws and regulations that govern data, and compliance with them is one of the costs of doing business. If we process credit card transactions, we need to worry about Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) for those that handle medical patient data, Family Educational Rights and Privacy Act (FERPA) for educational data processing, and numerous others.

In addition to compliance requirements, protecting data is also smart for somewhat softer reasons, such as reputation and customer retention. Appearing in the news because of a data breach can be extremely damaging to a company and can drive customers to competitors very swiftly. Additionally, not being in compliance with some regulations can result in penalties like suspensions, fines, and in some cases jail.

In order to adequately communicate the need for data security to users, we should present them with recurring training that regularly covers the data with which we work. Our users need to understand the criticality of carefully handling data from both a compliance and a customer retention and reputation perspective. Companies that have annual training have found very low retention rates and little behavior modification. The key is quarterly or even monthly training that engages the users. Some companies are even using gamification techniques as part of their program.

Passwords

Passwords are an area in which we can easily enforce a technical control, to a certain extent, to force users to handle passwords appropriately, but in which we can then fail entirely in other respects. For example, we can, in most operating systems and tools, enforce certain levels of password strength: at least eight characters, at least one upper case, at least one lower case, at least one symbol, at least one number. This would produce a password something along the lines of P@ssw0rd. The key is to balance the complexity of the password with the importance of what is being protected. Eight characters is probably fine for a site that stores family photos, but not recommended for a bank account.

On top of this, we can generally force password expiration and make the user reset their password at some interval, say 90 days. Additionally, we can stipulate that new passwords cannot be a variation of the previous 10 passwords used, in order to prevent a user from doing something along the lines of incrementing a number or changing one letter. This should ensure that we don’t have passwords trivially guessed by an attacker, although these will still not stand up against a determined and skilled attacker with sufficient access to resources (few things will).

One effective way of highlighting the need for strong passwords when discussing this from a security awareness perspective is to discuss the difference in password brute forcing times between very simple passwords such as “password” and more complex variations such as P@ss//3rd. A good source for such information exists at http://www.lockdown.co.uk/?pg=combi.
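The two password controls described above (complexity rules plus a history that rejects trivial variations of the previous 10 passwords) and the brute-forcing comparison between "password" and "P@ss//3rd" can both be demonstrated in a few dozen lines. The following is an added example written for this chapter, not code from the book or from any product; the rule thresholds, the PBKDF2 parameters, the 95-character printable-ASCII alphabet and the guess rate passed to `brute_force_seconds` are all assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed policy values mirroring the chapter's example rules (assumptions).
MIN_LENGTH = 8
HISTORY_DEPTH = 10
PBKDF2_ROUNDS = 50_000  # chosen for a fast demo; production values are higher


def check_complexity(password: str) -> list[str]:
    """Return the complexity rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures


def _normalize(password: str) -> str:
    """Collapse the trivial edits the chapter mentions (incrementing a trailing
    number, changing letter case) so near-duplicates compare equal."""
    return re.sub(r"\d+$", "", password).lower()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; history entries are stored hashed, never in clear."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords and of their
    normalized forms, so a user cannot resubmit a trivial variation."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes, bytes, bytes]] = []

    @staticmethod
    def _matches(password: str, salt: bytes, digest: bytes) -> bool:
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def reused(self, password: str) -> bool:
        norm = _normalize(password)
        for salt, digest, nsalt, ndigest in self._entries:
            if self._matches(password, salt, digest) or self._matches(norm, nsalt, ndigest):
                return True
        return False

    def accept(self, password: str) -> None:
        salt, digest = hash_password(password)
        nsalt, ndigest = hash_password(_normalize(password))
        self._entries.append((salt, digest, nsalt, ndigest))
        del self._entries[:-HISTORY_DEPTH]  # keep only the most recent entries


def validate_change(history: PasswordHistory, new_password: str) -> list[str]:
    """Apply complexity and history rules; record the password only if it passes."""
    problems = check_complexity(new_password)
    if history.reused(new_password):
        problems.append(f"variation of one of the previous {HISTORY_DEPTH} passwords")
    if not problems:
        history.accept(new_password)
    return problems


def keyspace(password: str) -> int:
    """Size of the smallest alphabet covering every character class present,
    raised to the length: the space an exhaustive brute force must cover."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII symbols (95 total with letters and digits)
    return alphabet ** len(password)


def brute_force_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a constructed guess rate.
    A dictionary attack finds a word like 'password' far faster than this."""
    return keyspace(password) / guesses_per_second
```

At an assumed 10^9 guesses per second, `brute_force_seconds("password", 1e9)` is about 209 seconds (26^8 candidates), while `brute_force_seconds("P@ss//3rd", 1e9)` is about 6.3 × 10^8 seconds, roughly 20 years; the history check rejects `P@ssw0rd2` after `P@ssw0rd1` was set because both normalize to the same string.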

Where we run into a problem is how the user actually handles the password or passwords after they have been set. If our theoretical user takes the movie cliché route, they will write their password down and stick it to the underside of their keyboard. We may also see passwords being shared among users for convenience's sake, passwords being created based on pet names, birthdates, or other such personal information, and so on. Potentially one of the more damaging user behaviors is manually syncing passwords between systems or applications.

For example, we might force a strong password on a given system in the workplace. The user attempting to make their life easier might manually synchronize all other systems in the organization to the same password (including their VPN credentials) and then proceed to go home and do the same with their Internet forum credentials, e-mail, online gaming passwords, and so forth. At this point, the user has one strong password everywhere and life is much easier for them. Great! Unfortunately, not so great for the organization at which the user is employed.

To continue our example, the password database for an online forum is compromised and published to the Internet, containing the username (an e-mail address here) and decrypted password. At this point, the attacker compromises the webmail of our user and now has full access to a truly disturbing amount of information, including the instructions for connecting to the company VPN that the user e-mailed to their home address. We can see very quickly where this is likely to go.

Ultimately, the important items when communicating to users regarding password security are that they need to use strong passwords even when not directly forced to do so, that they need to handle passwords appropriately and not leave or record them somewhere where they might easily be compromised, and that they should not use the same password repeatedly across multiple systems or applications.

Social engineering

Social engineering is a technique that relies on the willingness of people to help others, particularly when the target is faced with someone that appears to be in distress, someone that is intimidating, or someone that we would normally expect to see in a given situation. For example, if someone is attempting to gain unauthorized access to a building where a proximity badge is normally required to enter, this could pose a problem if such a badge were not available; not so for our social engineer. We would start by studying the location in order to determine when the shift changes took place, and therefore when the flow of people entering our door would be likely to take place. We would also want to observe the people entering and exiting the building in order to get an idea of the appropriate way to dress. We might also investigate different doors in the building in order to find one that was not manned by a security guard, lacking secondary physical access controls such as a turnstile, and preferably one without a camera. Once appropriately dressed, we would then proceed to the building at the time selected based on our observations, carrying our prop. In this case we might select a large box so as to not have free hands to reach for our (not actually present) proximity badge. In the majority of cases, unless we are targeting a very high security facility, when we walk up to the door right behind someone and are clearly struggling with our heavy parcel, they will hold the door open for us and will not ask a single question regarding our authorization to enter the door. This is social engineering, and more specifically, pretexting.

Pretexting

In pretexting, we often assume the guise of a manager, customer, reporter, or even a co-worker’s family member. Using a fake identity, we create a believable scenario that elicits the target to give us sensitive information or perform some action which they would not normally do for a stranger.

While we can use pretexting in face-to-face encounters or over some communication medium, each of them has their own challenges. Direct, face-to-face encounters require a heightened level of attention to detail about our body language, while indirect encounters, such as over the phone or through e-mail, require us to focus more on verbal mannerisms. However, both types of encounters require strong communication and psychological skills, specialized knowledge, and a quick mind in order to be successful.

Walking up to a security guard without any detailed knowledge of the target organization and convincing the guard that they need to allow us access to their facility is quite a challenge, and one that probably won’t succeed, unless the guard is incompetent or the social engineer is very skilled. Pretexting gives us an edge when trying to social engineer a victim; if we can drop names, provide details on the organization, and give the victim sufficient cause to believe we deserve access to the information or access for which we are asking, or for that matter already have it, our chances of success increase substantially.

Phishing

Phishing is a particular social engineering technique and is largely employed through the use of electronic communications such as e-mail, texting, or phone calls. Most phishing attacks are very broad in nature and involve convincing the potential victim to click on a link in the e-mail, in order to send the victim to a fake site designed to collect personal information or credentials, or to have the victim install malware on their system. The fake sites used in web-based phishing attacks are typically copies of well-known web sites, such as banking sites, Facebook, and eBay. Some such sites are poorly designed imitations with clumsy attempts at similar design and logos and terrible grammar, while others are very cleverly crafted and extremely difficult to distinguish from the legitimate page that they are imitating.

For an additional method that might be used in phishing, certificate, and other similar attacks, do a bit of research on the internationalized domain name (IDN) homographic attack [2]. This was once a much worse attack than it is now, as many browsers are able to alert to such issues.

The problem with most phishing attacks is that unless the target victim actually has an account on the site being faked, the attack will fail; someone who does not have a MyBank bank account will not be convinced by a phishing attack that redirects to a fake MyBank bank web site. Even if the target victim does have an account, people are beginning to be cautious of unsolicited e-mails from their banks or other web sites. In general, phishing attacks do not count on careful inspection by the recipient, they count on a very small percentage of success over hundreds of thousands or millions of attempts. In order to work with better odds of success, attackers may turn to spear phishing.

Spear phishing is a targeted attack against a specific company, organization, or person. A spear phishing attack requires advanced reconnaissance so that the vehicle for the attack will be seen as legitimate and directs the potential victim to a fake site that the victim would expect, and see as valid. In addition, our e-mail must be seen to come from a valid sender—someone the victim would trust, such as someone from human resources, a manager, the corporate IT support team, a peer, or friend.

Where a normal phishing attack might be clumsy and poorly constructed, depending on a very small percentage of recipients responding regardless, a spear phishing attack is quite the opposite. In a spear phishing attack, the attacker will send a very clean e-mail containing the proper logos, graphics, signature block, and everything as expected. The language will be properly constructed grammatically and spelling will not be an issue. If there are links present, they will be disguised in such a fashion as to not appear immediately malicious. If the attack exists to steal credentials for a site or service, the attacker may even use the freshly stolen credentials to log the victim into the real site that they are imitating, leaving no error message or broken session to clue them in that something strange has happened.

Tailgating

Physical tailgating, also known as “piggybacking,” is what most people think of when they hear the term used. Quite simply, this is the act of following someone through an access control point, such as secure door, without having the proper credentials, badge, or key, normally needed to enter the door.

Tailgating is a problem endemic to locations which use technical access controls. In almost any location, unless strong steps have been taken to prevent it, we can see people tailgating. This is partly an issue of laziness and partly an issue of the desire to avoid confrontation. Particularly in locations where the majority of foot traffic is composed of younger people, such as closed school campuses and apartment buildings, we will see tailgating policies flouted, often willfully so. Such locations make for particularly easy tailgating targets.

A few tricks of equipment, such as knowing which props to use, and the use of psychology to allow an attacker to play on the sympathies of others, will aid them in their tailgating efforts.

Network usage

Network usage, or perhaps more accurately network awareness, is an important concept to discuss with users. It is certainly the case today that a large number of people have access to numerous networks, both wired and wireless, from relatively restricted networks in the workplace to wide-open networks (largely wireless) in homes, coffee shops, and on airplanes. It is easy for an uneducated user to assume that connecting a laptop to the network in a conference room at work is the same as the wireless network in a hotel, which is also the same as a network in an airport; such access is now so common that it has taken on the same overall appearance as any utility such as the power provided by a wall outlet or the illumination given off by a lamp. We expect it to be there, function as expected, and we don’t really think about it beyond this. This makes educating users on security for networks somewhat difficult, as the potential harm is not obvious.

One aspect of this discussion is protection of the enterprise network. In general, and as we will discuss again later in this chapter, we do not want to allow foreign devices on our networks. This means that users need to be aware that they cannot allow vendors to plug in a device in a conference room, that they should not connect their iPad to the production network, and so on. The general solution to this issue is to provide a proper alternative network for such devices to use, often implemented in the form of a guest wireless network, and make sure that users know how to connect to it and within what parameters they are allowed to use this service.

The other side of the issue is the use of corporate resources on outside networks, a problem that has bitten many organizations badly over time, often resulting in breaches of sensitive data. If we load up our laptop with sensitive data, then go get on the network at the local coffee shop or hotel, we may very well be sharing this data with everyone else on the network if the device is not securely configured.

An easy technical solution to this problem is to implement a VPN that allows access to the corporate network and configure the VPN client to automatically connect the device to the VPN whenever it finds itself on a foreign network. Additionally, we need to develop some level of awareness in our users regarding what devices they connect to which networks and how they need to handle the sensitive data that these devices might contain.

Malware

User education in the area of malware can be difficult, as it often revolves around teaching users to not indiscriminately click things. This involves a discussion of being careful while surfing the web, opening e-mail attachments (even if they were naked pictures of Miley Cyrus, you shouldn't be looking at them at work), using social network tools, using smart phones and a number of other similar activities. This can be difficult due to the lack of an exhaustive list of what bad things might look like, but we can point out some of the common items:

• E-mail attachments from people that you do not know

• E-mail attachments containing certain file types (exe, zip, pdf, etc.)

• Web links using shortened URLs such as http://bit.ly

• Web links using names that differ slightly from what we expect (myco.org when we expect myco.com)

• Smart phone applications from nonofficial download sites

• Pirated software

In general, we want to instill a healthy sense of paranoia in our users so that their default action, instead of just immediately clicking on something is to call our helpdesk or security team to ask about it first. Yes, this does mean extra work for these teams, but it is preferable to the alternative.

Although shortened URLs by no means lead exclusively to malicious content, it is certainly wise to assume so until we can see what is on the other end and to not navigate there with a browser. We can, however, check on the destination of such a service with tools such as http://www.urlunshortener.com or http://unshort.me. Both of these tools (and numerous others) provide a safe way for information security personnel or even end users to discover this information with a lessened chance of receiving unwanted software in the process.
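The indicators in the list above, together with the IDN homograph issue mentioned in the phishing section, can be turned into a simple checker that a help desk or security team could run over the links and attachment names in a reported e-mail. This is an added example written for this chapter, not code from the book or from any product; the expected domain `myco.com`, the shortener host list, the attachment extension lists and all sample inputs are constructed assumptions.

```python
from __future__ import annotations

import os
import unicodedata
from urllib.parse import urlparse

# Constructed values (assumptions): the domain users should expect, some
# URL-shortener hosts, and the attachment types the chapter lists as risky.
EXPECTED_DOMAIN = "myco.com"
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
RISKY_EXTENSIONS = {".exe", ".zip", ".pdf", ".scr", ".js", ".bat"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def attachment_warnings(filename: str, sender_known: bool) -> list[str]:
    """Flags from the chapter's list: unknown sender, risky file type, and a
    double extension such as invoice.pdf.exe that disguises the real type."""
    warnings = []
    if not sender_known:
        warnings.append("attachment from a sender you do not know")
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()
    if ext in RISKY_EXTENSIONS:
        warnings.append(f"risky attachment type {ext}")
    if inner in DOCUMENT_EXTENSIONS and ext != inner:
        warnings.append(f"double extension {inner}{ext} disguises the file type")
    return warnings


def _scripts(label: str) -> set[str]:
    """Writing systems used in a host label, taken from Unicode character
    names ('LATIN', 'CYRILLIC', ...). ASCII digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_warnings(url: str) -> list[str]:
    """Return the reasons a link deserves a call to the help desk before it is
    clicked; an empty list means none of the listed indicators matched."""
    warnings = []
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["URL has no host name"]
    if host in SHORTENER_HOSTS:
        warnings.append("shortened URL: destination is hidden until followed")

    # Punycode labels (xn--...) are how IDN host names travel on the wire;
    # decode them so the homograph check sees what the user would see.
    unicode_host = host
    if host.isascii() and "xn--" in host:
        warnings.append("punycode (IDN) label in host name")
        try:
            unicode_host = host.encode("ascii").decode("idna")
        except UnicodeError:
            warnings.append("punycode label could not be decoded")

    for label in unicode_host.split("."):
        if len(_scripts(label)) > 1:
            warnings.append(f"mixed-script label '{label}' (possible homograph)")

    labels = unicode_host.split(".")
    if len(labels) >= 2:
        exp_name, exp_tld = EXPECTED_DOMAIN.split(".")[-2:]
        name, tld = labels[-2], labels[-1]
        if name == exp_name and tld != exp_tld:
            warnings.append(f"{unicode_host} uses .{tld} where .{exp_tld} was expected")
        elif name != exp_name and _edit_distance(name, exp_name) == 1:
            warnings.append(f"{unicode_host} is one character away from {EXPECTED_DOMAIN}")
    return warnings
```

With these constructed values, `url_warnings("https://myco.org/login")` reports the TLD swap the list describes, `url_warnings("http://bit.ly/3abc")` reports only the shortener, and a host whose first letter is Cyrillic "а" rather than Latin "a" is reported as a mixed-script label whether it arrives as Unicode or as its `xn--` form. Resolving where a shortened link actually goes still requires a request to the shortener (or a service such as those named above) and is deliberately left out so the checker runs offline.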

Personal equipment

The use of personal equipment being acceptable or not in the workplace varies considerably from one working environment to the next, but there are often commonalities. In order to maintain a reasonable level of security, the typical threshold for acceptable use of personal equipment is at the border of the organization’s network, that is, bringing your personal laptop to work and placing it on the same network as production systems is typically not acceptable, but attaching it to the guest wireless network may be fine. Corporate policy should dictate how such situations are to be handled.

While most users do understand the reasons for handling personal equipment in this way (largely malware and intellectual property issues), communicating that these same policies apply to other noncorporate-owned devices, such as vendor laptops or network-capable MP3 players, may take a bit more work.

Clean desk

A clean desk policy is common in many environments where any sort of regulated or sensitive data is handled. Such policies typically state that sensitive information is not to be left out on a desk when it is to be unattended for any significant period of time, such as leaving for the day or going to lunch. The ultimate message that we are trying to communicate to users here is that data needs to be handled appropriately, even when it is not in electronic form.

This is typically followed up with a discussion on how sensitive data on physical media such as paper or tape needs to be disposed of in order to ensure that this is done properly, namely, the use of shred bins, data destruction services, media shredders, and so on.

Policy and regulatory knowledge

Last, but certainly not least, if we expect our users to follow the rules laid out in our policies, in the regulations with which we must comply, and in other such items that we, as an organization, may be compelled to comply with, we need to make some effort to communicate these policies. Although it is very easy to mass e-mail a link to a policy and have users attest to having read it, this is not likely to be a very successful strategy if the actual goal is some measure of education.

It is likely that there is a relatively small set of policies and regulations that contain the information we might consider most critical to communicate to our users. Some portion of this information should be condensed and communicated directly to users as policy crib notes or a highlights reel.

The security awareness and training program

Many of the ideas that we have discussed in this chapter are assembled with a single goal, namely modifying the behavior of users in our environments in the direction of being more secure. In order to communicate our desired information to users, we will most often use the vehicle of a security awareness and training program.

Such programs will often consist of instructor-led or computer-based training, typically conducted during the new-employee onboarding process and at some regular interval, and often followed up by a mandatory quiz or attestation of understanding by the person taking the training. Such devices often serve as both a gate for the participant to demonstrate at least some level of knowledge and a form of due diligence on the part of the company for tracking and ensuring that employees have completed the training requirement.

Effectively reaching users

Although firing off a mass e-mail to the entire company directing them to complete X computer-based training (CBT) by Y date at some interval certainly covers the checkbox to indicate that users are provided with regular security awareness training, this may not be the most effective route to actually influence the behavior of users in the desired direction. A yearly round of CBTs or death-by-PowerPoint in a conference room is likely to result in bored participants, frustrated trainers, and not much of a difference in a positive direction for improving overall security posture. If the goal is to truly end up with users making better decisions when they encounter a phishing e-mail or are face-to-face with a social engineer, then we need to move our training in the direction of being both more interesting and producing positive results.

In the area of being more interesting, we can look to the trend in the last few years of gamification for training and educating users. This does not necessarily mean using a video game for training, although this is certainly an option and such tools do exist, but adding certain game elements to what we are doing. For instance, if we have an hour allotted to conducting security awareness training for newly hired employees, we might reduce the lecture portion of the time to 30 min, then take the second half of the time to conduct an interactive quiz show style game on the material that we just covered. Once we add the element of competition (divide the class into teams) and incentive (prizes for the winners), we have just created a much more interesting environment for the information that we wish to communicate.

We can also gain the attention of our users through the use of security-oriented posters, giveaways (pens, coffee mugs, etc.), newsletters, and a great number of similar devices. Ultimately it does not matter to any great extent what these other avenues of awareness specifically are, but that there are different approaches to communicating the same information. If we can offer repeated and varied avenues for bringing this information to the users' attention throughout their day, we stand a better chance of the information sinking in over the long term.

Summary

In this chapter we have discussed several issues that pertain to the human element of information security and why the people that staff our organizations pose a security challenge that cannot be directly addressed with technical controls in every case. We covered items that we might want to discuss with users, including protecting data, passwords, social engineering, network usage, malware, use of personal equipment on corporate networks, clean desk policies, and policy and regulatory knowledge. We also talked about what we can do to make our security awareness and training programs better, and the steps that we can take to make this information impact users' behaviors.

Exercises

1. Why are humans considered to be the weak link?

2. Define tailgating. Why is this an issue?

3. What do we need to do to more effectively reach users in our security awareness and training efforts?

4. Why might we not want to allow personal equipment to be attached to the network of our organization?

5. How would you go about training users to recognize phishing e-mail attacks?

6. Why is it important not to use the same password for all of our accounts?

7. What is pretexting and how might it be used?

8. Why might using the wireless network in a hotel with a corporate laptop be dangerous?

9. Why might clicking on a shortened URL from a service such as bit.ly be dangerous?

10. Why is it important to use strong passwords?
