Are You Aware?

Information Security is not just an IT issue, it's an organizational issue.

When companies attempt to address the organizational impact of information security, user awareness training is always first on the to-do list.  However, in all of the security awareness training I have seen, one key component is usually left out, and that is clearly communicating to users that they are (a huge) part of the problem.  When I say that users are part of the problem, I'm not saying it to shame individuals into feeling responsible, but rather to make it clear that even if you are in a position that is far removed from IT or information security, at any given time, any single employee can have a tremendous negative impact on the organization's security posture.

Take for example, the maintenance team at my apartment building, they are most certainly not information security professionals.  The other day, I went into my elevator as I always do and noticed that the box containing the fire service elevator keys was left open.  When I left a few hours later, the box was still open  which would have given a malicious individual more than enough time to steal the keys, make copies, and put the originals back, or just simply steal the keys.  Beyond the keys in the box itself, as you can see in the below picture, the key for this box is attached to someone's car keys which has some very interesting implications, such as the fact that if the owner were to lose their car keys, every resident in the building is potentially at risk.  End users are the same when it comes to corporate data.

Exhibit A

fire2

Exhibit B

fire1

Though the above is more of a physical security risk than a technology risk, physical security and digital security are very closely linked.  In the case of securing electronic assets, there is no shortage of news reports about companies being breached due to phishing and social engineering campaigns.  A few very high profile targets, such as RSA, Google, Northrop Grumman, and many others can be used as examples.

When people aren't given all of the facts, bad things happen.  If you go to a dentist and the dentist tells you that you have a cavity, most people understand it but only superficially.  They know that something is wrong with their tooth, and that it will need to be fixed, but they likely won't take the time to think about the physiological causes of tooth decay, after all, that's the dentist's job.  Security awareness training is a lot like going to the dentist.  Not only is it painful, but users are frequently only given half of the equation and the threats are too externalized to seem relevant to them as individual employees and in the end the message remains the same, "security is IT's responsibility."  This doesn't help anyone.

In the case of phishing, there are generally two things that must happen.  First, an attacker crafts a special e-mail with a malicious attachment, or convinces a user to click a malicious link.  The second part of the attack requires user intervention, meaning they need to make a conscious decision to follow the link or open the attachment.  Even though these phishing attempts can be targeted and very convincing, doing recon on a target is fairly trivial.  Let's assume we have a user named Steve Singlehop and he works at supercompany.biz.  Like many other people, Steve has a LinkedIn profile that displays his achievements, and one of his most recent achievements is a large LDAP migration.  We want to attack Steve and using this information, we can write a pretty convincing phishing e-mail with very little work and only a few details.  Based on the naming convention for most corporate e-mail accounts, we can easily guess his e-mail address.

------

Hi Steve.  I wanted to contact you regarding your latest changes relating to the LDAP migration.  I am having a few issues authenticating and was hoping you could take a look.  I've attached the most recent architecture document hoping that you would have some insight.

Thanks again for your time and I hope to hear back from you soon!

Regards,
Andrew

------

Most security savvy people wouldn't open that attachment, but someone who's worried about their big LDAP migration would likely open it without hesitation, only to be infected.  Once the user is  infected, the attacker(s) can then use this foothold into the environment to launch additional and more devastating attacks.  When I was working as a consultant and we'd conduct social engineering attacks, a popular method was to send out mass e-mails announcing that $Company had partnered with Fake Benefit Site (we obviously used a much more convincing name) and that a important changes were being made to help users better manage their retirement, 401k, and health insurance options.  All they had to do was go to the website, and log in with their corporate username and password.  What the site actually did was harvest the usernames and passwords and redirect the user to a page telling them that the site was not yet active and to check back in a week.  The success rate for this particular attack across numerous medium to large companies was uncomfortably high, even when repeated against the same company at a later date.

The media often mysticizes hackers into making them appear like technological ninjas who weave in and out of networks stealing sensitive data right out from under you, and there's some truth to that.  But before any of that rogue-like stealth begins, there is most often a very simple and very preventable slip up that lets the attackers gain access.  In the case of user awareness, users need to be made painfully aware that they may unintentionally play a huge part in helping attackers gain and maintain access to data that has the possibility of putting the company out of business.  Unfortunately, many security industry people are disenfranchised with user awareness training due to the lack of return, and if you find yourself in that group, I think it's time to do a risk assessment on your training curriculum.