One aspect of security that is often overlooked is the human element. People are part of the IT infrastructure, and as such they are also a possible attack vector. Organizations should take this aspect of security as seriously as any other, and that is achieved through training and adequate policies.
There are many ways in which the human element can be exploited. Some are obvious, and people can be trained to identify and deal with them easily; some require constant vigilance and are best covered by policies; and then there are those that are devious and very tricky to defend against, which require a mix of policies and training.
Protecting against the Simple Threats
There are a number of attacks that can be performed on the human element of the IT infrastructure. The most common is probably the email vector: convincing a person to open a malicious attachment that installs a Trojan or other malware. This vector can be tackled in part by installing security software that protects the email system (gateway anti-malware scanning and attachment filtering), and more importantly by educating employees never to open attachments that have no legitimate business purpose, and to recognise those that pretend to be business related but are not.
It is also important to teach employees to respect and protect confidential information. Passwords exist for a reason, and people should be trained to respect that reason; this prevents the situation where employees see passwords as a nuisance and, to avoid memorizing them, write them on a sticky note affixed to their monitor. The same training protects against employees leaving confidential documents lying around, and makes them appreciate the need to shred documents rather than simply throw them away, where they can be recovered from the garbage through dumpster diving.
Another important aspect of security is hardware control. Protection here is again a mix of software and user education. Employees should be taught about the dangers of bringing portable storage from home (malware transfer) and of connecting devices such as personal laptops or wireless routers, which can expose your internal network to outside access. Employees should understand the risks of these practices and why they must not be done. Often employees are not aware of the risks and act on personal initiative to boost productivity; despite the good intentions, the risks remain.
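The "security software that protects the email system" mentioned above is, at its simplest, an attachment filter. The following is an added example, not code from the original article: a small gateway-style check that parses an email message with Python's standard email library and flags the attachments an employee should never be asked to open, namely executable or script types, macro-enabled Office documents, and double extensions such as "invoice.pdf.exe". The sample message, the addresses and the extension lists are constructed for this demonstration and are assumptions rather than anything taken from the page.

```python
"""Attachment triage for inbound mail (added example, not part of the original article).

Parses an RFC 5322 message and returns, per attachment, the reasons it should be
quarantined before it ever reaches a user's mailbox. The sample message, the
addresses and the extension lists below are constructed for this demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that execute code when double-clicked on a typical desktop (assumed list).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "msi", "dll", "jar", "lnk", "iso", "img",
}
# Office document types that look harmless but can carry macros (assumed list).
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}


def _exts(filename: str) -> list[str]:
    """All extension parts of a filename, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename: str, content_type: str) -> list[str]:
    """Return the reasons an attachment is suspicious; an empty list means nothing found."""
    reasons: list[str] = []
    exts = _exts(filename)
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{last}")
    # "invoice.pdf.exe": a benign-looking inner extension hiding a dangerous outer one.
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{'.'.join(exts[-2:])}")
    # Declared type claims PDF but the filename says otherwise.
    if content_type == "application/pdf" and last != "pdf":
        reasons.append("content-type application/pdf does not match filename")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw message and map each attachment filename to its list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or "<unnamed>"
        findings[name] = classify_attachment(name, part.get_content_type())
    return findings


def build_sample() -> bytes:
    """Constructed sample: an invoice lure with one benign and two hostile attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "sales@example.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    msg.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"PK fake", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="payroll.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        verdict = "QUARANTINE" if reasons else "ok"
        print(f"{verdict:10} {name}: {'; '.join(reasons) or 'no findings'}")
```

Run it and the benign terms.pdf passes while invoice.pdf.exe and payroll.xlsm are flagged. A real gateway would add content inspection (magic bytes, archive unpacking, macro detection) on top of these name- and type-based rules; the point here is that an extension allow/deny list catches the bulk of commodity lures before user training has to.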
Protecting against the Complex Threats
The biggest danger, and by far the most difficult to defend against, is a targeted attack. Social engineering is probably the most insidious threat the human element in an organization will face. It is not difficult to teach employees to detect generic attacks such as phishing emails, because their general nature is easy to identify; when attacks are targeted, however, it is a different matter altogether and detection becomes far more difficult. Let me illustrate with an example.
Let's assume that I am a malicious person trying to get access to a sales database, and that I want a user name and password so I can steal credit card details. It is a safe bet that sales personnel have accounts on that database. My first step is to get the name of someone working in sales. That is easy: send a sales query to the company by email, and in nearly all cases the reply will carry the name of a sales person. Next I need the phone number of someone who is not in sales, which should not be hard to find. I call that number, and when the person answers I pretend to have dialled the wrong extension and ask to be transferred to the sales person whose name I just obtained. When the sales person answers, I introduce myself as someone from IT under an invented name (unless the company is really small there is a very good chance this will not raise a red flag, and if it does I can always claim to be new), address the sales person by name, and offer any excuse that sounds legitimate (for example, that we are running an inventory of logins and passwords for the sales database and I need their login details to verify that they are correct) to get that person's user name and password. If the person I phoned has no security training, there is a very good chance that s/he will not doubt me and will hand over the information. After all, the call is seemingly internal, I know his/her name, I work in IT and I asked an IT-related question. This attack is quite insidious and difficult to detect, especially for an untrained person.
How can you really educate users to protect them against these types of attacks? As mentioned before, it needs to be a mixture of education and policies. A policy should state that no one gives his/her password to anyone, and that IT staff will never ask for it; a request for a password is therefore a red flag by itself. Employees should also be taught not to trust a call as internal just because it seems so, especially if it was transferred; the safe response to any such request is to take the caller's name and call back on a number taken from the internal directory, not one supplied by the caller. Even if the requester works for the company, confidential information should still be treated as confidential, and even if an employee thinks the person requesting data should have access to it, s/he should not give it out unless s/he is authorized to do so.
In conclusion, the human element is an attack vector into an IT infrastructure as much as anything else, and security needs to be in place to protect it. This is generally a mixture of software and education. It is sometimes an overlooked aspect, but when that happens it becomes just as dangerous to an organization as any other security breach; after all, it is easier to reach a person in an organization than a specific machine.