101: The Human Factor in Security

History teaches us that men and nations behave wisely once they have exhausted all other alternatives. – Abba Eban

Information security controls that rely on technology alone are doomed to fail.

A system could require 14-character complex passwords that change every 30 days with a 30 minute lockout after 3 failed attempts; however, the user who writes his or her password on a post-it note and sticks it to the bottom of the keyboard has just potentially compromised the system. Information security controls design must involve people (the human factor) as well as technology in order to be truly effective. No technological method can stop someone from writing a password on a post-it, but effective education and policy can. (Not to mention a less draconian password policy, but that is something for another post.)

Sometimes people will do truly foolish things out of ignorance or in an effort to be helpful, which is why social engineering is so effective.

The following case illustrates how simple it is for human nature to compromise security.

In 2006, Secure Network Technologies (SNT) did security testing on a credit union that included some social engineering aspects. They put a Trojan horse on 20 random vendor-branded USB drives (the kind you get as giveaways at trade shows). The Trojan was designed to collect login and password information and email that information back to SNT. They left these USB drives in both internal and external locations, including the parking lot. Employees were observed to pick up the drives, take them into the facility and plug them into their computers. SNT was able to use the information collected from the Trojan to compromise other systems. (Read the article at darkREADING.)

After more than 15 years in Information Technology, I can tell you that no one should be surprised that a scheme like this was successful. It doesn’t matter if people were collecting and looking at the drives because they were curious, thought they had gotten free stuff, or were trying to find out whose drive it was so that it could be returned. All those motives, both good and bad, led to compromised systems the moment the drives were plugged into work computers.

But what could the credit union have done to prevent this, you ask?

There are two basic ways to attempt to defeat this specific type of attack. The first method involves turning off the USB ports on the computer; however, this is not the ideal method as it would mean users might not be able to effectively use PDAs or other necessary equipment without administrator assistance. The second method is preferred and involves a combination of policy and education.

The credit union should have had a policy that no personal or unapproved devices (including usb drives, cds, floppy disks, iPods, etc.) should be connected to bank equipment. The policy would then be communicated to all employees, along with basic education on why the policy exists. In addition, there must be repercussions for any incidents that involve security breaches due to an employee not adhering to the policy.

Tagged , , , . Bookmark the permalink.