Information security professionals are taught that employees are the greatest threat to an organization's security. The argument behind this is based on the precept that because employees have inside information about an organization, they constitute more of a security risk to the organization than anyone (and anything) else. Disgruntled employees, more so, constitute a much greater threat.

I never really bought into this argument; in fact, back in school I argued against what I felt was a presumption on a number of occasions. The way I saw it, employees do not set out to wreak havoc on corporate assets -- they are more concerned about getting paid than anything else. For me at the time, hackers, unethical programmers, and other malicious users out there posed more of a threat to corporate assets than anyone else, because these were individuals who were focused on one thing and one thing alone -- breaking into your network -- and would spend hours (days even, if required) trying to access corporate data systems. Bottom line: this is what they do! I know a couple of people who share this flawed initial assumption of mine.

However, several years working in security have changed my opinion on this, drastically. I soon came to the realization (very quickly, I might add) that employees are considered the greatest threat to an organization not merely because of what they could do with the information they have access to, but also because of the amount of havoc that could potentially ensue from the misuse of this information, or from outright negligence in the handling of such information by employees.

The security lapse

Consider, for example, the case of an employee who receives an e-mail that appears to have been sent from a different department in the organization, including a link that purports to contain a report from that department. Without verifying that the e-mail was actually sent from that department, the employee clicks on the link and is led to a website containing malware. (You'd be surprised how many users don't know that clicking on a link or icon in an e-mail message can activate a virus or Trojan program, or allow another person to access their computer from a remote location.)

Here's another: an unassuming visitor walks into the reception area of an organization, throws several questions at the receptionist under the pretext of inquiring about the organization's services, then deviates to strike up a very lively conversation with the receptionist. Within minutes, they seem like old friends who've known each other all their lives. The receptionist has to step out for a while, and so asks the visitor to "keep an eye on things for a while". The visitor waits for the receptionist to step out, disconnects the receptionist's computer from the network, then carries it out of the office (or simply accesses the corporate network using the computer).

OR ... the same "unassuming" visitor parks his vehicle in front of an office building, enters the building and walks into an empty office. The visitor then disconnects the computer from the network, carries it out of the office, places it in his vehicle and drives off, never to be seen again.

Sounds like the stuff Hollywood movies are made of, doesn't it? Unfortunately, such occurrences are all too common in everyday workplaces. Such poor security habits by employees result in physical attacks that could easily have been prevented in the first place.

The "Socially Engineered" Employee

Not all (employee-related) security breaches are the result of blatantly obvious security lapses, though.
Although attacks typically rely on some kind of vulnerability, some security breaches are actually the result of a carefully crafted strategy by the attacker, in which the attacker takes advantage of publicly available information about an organization to infiltrate the organization's systems.

Let's go back to Hollywood; the manner in which thieves are portrayed in the movies gives us a sense of what could be. In movies, before a thief robs a bank or steals jewelry, he "cases the joint" by taking pictures, getting floor plans, etc. Hollywood thieves are lucky enough to get schematics of alarm, ventilation, and other systems. "Prison Break" is one of my favorite TV shows; in this series, the main character, Michael Scofield, is able to break in and out of prisons because he has access to structural plans and other building schematics. Now, any security agent will tell you that real-life thieves aren't that lucky -- and this is also true for attackers and cybercriminals. However, before committing a crime, many attackers do occasionally case the joint: they look over the location, find weaknesses in security systems, and determine what types of locks and alarm systems are being used. Bottom line: they try to gather as much information as possible before committing a crime.

This process of finding information about an organization and its network is often referred to as "footprinting" or "reconnaissance". Most network attacks begin by gathering information from a company's Web site, because Web pages are an easy way for attackers to discover critical information about an organization. Whois and Domain Name System (DNS) lookups provide quite a lot of information too, including the e-mail addresses of the primary (technical and administrative) contacts for the organization, server IP address(es) and other vital DNS records. This type of information could prove extremely valuable to an attacker.

"Why try to crack a password when you can simply ask for it?"
Sad as it may seem, many corporate users give attackers everything they need to break into a network. Help desk or network support staff know this to be true. Though company policy states that passwords must not be given to anyone, users often feel this doesn't apply to IT, and typically see nothing wrong with giving out their passwords to IT technicians and other IT personnel. Users often don't consider their company passwords private, and might not think that what they have on their computers is important or would be of interest to an attacker. This can prove extremely costly; here's how.

In many large organizations, employees may not know everyone on the IT staff. An attacker knows this all too well, and so poses as "Mark", a name he found after doing a whois lookup, or after performing a zone transfer and examining the company's DNS server. He then places a call to Alberta, another employee name he found in the zone transfer information, as well as on several company Web pages that showed e-mail addresses, and on the company's "Google Groups" page. In order to get her number, he simply calls the main switchboard and asks to be directed to Alberta's voice-mail, because he would like to leave a message for her. The receptionist replies that Alberta is in the office, and asks if he would like to be connected to her. The attacker then pretends that his "other line is ringing", and that he seems to have misplaced her extension. "Could you please give it to me, and I'll call her back in a few minutes? I really need to take this call." The receptionist doesn't see a problem with connecting a caller to an employee or giving out an employee's direct number or extension, especially since the caller knows Alberta's name and "seems" to know her. Besides, there "seems" to be a sense of urgency, and the caller has remained cordial enough not to suggest any foul play. So she does -- "Extension 2100" -- and the attacker replies: "Thanks! Gotta go."
After 30 minutes or so, he calls the company again, this time asking to be connected to a different extension -- "Extension 2101, please", he asks. The receptionist connects him, and a man answers: "Accounting department, John Williams here." "Sorry John, Mark here. I was actually calling Alberta, but I guess I got your extension by mistake. Alberta complained about not being able to connect to the Internet earlier and we're just checking IP address information. We just fixed hers. Are you also having a problem?" At this point, the attacker has successfully established credibility by using Alberta's name. John now feels he already knows Mark, even if he doesn't, and so has no problem replying: "Seems only the accounting department is having issues with VLAN configuration." Mark then asks if John is "still running Windows XP?" He says no, but tells Mark exactly which operating system they are using.

The (not so) obvious danger signs

Social engineering tactics like these are quite effective because they are more difficult to defend against. In fact, a security professional's most difficult task is preventing social engineers from getting crucial information from company employees. Attackers typically take advantage of human behavior to stage well-crafted ploys to obtain inside information, and such ploys often go undetected until the harm has been done. In our social engineer's case, for instance, having already established a 'pseudo' trust relationship with John over the telephone, "Mark" now has a lot of avenues to explore in furthering his ploy. He might decide to find out how IT support staff work by contacting the help desk and pretending to be John. Or, if he wanted John's password, he might try something like: "John, we may need to shut down Accounting's network connectivity for an hour or so. I could reduce this time to ten minutes for you if I work on the problem from here. The only problem is that I would need your password to complete this. I already have your logon username as jwilliams@mail-info. Is this correct?" John would probably give his password over the telephone to a total stranger.

Creating a sense of urgency, showing kindness, pretending to be in a position of authority, and quid pro quo are some of the techniques employed by social engineers in an attempt to obtain information from unsuspecting employees.

Mitigating the threat

Employees are considered the largest security risk in an organization because they have access to information systems and knowledge of how the systems work. Employees are also the weakest link in an organization's security because, no matter how much money is spent on firewalls and Intrusion Detection Systems (IDSs), or how advanced these systems are, bad security habits by employees can open up holes in an organization's security faster than a can opener would a tin can.

As far as security risks go, employees can be divided into those who do not maintain good security habits and "disgruntled employees". Employees who do not maintain good security habits may not have received proper information systems security education, or may have developed poor security habits. Common security violations we see from such employees include improper password security, using easy-to-guess passwords, leaving terminals or information unsecured, and unknowingly providing information to third parties. Disgruntled employees are generally unhappy about something -- it could be over receiving termination notices, not receiving raises, etc. -- and typically want to exact revenge on their managers in particular, or their place of employment in general, by stealing information. They constitute a major threat because of their level of knowledge and access to company information and resources.

The largest threat to an organization's information systems undoubtedly comes from the inside, not the outside. As such, protecting the organization from threats within should be paramount.
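The footprinting section above describes the attacker harvesting "Mark", "Alberta" and a logon name from a zone transfer and other DNS records. As an added example (not from the original article), the Python script below audits a public zone for the record types that hand over exactly that kind of inside information; the zone records, domain names and staff list are constructed sample data.

```python
"""Audit a public DNS zone for records that hand an attacker inside information.

Added example, not from the original article. ZONE and STAFF_USERNAMES are
constructed sample data standing in for an unrestricted zone transfer and the
company's list of logon names."""
import ipaddress
import re

STAFF_USERNAMES = {"jwilliams", "alberta", "mark"}      # constructed staff directory
# (owner, rrtype, rdata) tuples, as a zone transfer of example.com might return them
ZONE = [
    ("example.com.", "SOA",
     "ns1.example.com. alberta.example.com. 2024010101 7200 3600 1209600 3600"),
    ("example.com.", "MX", "10 mail-info.example.com."),
    ("www.example.com.", "A", "203.0.113.10"),
    ("jwilliams-pc.example.com.", "A", "10.20.30.40"),
    ("acct-winxp01.example.com.", "A", "10.20.30.41"),
    ("example.com.", "TXT", "contact: alberta@example.com ext 2100"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OS_HINTS = re.compile(r"^(winxp|win7|win2k3?|ubuntu|centos|esxi)\d*$", re.I)
MAILBOX = re.compile(r"([\w.+-]+)@")

def audit_zone(zone, staff):
    """Return a (owner, rrtype, reason) finding for every record that leaks something."""
    findings = []
    for owner, rrtype, rdata in zone:
        host = owner.lower().split(".")[0]
        for tok in re.split(r"[-_]", host):             # "jwilliams-pc" -> "jwilliams", "pc"
            if tok in staff:                             # exact token, so "marketing" != "mark"
                findings.append((owner, rrtype, f"hostname embeds logon name '{tok}'"))
            if OS_HINTS.match(tok):                      # the caller no longer has to ask about XP
                findings.append((owner, rrtype, f"hostname reveals operating system ('{tok}')"))
        if rrtype == "A" and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            findings.append((owner, rrtype, f"RFC 1918 address {rdata} published externally"))
        mailboxes = []
        if rrtype == "SOA":                              # RNAME: first label is the mailbox
            mailboxes.append(rdata.split()[1].split(".")[0])
        elif rrtype == "TXT":
            mailboxes.extend(MAILBOX.findall(rdata))
        for box in mailboxes:
            if box.lower() in staff:                     # a named person to impersonate or target
                findings.append((owner, rrtype, f"personal mailbox '{box}' exposed; use a role address"))
    return findings

if __name__ == "__main__":
    for owner, rrtype, reason in audit_zone(ZONE, STAFF_USERNAMES):
        print(f"{owner:28} {rrtype:4} {reason}")
```

Run against the sample zone it reports six findings: the SOA contact and TXT record naming Alberta, the workstation named after jwilliams, the XP-labelled host, and two internal addresses in a public zone; the public web server passes.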
Here's a quick preventive checklist:

- A well laid out and clearly outlined policy should be implemented to define access levels, control, and the use of processes, systems, and technology within the organization's IT framework.
- Users should be trained not to give any inside information to outsiders, including information about OSes.
- Employees should be taught to verify and confirm that the person asking questions is indeed who s/he claims to be, and that they are authorized to request the type of information they are asking for.
- Employees should be made aware that not all hacking incidents require programming skills; most hacking is done through social engineering.

It costs much more to fix damage caused by malicious attacks, or to recover from a security breach caused by employee negligence in handling information, than it would to implement proper security policies and procedures. Security awareness training and strong policies are extremely important in addressing the threats and risks posed by employees, and in preventing related attacks. In order to negate the effects of employee-related threats, employees must be informed, educated, and involved with regard to best security practices and procedures.