Monday, June 4, 2007

The Weakest Link

Many firms around the world today are coming to terms with the importance of protecting their intellectual assets. But while information security finally seems to be getting the attention it deserves, many seem to be focusing all their solutions on one area. I speak, of course, about network security. But this is only part of the picture. Unfortunately we seem to be ignoring the kind of protection that is hardest to implement, yet the easiest to bypass. You can have the strongest network security technologies and still have a big gaping hole in your defenses. That is because the people who try to break into your systems have known for a long time that it is often easier to use your own employees as the means of intrusion. A good analogy: you set your home intrusion alarm to protect against someone getting in without your knowledge, but, unbeknownst to you, one of your children has disabled the alarm after you've gone to bed in order to let a friend inside later in the evening.

In this article, I would like to raise your awareness of some threats to your information that cannot be stopped using network security technology. Most of these fall into the categories of social engineering and/or physical security.

Someone who wants access to your company's information may realize that trying to hack your network could be too inefficient. There are much easier ways to get access to your information that don't even require having knowledge of your network and its security features. Let me give you some examples.

If I want access to your premises, I only have to get my hands on the uniform of a utility worker, or technology support person, like someone from the telephone company or a photocopier repairperson. Once in your reception area, I will likely not be challenged trying to access an area of the company containing workstations or servers. This is especially true if I look the part, carry the right tools and have an air of determination about me. Fake support people have been known to have great success sitting at a workstation, accessing data during times of chaos, such as during department moves, after power failures, etc.

If my goal is to access company information, you might think I will require a lot of time on premises. You would be wrong. All I need is three to five minutes in an unoccupied room with a live network connection. I could leave behind a small laptop computer running a network-sniffing program that would capture enough information about your network to make it easy for me to access it from a place and time of my choosing. This assumes I am connecting to a hub rather than a switch (a hub repeats every frame to every port, while a switch forwards traffic only to the port of its destination). But with a little more planning I could leave the laptop plugged into your switch or router in the cable closet, as long as it was out of sight. I could walk in, leave the laptop under a pile of stuff or behind a rack for a day or so, and then come back and retrieve it just as easily.

If I did manage to get inside your company, I could do something as simple as attaching a keystroke-capturing device to a workstation's keyboard. This would capture all of the user's keystrokes, including their username and password. I would of course have to come back to retrieve this device. But if I got caught under someone's desk, it's not likely they would suspect I was meddling with their PC rather than retrieving a dropped tool.

If I need to access information belonging to a specific individual within your company I may have a unique and creative method at my disposal if this individual works on a laptop computer. I'll just come in and steal the laptop. It's very unlikely that I will be challenged leaving your company with a laptop under my arm as it probably happens all the time, let alone if I conceal it inside a briefcase or backpack.

Speaking of passwords, using hi-tech methods to capture a password from a keyboard is often unnecessary, considering the foolish things users often do at their desks. For example, rather than memorizing their passwords, users will often write them down and leave them in a place that is easy to find. I have lost count of how many passwords I have found on sticky notes attached to monitors, under keyboards, inside drawers, on the backs of picture frames and so on.

While doing a practicum at a company that provides network and hosting services, I was employed in their network operations center. After earning a high level of trust amongst the administrators, I was left to manage the center while the rest attended an important function. The previous evening, they had changed the administrator password on all of the servers. Of course they forgot to tell me, which was going to make my life difficult trying to log into all of the servers to do my work while I was there alone. Fortunately, they left me many clues that helped to solve my problem. First, I discovered a note describing the transposition of certain letters to numbers, such as "3" instead of "e". If you are familiar with "l33t speak" you know what I'm talking about. This had been left in plain sight beside one of the servers. I continued to look around and eventually found a piece of paper in the garbage with the new password written on it in plain text. Having all the information I needed, I transposed the plain text password into l33t speak and tried it, with complete success. The other administrators were quite surprised to find that I was able to log into all the servers without any trouble, after realizing they had never told me the new password. They had already forgotten that they had left behind all the clues I would need.
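The lesson of the anecdote above for anyone writing password policy is that "l33t speak" substitutions are a small, predictable set of transformations and add almost nothing to a password that is otherwise a dictionary word. The following is an added example, not code from the original post: a password-policy check that reverses the common substitutions (the substitution table and the blocklist of weak base words are constructed for this illustration) before comparing the result against the blocklist, so that "p4$$w0rd!" is rejected just as "password" would be.

```python
# Added example (not from the original post): reject passwords that are
# merely l33t-speak spellings of blocklisted words. The substitution table
# and the blocklist below are constructed for this illustration.
import itertools
import string

# Common l33t substitutions; each symbol may stand for one or more letters.
# This table is an assumption, not a standard.
LEET_MAP = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
}

# Constructed blocklist of weak base words a policy might forbid.
WEAK_WORDS = {"password", "letmein", "welcome", "admin", "server", "secret"}

# Digits and punctuation tacked on the front or back of a word add little
# strength, so they are stripped before the dictionary comparison.
AFFIX_CHARS = string.digits + string.punctuation


def normalized_forms(password, limit=4096):
    """Return the set of plaintexts this password could be a l33t spelling of.

    Every character is kept as itself and, where it appears in LEET_MAP,
    also expanded to the letter(s) it commonly stands for. The number of
    combinations is capped so a long, symbol-heavy password cannot blow up
    the check.
    """
    choices = []
    for ch in password.lower():
        alts = LEET_MAP.get(ch, "")
        # dict.fromkeys keeps order and drops duplicates
        choices.append(tuple(dict.fromkeys(ch + alts)))
    forms = set()
    for combo in itertools.product(*choices):
        forms.add("".join(combo))
        if len(forms) >= limit:
            break
    return forms


def weak_base_word(password):
    """Return the blocklisted word the password reduces to, or None if it
    does not reduce to any of them."""
    for form in normalized_forms(password):
        core = form.strip(AFFIX_CHARS)
        if core in WEAK_WORDS:
            return core
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not values from the original post.
    for candidate in ["p4$$w0rd!", "s3rv3r2007", "Tr0ub4dor&3"]:
        hit = weak_base_word(candidate)
        verdict = f"rejected (l33t spelling of '{hit}')" if hit else "accepted"
        print(f"{candidate!r}: {verdict}")
```

The check deliberately keeps each character as a candidate alongside its letter expansion, because a "0" in a password may be a genuine zero rather than a disguised "o"; trying both is what lets "s3rv3r2007" reduce to "server" while the trailing year is stripped as an affix.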

If obtaining a uniform would be too difficult, or breaching the premises as a service person would be next to impossible, it may actually be easier to gain access by following an authorized employee through a door. Again, this would be rather easy if I look like I belong there, by dressing and acting the part. It is human nature to be polite and hold the door for someone following behind. All I would need is a few days to study the culture of your employees. As for the preparation required, I may need to spend a few days hanging around so that your employees get used to my presence. Contrary to what you might think, I am actually going to go out of my way to talk to various people; this adds to the illusion that I belong. I may spend some time in the nearest coffee shop or restaurant. That way, once I find a way inside, it is less likely that I will be challenged by anyone.

In the previous examples, I actually had to show up at your company. But in reality, I may not have to go there at all. I may just call one of your employees who I suspect knows little about security or systems support and convince them to give me their username and password. How would I do that? All I would have to do is say that I am Fred from IT. If your support person asked you for your username and password so that they could fix your account, you'd give it to them, wouldn't you? I hope your answer to that question was no. If your company has in place a method of connecting to the network from home, a username and password may be all I need.

But there are other methods of gaining access to your information that would boggle your mind. There are methods of capturing the radiation from a video monitor and using it to recreate what a user is seeing on their screen. This can be done from a fair distance, perhaps your parking lot or an office on another floor of your building. While we're talking about radiation, let's not forget analog cell phone use or even cordless phones within the company. Now, of course, wireless networks have created perhaps the easiest method of accessing information in the history of networking. This is mostly due to the fact that most users of wireless networks have no idea how patently insecure they are, nor do they know enough about the simple methods that can be used to secure these networks, even in a basic way. For this reason alone, wireless infrastructure should never be used on a network that is used to carry or connect to critical data. Unfortunately, there are times users have extended their connection to the corporate network with OTS (off-the-shelf) wireless hardware and the company doesn't even know it's happening. The technology to operate a wireless network more securely is coming in short order, but in the meantime I would advise against it.

Now you're probably thinking this is an awful lot of trouble to go through just to get access to corporate information. While all these cloak and dagger techniques may have been limited at one time to governments and the military, corporate secrets are being sought from the competition all the time. After all, is there an easier way to level the corporate playing field?

So what's a poor company to do about all of this nonsense? The answer is simpler than you might think. It's called awareness and education. Users at every level need to be indoctrinated with basic security skills and knowledge. It starts at the receptionist's desk. Nobody should be allowed beyond the foyer unless they can produce valid identification and their purpose at your company can be validated with a phone call to that person's boss or a known contact within your company. Employees throughout the company must be trained to be on the lookout for people who don't seem to belong there. They need to be taught that it is just as important to protect a strong password from falling into the wrong hands as it is to have a strong password to begin with. They need to be aware that the support department is never going to ask them for their username and password, since support already has the power to completely control their account, including changing or resetting a password at any time. They need to understand the dangers of opening attachments in an e-mail message, even if it is from someone they know, and they need to understand why it is possible for an e-mail from someone they know to be infected. You may have prohibited the use of instant messaging programs or any software that could be used to bypass the security features built into your network. The users in your company may not know why these programs are not allowed. In their mind, it's just another example of the fun police in action.

All of your employees need to be empowered with the mission to strengthen the company's security. After all, even if an employee is aware of what steps they need to take to help keep the company secure, they will resist doing so if they do not feel it's in their best interest. Employees will also resist any security measure that is too impractical or inconvenient. For example, you'll likely have a mutiny on your hands if you impose a 24-character password that expires every other day.

The best way to handle this is to take steps to make your employees part of the solution instead of part of the problem. Many companies around the world are learning this lesson and making employee-driven security initiatives profitable for the employees themselves. For example, if an employee does something that directly prevents a security breach, they can be offered a substantial cash reward, say $10,000. This may seem excessive, but imagine how many millions of dollars you could potentially lose if someone succeeded in accessing your corporate information. This is the kind of plan that puts responsibility for security back in the hands of the people who can contribute the most.

When it comes to security, your employees may be the weakest link. With logical, enforceable security policy and solid security training this link can be transformed into one of the strongest.