Goodbye to the weakest link

Insider threats, data leakage and other attacks so should be the focus for protection, says Giri Sivanesan

People will always be the weakest link in the battle to protect corporate information and data from attackers. Attacks by hackers on businesses are increasingly committed with a modus operandum similar to that used in corporate and state espionage beyond the PC.

As security technology improves, hackers increasingly target individuals. This raises an intriguing mix of problems and issues for corporate security managers.

Human beings have characteristics that can make them particularly vulnerable and useful to those who want to carry out attacks. Insider knowledge and access can increase the impact of an attack significantly even where the role of the attack vector is only one of facilitation, for example, in a cyber attack.

Disgruntled employees or low-wage, temporary staff who perhaps have less loyalty to their employer may be more easily convinced to obtain confidential documents as part of elaborate attacks. They need not be fully aware that an attack is in the offing and may stem from such actions.

The adversary begins by making acquaintance with the target. They will try to make his or her actions appear normal and unpremeditated. Cultivation and recruitment of a target can be quick, but has taken place in the past over weeks, months, or even years.

The target may be attending an industry conference overseas as a key member of the research team for a large technology company. During the trip, the person meets an old colleague, who introduces the person to a friend with similar technology interests who is very flattering. Over the duration of the event, the new ‘friend’ becomes keen to learn more about the team’s work.

The target is often sought through someone with direct access to the target – an access agent – such as the mutual friend cited in the example above. It is more likely that the target in this example would trust a friend of a colleague than a complete stranger.

When employment prospects and salaries may be uncertain, the risk from insiders being involved in an attack increases. Employees are far more likely to accept cash bribes or gifts as part of a cultivation process in such circumstances.

A detailed employment screening and psychometric profile may help identify personality traits that suggest an employee may be susceptible to cultivation. But most vetting activities are limited to basic security checks. These are conditions for a new employment contract rather than an ongoing requisite for employment and often concentrated on more senior positions or higher wage earners perhaps less likely to be vulnerable than, say, support, temporary or even cleaning staff.

Many organisations also choose to instate duty controls that require two or more employees to complete a business task. While this may increase the administrative burden, it can make it harder for an attacker by requiring the complicity of two or potentially three people.

Clear and concise security policies aligned to an organisation’s security risks should underpin all efforts to effectively manage against insider threats and attacks exploiting an organisation’s personnel, together with a strong organisational security culture, thorough background checks and aftercare.

Giri Sivanesen is senior security consultant at Pentura