The human firewall
- 27 October, 2003 22:00
A help desk worker at a large company fields the next in a never-ending rush of calls from another breathless, overwrought employee. The caller is desperate for his e-mail and network passwords, which he claims to have forgotten. The staffer gives in and hands over the goods - worn down by tales of the rotten day the employee is having. Having tricked the help desk staffer, the intruder proceeds to waltz through the company's firewall and wreak havoc.
Giving out sensitive data to people without first authenticating their identity and access privileges is one of the most common and worst mistakes employees can make. Allowing a stranger inside an organization without authorization is yet another example of a broken link in the human firewall chain.
According to an example the International Organization for Standardization cites, a former contract programmer at a financial institution easily got past security because guards simply recognized him and waved him in. Once inside, he posed as a computer consultant doing an audit and interrogated an employee, who believed he was supposed to provide the data that was demanded.
This con tricked another employee into verifying information that he eventually used to transfer US$10.2 million from the company's bank to a Swiss account. The thief couldn't have committed his crime without the unwitting complicity of at least three employees who breached security by allowing him into the building and giving him network and database access.
According to a Computer Security Institute/FBI study of more than 500 U.S. security managers, 90 percent say they suffered breaches in 2001. The most serious financial losses occurred through theft of proprietary information and financial fraud, crimes associated with breaches in corporate security policies and weaknesses in human firewalls. The survey adds that 50 percent of the attacks came from employees, including contractors, working inside organizations.
Warren Moore, senior director of information security at Convergys Corp. in Cincinnati, says, "With human firewalling . . . really what you're talking about is changing corporate cultures. People want to be helpful, but that's the way intruders can get inside. You need to establish policies and educate employees."
But according to the Human Firewall Council, an international organization founded in 2001 to help security directors define policies, far too many organizations are neither training their employees to prevent breaches nor investing strategically in security.
In a study published in February, the council analyzed responses from more than 1,000 organizations and found that eight of 10 survey respondents had not implemented even minimal security management practices.
Even in industries such as financial services and healthcare, and government agencies, where security practices are federally mandated, little more than half of surveyed organizations had defined security management practices.
Security directors agree that technology is only one line of defense against hackers. They say establishing policies and following through with training and education are just as important as investing in antivirus software, firewalls and VPNs.
Edward Liebig, director of IT security of Manulife Annuities in Boston, recommends that companies cover general security guidelines with all new hires and conduct annual checks to make sure employees know the policies.
Untrained and/or exasperated receptionists, security guards, tech support, customer service and help desk staff are particularly vulnerable, especially if they are not aware of security policies. And opportunistic black hats have a good idea of where to look for the data they need and who to target because many are either current or former employees.
Thieves who use trickery to infiltrate a corporate network are always coming up with new techniques. One new approach is war mumbling, not to be confused with war dialing and war driving, which are ways of hacking into networks by calling numbers until one hits a modem, and driving through known hot spots until you get on an insecure 802.11 network.
War mumbling involves calling multiple customer service representatives and speaking with a very thick accent or mumbling incoherently in response to ID authentication questions until one of them gives up password data out of frustration.
Robert Richardson, the Computer Security Institute's editorial director, says the ways to combat war mumbling are "training combined with technology." He says voice recognition technology can be used to require a caller to repeat a series of random numbers that are matched to a voice print so that intruders can't anticipate a pattern or trick the system, he says.
Changing corporate culture, but how much?
To limit the damage done by intruders, Bruce Schneier, CTO and founder of Counterpane Internet Security Inc., a security and network monitoring firm, says security directors should work with human resources, department managers and top executives to decide how much data access each employee should get. This approach limits the information such intruders can trick out of a single weak link and make hacking more difficult.
"You can limit the amount of access (an employee has) to sensitive data to the bare minimum - giving customer service reps or even system admins less access to data, like credit card information, financial records and passwords," Schneier says. "This makes the organization more secure, but it also makes the organization less flexible."
Liebig agrees that "any security officer worth his salt will write policy that is absolutely 'by the book' best practice, and it is up to upper management if they wish to operate in that manner."
He says, "Policy setting is a give-and-take between business and security. Organizations have to weigh the risks of exposure against how they want to run their operations."
Schneier adds, "The reason that this (security policy compliance) is so hard is that it's not a technical problem, it's a human nature problem. Remember, amateurs hack systems; professionals hack people."
Christopher is a freelancer writer in San Francisco. She can be reached at email@example.com. -- Network World (US)