This is part three of our multi-part series "An approach to an organization's risk factors".
We strongly recommend that you read these articles sequentially, starting with part 1 here.
The first article discussed different procedures and systems that could be invoked in order to mitigate risk. The second article discussed Electronic factors as an area of risk. In this third and final part we will examine Human attack factors and Physical factors.

By human attack factors we mean all types of attacks in which human behavior is instrumental. Vectors of an electronic and/or physical character will often accompany human attacks.
It seems safe to assume that attacks using humans (aka “wetware”) represent the biggest risk for organizations. The attacker's goals may be to steal information, destroy information, change information, and disrupt the organization’s ability to conduct its business towards customers and other stakeholders.
The wetware that constitutes a threat, however, comes in different flavors.
The disgruntled current or former employee is a person who, in certain circumstances, represents a major risk for an organization. However, the two should not be treated as one, since in particular the defensive measures against them differ.
Depending on how much time has passed since the person was employed there, a former employee may still know a great deal about the organization. Particularly if he/she bore a grudge against the company before leaving, it is easy to imagine that plans for attacking the company were initiated prior to leaving.
Social engineering schemes against former colleagues have a good potential for success, and he/she may have been able to set up backdoors into the organization’s systems prior to leaving.
Obviously, there is the additional risk that the person’s access credentials to the company’s systems are not fully revoked after he/she has left the company.
To mitigate this, there are two primary focus areas:

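One concrete defender-side check for the credential risk described above is to reconcile the directory against the HR roster at a fixed interval. The script below is an added example, not code from the article or from any product; the roster and directory records are constructed sample data, and the field names and the AS_OF date are assumptions. It flags accounts of departed staff that are still enabled and enabled accounts that no HR record owns, which is also where an access path set up before departure would show up.

```python
from datetime import date

# Constructed sample data (not from the article): a simplified HR roster and a
# directory export. Field names and the AS_OF date are assumptions for illustration.
AS_OF = date(2024, 6, 1)

HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "left", "left": date(2024, 3, 15)},
    "carol": {"status": "left", "left": date(2024, 5, 2)},
}

DIRECTORY_ACCOUNTS = [
    {"user": "alice",       "enabled": True},
    {"user": "bob",         "enabled": True},   # departed, never disabled
    {"user": "carol",       "enabled": False},  # departed, correctly revoked
    {"user": "svc-backup2", "enabled": True},   # no HR owner at all
]


def reconcile_accounts(roster, accounts, today):
    """Compare directory accounts against HR records.

    Flags two things: accounts of departed staff that are still enabled, and
    enabled accounts nobody in HR owns (an unrecorded service account, or an
    access path left behind on purpose).
    """
    findings = []
    for acct in accounts:
        rec = roster.get(acct["user"])
        if rec is None and acct["enabled"]:
            findings.append({"user": acct["user"], "issue": "no_hr_owner"})
        elif rec is not None and rec["status"] == "left" and acct["enabled"]:
            days = (today - rec["left"]).days
            findings.append({"user": acct["user"],
                             "issue": "departed_still_enabled",
                             "days_since_departure": days})
    # Longest-standing departed accounts first, then orphans, so the review
    # queue starts with the oldest unrevoked access.
    return sorted(findings,
                  key=lambda f: (f["issue"] != "departed_still_enabled",
                                 -f.get("days_since_departure", 0),
                                 f["user"]))


def run_sample():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In practice the roster comes from the HR system and the account list from the directory export; the point of the check is that it runs on a schedule rather than relying on the offboarding ticket having been completed.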
Many of the same issues are present with respect to current employees as former employees. However, there are some crucial differences:
Nevertheless, a severely disgruntled employee represents a dangerous threat against an organization!
In order to mitigate this risk, the obvious measure is of course to allocate considerable resources to avoiding this type of co-worker and to creating a good working environment.
Another mitigating factor would be to restrict access rights so that no one has more access to the organization's systems than needed to do their work (without making access rights too restrictive, of course, as this would encourage dissatisfaction). This approach to access is good practice in general.

One of the most used, and perhaps the most effective, ways to infect a person or an organization with malware is through social engineering techniques.
Social engineering is done through emails with attachments or malicious links, through messages in social network communities, through phone calls, etc. Whenever new media or interactive applications arrive, we see that social engineering techniques which attempt to exploit them are soon established.
If someone wanted to attack an organization by attempting to steal or destroy information, the approach with the highest probability for success is presumably social engineering schemes against current employees. A well-researched targeted attack of this type is very difficult to defend against.
Similar to the attacks performed by the disgruntled employee, attacks using a tricked employee may to some extent be mitigated by the access regime that is in place.
Another important tool that should be considered is education of employees, aiming to raise the awareness level against this type of attack. We will point to the importance of raising awareness against the general characteristics of social engineering schemes. This is more efficient in the long run than focusing on particular social engineering techniques that are known to be used. The former will educate the employees to defend themselves and the organization against new types of techniques that may be introduced.
Education of this type should be an exercise repeated with regular intervals.
Issues resulting from negligence and/or pure bad luck should also be mentioned.
By this, we primarily mean infection from visiting purely legitimate web sites (which e.g. carry malicious advertisements) and other Internet resources.
The most efficient way to protect against this seems to be raised awareness of the dangers involved in everyday use, and enforcing general security mechanisms with respect to access control.
One should of course also ensure that updated security software is present on all computers that are in use in the organization.
Computerized equipment stolen at home or during travel may have severe consequences for the organization, depending on the information that is stored on the equipment.
Regulations regarding encryption of portable devices may prove to be essential in scenarios where equipment containing sensitive data is lost or stolen. We would recommend that standard systems are set up in order to encrypt all information stored on hard drives and portable media (such as USB sticks).
It is extremely easy to send an email by error to the wrong recipient. Normally this is a nuisance at most, but in some circumstances, the result may be that sensitive information falls into the wrong hands. The consequences for the organization may be severe.
To some degree this can be avoided by implementing systems for recalling (unread) emails and/or implementing systems for Data Leak Prevention (DLP).
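As an added example of the kind of DLP check the paragraph above refers to (this is illustrative code, not from the article or from any DLP product), the function below inspects an outgoing message and holds it for sender confirmation when it contains a sensitive marker and has at least one external recipient. The internal domain, the two sensitive-content patterns and the sample message are constructed assumptions; a real deployment would use the organization's own classification labels and identifiers.

```python
import re

# Assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"example.org"}

# Constructed markers for content the organization treats as sensitive. A real
# DLP product ships its own detectors; these two are placeholders for the idea.
SENSITIVE_PATTERNS = {
    "classification_label": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b",
                                       re.IGNORECASE),
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_recipients(headers):
    """Return every recipient address whose domain is not one of ours."""
    text = " ".join(headers.get(h, "") for h in ("To", "Cc", "Bcc"))
    return [a for a in ADDRESS_RE.findall(text)
            if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


def check_outbound(headers, body, attachment_names=()):
    """Decide whether an outgoing message should be held for sender confirmation.

    The hold rule is deliberately simple: sensitive markers alone are fine inside
    the organization; a marker combined with at least one external recipient is
    what a mis-addressed email looks like.
    """
    ext = external_recipients(headers)
    matches = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]
    matches += ["attachment:" + n for n in attachment_names
                if re.search(r"confidential", n, re.IGNORECASE)]
    return {"hold": bool(ext) and bool(matches),
            "external_recipients": ext,
            "matches": matches}


if __name__ == "__main__":
    # Constructed sample message: sensitive content addressed to an outside partner.
    demo = check_outbound(
        {"To": "partner@supplier-example.com", "Cc": "alice@example.org"},
        "Per our call, the CONFIDENTIAL pricing for CUST-123456 is attached.",
        ["Q3_pricing_confidential.xlsx"],
    )
    print(demo)
```

A hold-and-confirm step is a reasonable default for mis-sent mail because it adds a pause only for messages that already look wrong, rather than blocking all external correspondence.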
Although not a common threat in many countries, it is not difficult to imagine that an organization’s employee becomes a victim of blackmail.
Depending on his/her position, the potential for harming the organization varies, but it may be substantial.
This type of situation is to some degree similar to the disgruntled employee issue described above.
Legitimate visitors often enter an organization's premises. Even in organizations with rules for visitor registration and badges, visitors may occasionally be left on their own.
Although a visitor's intent may initially be benign, they may be tempted if they happen to come across confidential information or USB sticks in offices etc., and/or get access to computers that are not locked.
Physical attack vectors have been less in focus in recent years than the more “cool” attacks that are performed through electronic means. Nevertheless, a person who gets physical access to an organization’s premises may cause a lot of harm.
In this chapter, we will not discuss the potential harm that may be caused by someone who is able to get physical access to computers. Suffice it to say that physical access to a computer for a certain period in principle enables access to all unencrypted information stored on that computer (which includes stealing and deleting information). Obviously, this is extremely dangerous.
Some of the content of this chapter does to some degree overlap with the previous one, e.g. with respect to the parts that have to do with lost/stolen laptops and mobile devices.
One way to get access to the organization’s premises is through break-ins. Typically, this is most likely done outside working hours (nights and weekends).
Many organizations have alarm systems which alert e.g. a security company if the alarm goes off. There is, however, a delay before assistance can reach the location. During that time there is sufficient opportunity for a thief to steal random computers, but hardly enough time for an unprepared burglar to find and get access to the particularly sensitive equipment.
A prepared burglar who knows exactly what she is after and where this is located, may be able to get the equipment, depending on how well this is secured within the organization’s premises.
In general, most of the computers mentioned in part two in this series might be exposed through a break-in.
Likely points of access include:
Depending on the layout of the organization, the list above should be customized and extended.
Securing access to sensitive systems inside the premises is also essential, to make it harder for someone who successfully breaks in to get the crucial systems/information.
When an organization reaches a certain size with respect to the number of employees, most employees will not have complete information and knowledge about everyone else. This is particularly relevant for organizations which are physically located on different sites.
Thus, it is possible for a person with bad intent to impersonate a “new employee”, an IT person, a cleaner, a janitor etc. and thereby get access to the premises. She may then get access to computer equipment and confidential information from the offices and elsewhere on the premises.
We also refer to the subchapter above about legitimate visitors.
Garbage is usually collected from an organization by an external company.
So-called "dumpster diving" is known to be useful for collecting information about an organization. This may be sensitive information, or information that can be instrumental in preparation for a subsequent targeted attack (e.g. through exploiting human factors as mentioned above).

Fire (by intent or accident), power failure (by intent or accident), broken physical Internet access (by intent or accident), broken cooling systems in computer rooms, lightning, flooding and other types of natural disasters of course also represent security risks.
The consequences of incidents like these will depend on the organization’s backup systems and ability to set up business temporarily (at another location if needed).
The approach to risk assessment outlined in this article is particularly suited for organizations that are smaller and do not have personnel dedicated to risk evaluation. The general system we have introduced should be customized to each organization's own environment.
The end result should be a listing of the factors that are at risk within the organization, and the sequence in which they should be addressed, in order to examine whether the risk each factor represents is acceptable for the organization. If not, risk mitigation must be implemented for each factor.
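As an added example of what that end result can look like in practice (this is illustrative code, not the article's own method or any particular standard), the register below lists factors taken from this series, orders them, and marks which ones are acceptable as they stand. The scoring scheme is an assumption introduced here: likelihood and impact on a 1 to 5 scale, risk as their product, and a threshold above which a mitigation must be in place; the scores and mitigations themselves are constructed for illustration and should be replaced with the organization's own assessment.

```python
# Constructed risk register built from the factors this series discusses. The
# scoring scheme is an assumption added for illustration, not part of the
# article: likelihood and impact on a 1..5 scale, risk = likelihood * impact,
# and any score at or above ACTION_THRESHOLD is not acceptable until a
# mitigation is in place.
ACTION_THRESHOLD = 9

RISK_FACTORS = [
    {"factor": "Social engineering against current employees",
     "likelihood": 4, "impact": 5,
     "mitigation": "recurring awareness training on general scheme characteristics"},
    {"factor": "Former employee's credentials not revoked",
     "likelihood": 3, "impact": 5,
     "mitigation": "offboarding checklist with access review"},
    {"factor": "Laptop with unencrypted data lost or stolen",
     "likelihood": 4, "impact": 4,
     "mitigation": "full-disk encryption on all portable devices"},
    {"factor": "Email sent to wrong recipient",
     "likelihood": 5, "impact": 3,
     "mitigation": "DLP check on outbound mail"},
    {"factor": "Break-in outside working hours",
     "likelihood": 2, "impact": 4,
     "mitigation": "alarm plus locked server room"},
    {"factor": "Fire or power failure in computer room",
     "likelihood": 1, "impact": 5,
     "mitigation": "off-site backups and relocation plan"},
]


def score(factor):
    """Risk score under the assumed likelihood-times-impact scheme."""
    return factor["likelihood"] * factor["impact"]


def prioritize(factors, threshold=ACTION_THRESHOLD):
    """Return the register ordered by risk, each entry marked acceptable or not.

    Ties are broken alphabetically so the ordering is stable across runs.
    """
    ranked = sorted(factors, key=lambda f: (-score(f), f["factor"]))
    return [{"rank": i + 1, "factor": f["factor"], "risk": score(f),
             "acceptable": score(f) < threshold, "mitigation": f["mitigation"]}
            for i, f in enumerate(ranked)]


def action_list(factors, threshold=ACTION_THRESHOLD):
    """The mitigations to implement, in the order they should be addressed."""
    return [(e["factor"], e["mitigation"])
            for e in prioritize(factors, threshold) if not e["acceptable"]]


if __name__ == "__main__":
    for entry in prioritize(RISK_FACTORS):
        flag = "OK " if entry["acceptable"] else "ACT"
        print(f"{entry['rank']}. [{flag}] {entry['risk']:>2}  {entry['factor']}")
```

The value of keeping the register as data rather than as a document is that it can be re-scored after each mitigation is implemented, which turns the one-off assessment described in this series into a repeatable review.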