Securing your People

CS 463/480 Lecture, Dr. Lawlor

People are very complex, but important components in any organization. Your own people can be your greatest asset, like the conscientious sysadmin who notices the weird patterns in the outgoing traffic from your SSL box, or your greatest weakness, like the "on premises armed guard" who on his last day of employment decides to test out his rifle on your new server rack.

Social engineering attacks target the people that are the core of any organization. If the secretary will loan the master key to anyone with a clipboard and coveralls, it doesn't matter how the lock works. Employees can be theoretically be patched to be more robust to social engineering attacks via training, but it's difficult to close all possible holes.

Phishing or the more targeted spear phishing attacks collect credentials by convincing people they need to enter them. I know very smart, capable people at UAF who have lost control of their accounts this way.

Insider threats come from current or former employees of the organization. Your now-ex sysadmin knows exactly how everything on your system works, including the logs and alarms, and might even retain some credentials that you forgot to remove, making them a formidable adversary.

Countermeasures are primarily about detection and "technical controls", meaning tools to enforce your policies. For example, the standard UNIX root access tool sudo can log both attempted and failed accesses, and restrict user accounts and commands.

Insider threat can be reduced with a "no-lone zone" rule: nobody is allowed in the area alone, and the controls are designed to be physically impossible to operate by a single person (e.g., two buttons ten feet apart must be pressed simultaneously).
Bank employees, who handle tens of thousands of dollars in cash every day, are required to take two weeks vacation each year, to keep them away from the premises in case they're hiding some discrepancy; and the "four eyes" principle is designed to keep the bank president from being able to loan himself money off the books.

Depending on the organization, employees might be required to submit to intrusive screening.

Many law enforcement or sensitive agency employees are required to pass an FBI background check, where an FBI agent interviews your friends and co-workers.
Reporting bank account status is used to detect payoffs or money problems. For example, government contracting officers are required to file financial disclosures with the US Office of Government Ethics.
Applicants for jobs in law enforcement are frequently required to submit their social media account credentials, ostensibly to check an applicant's character.
Many jobs require a mandatory drug test. I was surprised to discover IBM required a drug test for its interns in 1999.
Some jobs require the employee to pass lie detector tests, sometimes as often as every 6 months.

One tricky fact is that even the best and most productive employees can have some very hard times in their lives, such as:

Depression and other mental health issues affect about 1 in 5 Americans each year.
Problems with drugs (prescription or recreational) affect about 1 in 10 Americans each year.
Family conflict, such as a bitter divorce, or a family member with a drug problem.
Philosophical differences, such as the Wall Street financial analyst who decides all property is theft and becomes a Marxist.

A one-man illustration of the insider threat is Edward Snowden, a capable sysadmin in the classified community who decided to flee a good-paying job in Hawaii with untold gigs of classified documents (estimates range from 50,000 documents to 1.7 million). He first fled to Hong Kong and then to Russia, where he has been slowly releasing the documents to the press. It is difficult for me to conceive of a more thorough or intrusive personnel management system than that used by the US government in the intelligence services, which include an impressive array of benefits including excellent pay, absolutely reliable employment, and a compelling mission of national importance; and a terrifying variety of punishments, ranging from felony charges resulting in a lifetime in federal prison, through extrajudicial torture and execution. But crucially, Snowden was disgusted with what he saw as a pervasive and runaway surveillance system, and he was unable to change the system from the inside by working with his coworkers, his supervisor, or the office of general counsel, so he decided to accumulate classified documents and leave the country.

Regardless of how you feel about his actions, the key organizational data security lesson is that all your people must agree with your mission, or your greatest assets can become your greatest threats.