Securing your People
CS 463/480 Lecture, Dr. Lawlor
People are very complex, but important components in any
organization. Your own people can be your greatest asset, like
the conscientious sysadmin who notices the weird patterns in the
outgoing traffic from your SSL box, or your greatest weakness, like
the "on premises armed guard" who on his last day of employment
decides to test out his rifle on your new server rack.
- Social engineering attacks target the people that are the
core of any organization. If the secretary will loan the
master key to anyone with a clipboard and coveralls, it doesn't
matter how the lock works. Employees can theoretically
be patched to be more robust to social engineering attacks via
training, but it's difficult to close all possible holes.
- Phishing or the more targeted spear phishing attacks collect
credentials by convincing people they need to enter
them. I know very smart, capable people at UAF who have
lost control of their accounts this way.
- Insider threats come from current or former employees
of the organization. Your now-ex sysadmin knows exactly
how everything on your system works, including the logs and
alarms, and might even retain some credentials that you forgot
to remove, making them a formidable adversary.
Countermeasures are primarily about detection and "technical
controls", meaning tools to enforce your policies. For
example, the standard UNIX root access tool sudo can log
both successful and failed access attempts, and restrict which
user accounts may run which commands.
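As an added example (not part of the lecture), the script below parses entries in the syslog format sudo writes by default and separates allowed requests from ones sudo refused, either because the policy forbids the command or because the user failed authentication; the log lines, host and user names are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the syslog format sudo emits by default;
# the host, users and commands are made up for this example.
SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:13:44 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:14:10 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Mar  3 23:41:30 web1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/visudo
"""

# One sudo entry: "<user> : [<reason> ; ]TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
# The optional reason is present only when sudo refused the request.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>.*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_line(line):
    """Return a dict for one sudo entry with an 'outcome' field, or None if it is not one."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    reason = ev["reason"] or ""
    if "command not allowed" in reason:
        ev["outcome"] = "denied"        # policy forbids this command for this user
    elif "incorrect password" in reason:
        ev["outcome"] = "auth_failed"   # user is in the policy but failed to authenticate
    else:
        ev["outcome"] = "allowed"
    return ev

def summarize(log_text):
    """Per-user outcome counts, plus the refused attempts a reviewer should look at."""
    counts = defaultdict(Counter)
    flagged = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # other syslog noise
        counts[ev["user"]][ev["outcome"]] += 1
        if ev["outcome"] != "allowed":
            flagged.append((ev["ts"], ev["user"], ev["outcome"], ev["cmd"]))
    return {u: dict(c) for u, c in counts.items()}, flagged
```

Running `summarize` over a real auth log gives the per-user picture the lecture describes: a user repeatedly hitting "command not allowed", or a refusal at an odd hour, is exactly the pattern a conscientious sysadmin should notice.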
- Insider threat can be reduced with a "no-lone zone"
rule: nobody is allowed in the area alone, and the controls are
designed to be physically impossible to operate by a single
person (e.g., two buttons ten feet apart must be pressed
simultaneously).
- Bank employees, who handle tens of thousands of dollars in
cash every day, are required to take two weeks vacation each
year, to keep them away from the premises in case they're hiding
some discrepancy; and the "four eyes"
principle is designed to keep the bank president from
being able to loan himself money off the books.
Depending on the organization, employees might be required to submit
to intrusive screening.
- Many law enforcement or sensitive agency employees are
required to pass an FBI background check, where an FBI agent
interviews your friends and co-workers.
- Reporting bank account status is used to detect payoffs or
money problems. For example, government contracting
officers are required to file financial
disclosures with the US Office of Government Ethics.
- Applicants for jobs in law enforcement are frequently required
to submit
their social media account credentials, ostensibly to
check an applicant's character.
- Many jobs require a mandatory drug test. I was surprised
to discover IBM required a drug test for its interns in 1999.
- Some jobs require the employee to pass lie detector tests,
sometimes as often as every 6 months.
One tricky fact is that even the best and most productive employees
can have some very hard times in their lives, such as:
- Depression and other mental health issues affect
about 1 in 5 Americans each year.
- Problems with drugs (prescription or recreational) affect
about 1 in 10 Americans each year.
- Family conflict, such as a bitter divorce, or a family member
with a drug problem.
- Philosophical differences, such as the Wall Street financial
analyst who decides all property is theft and becomes a Marxist.
A one-man illustration of the insider threat is Edward Snowden,
a capable sysadmin in the classified community who decided to flee a
good-paying job in Hawaii with untold gigs of classified documents
(estimates range from 50,000 documents to 1.7 million). He
first fled to Hong Kong and then to Russia, where he has been slowly
releasing the documents to the press. It is difficult for me
to conceive of a more thorough or intrusive personnel management
system than that used by the US government in the intelligence
services, which includes an impressive array of benefits including
excellent pay, absolutely reliable employment, and a compelling
mission of national importance; and a terrifying variety of
punishments, ranging from felony charges resulting in a lifetime in
federal prison, through extrajudicial torture and execution.
But crucially, Snowden was disgusted with what he saw as a pervasive
and runaway surveillance system, and he was unable to change the
system from the inside by working with his coworkers, his
supervisor, or the office of general counsel, so he decided to
accumulate classified documents and leave the country.
Regardless of how you feel about his actions, the key organizational
data security lesson is that all your people must agree with your
mission, or your greatest assets can become your greatest threats.