The human factor


Transcript of The human factor

Page 1: The human factor

(c) Copyright 2005. Koen Maris

The Human Factor

kmar@baleo.be


Table of contents

Abstract
Introduction
    Today
    The public domain
Target audience
    Management
    Mid management
    Staff
    Technical staff
Definitions
The human factor (layer 8)
    The design issues
    The technology problem
    Cultural behavior
    Social engineering
        The exploits
        Human based social engineering
        Technology based social engineering
Countermeasures
    Seven steps to build your human firewall
        1. Convince your top management
        2. Assign and clarify roles and responsibilities
        3. Define an action plan linked to a budget
        4. Develop and update the policy framework
        5. Develop a security awareness/education program
        6. Measure the progress of your security awareness efforts
        7. Develop security incident response team and plan
Information
Resources


Abstract

Business today contains an important number of security risks. In most cases, employees deal with issues according to their own knowledge. The importance of a transparent security strategy is often neglected; the result is that only the techies know the security measures and the strategy. Transparency is necessary so that security does not become an obstacle in the business processes. If top management is not aware of the strategy, they might take a different direction; if the employees are not aware, they might impede your efforts, hence security awareness.

Often a business relies blindly on technology to eliminate as many of the risks in its work environment as possible. Technology has a gap: it is first of all made by humans, administered by humans, and its output is interpreted by humans. In the end we are left with the biggest security issue of all, "the human factor".

This said, it should be clear that security cannot lie solely within IT, if the size of the organization allows it. Security awareness can be obtained by training your employees on security issues that they can relate to their work environment and their private lives. A security awareness program gives a company the ability to highlight risks, improvements made to security, how to use the security department, etc.

Your employees often think that your security department is a bunch of techies and/or freaks who like to be in control. Profiling your department as a point of contact where security issues can be discussed enhances overall security. The key factor: educate your staff through an awareness program, a quiz, posters, e-mail messages or reminders, intranet information, etc. Repetition is the determinant of success; humans only retain information by repeating it over and over, and using a more relaxed approach instead of an academic one will loosen people up, resulting in more interaction with security management and its staff.


Introduction

Our technology-oriented civilization tends to solve problems with technology-based solutions. This paper lays out the importance of the human aspects of information security in relation to the technology used to mitigate the risk. Statistics show that as many as 75 percent of security incidents are caused by human error or ignorance. While technology solutions can never be the panacea in information security, one can increase their effectiveness by implementing a well-designed security awareness strategy. Convince your management and launch your ideas in a language your target audience understands!

Today

Today, employees have little idea about the security improvement efforts made by their employers. Nevertheless, all these efforts can easily be bypassed by mistake, configuration error, misinterpretation or intentional actions. All people take action according to what they know, what they have seen in the past, or the information given at the very moment the action is required. This behavior is harmful to security no matter how much is invested in technology. Because the techniques used to gain financial benefit change so rapidly, technology alone cannot cope. The key factor is informing all your employees at all hierarchical levels. Repeating the message, with constant reminders through little notes, posters, mails and/or the intranet, is an effective way to keep up with the new breed of attacks.

The public domain

In our day-to-day lives, we are overwhelmed by security awareness campaigns. Government, law enforcement, state security and many others inform us about many issues that need public awareness. The information spreads over any medium available and able to reach the masses. An important factor is catching attention: one-liners and funny or shocking pictures are still the number one strategy. In fact, the public domain has plenty of examples to guide you through an effective campaign that improves your security strategy.

Ex.: During the Christmas period, a lot of countries put in a lot of effort to make drivers conscious of the risks of drinking and driving. It is clear that the opportunity (Christmas) is exploited to get better attention from the audience. In most countries it is a big annual event, but focus is kept throughout the year by different campaigns with a mutual interest. Imagine marketing only working on one big event a year; you will not get a good sales cycle outside your marketing periods.


Target audience

In security awareness, you do not have one specific audience to focus on. If possible, split the audience according to the function they hold in the company. Splitting your audience into target groups allows you to talk in the specific language of each group.

Management

To attract senior management members, your presentation has to be focused on key elements only. For them it is more interesting to know what risk level they are at, what loss expectancy they have in case of an event and, more importantly, what they can gain by spending cash on security improvement. A numerical or statistical approach will improve the level of understanding of the complex issues; examples from real life will also raise their attention. If the company were to lose assets, what would be the financial loss, or what is the loss in case its reputation is damaged? Important to know is that if you want them to support your strategy, they have to find themselves in the proposals. If they are not in line with your thoughts, you will have a hard job convincing them. Remember the goal of security awareness: changing behavior. Hard but necessary is to pinpoint the day-to-day risks in their work environment. After all, senior management is less comfortable with the fact that somebody will tell them how to work and handle things. If everyone is compliant with the password policy and senior management is not, the company could lose its valuable reputation very quickly and easily.

Mid management

Mostly responsible for transmitting the message to department heads. A more granular explanation of the policies, standards, procedures and guidelines is mandatory, as they are responsible for mapping it to the different department heads. If the message transmission fails, the pyramid structure will not work. The crucial factor is full understanding and acceptance by mid management. Their support determines the overall acceptance downwards in the pyramid.

Staff

Convincing your staff is the biggest obstacle, and it is only a start, as your goal is to change behavior. You can convince them, but that will not guarantee success. To change behavior you need repetition, and to get repetition you need time, money and support from your management. Splitting staff into job-related groups increases the effectiveness of your security awareness. Pointing out the importance of the person behind the job and his/her security-related issues will more likely improve the response to your efforts. Making your staff feel involved is the key message for a successful security-aware staff.

Technical staff

Special care is required, because convincing technical staff of how they should approach some parts of their job will not be easy going. Technical staff tend to get things up and running and apply security afterwards. Security integration should start at the beginning of each project, or somewhere in the initialization phase. Appending security at the end of a project will be expensive and difficult, and results in less restrictive security integration than originally planned.


Definitions

Often the words training and awareness are used in the wrong context. To avoid this misunderstanding, a short explanation based on the NIST-800-50 document follows.

Awareness: Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Training: Training strives to produce relevant and needed security skills and competencies.

The human factor (layer 8)

Layer 8 is a complex layer with fuzzy logic, making random decisions and showing unpredictable behavior. The topic has been around for quite some time, and business needs to address it as never before. Often layer 8 is the cause of scandal where social engineering attacks are successful. This type of attack will rise in the future and we are standing on the edge; technology is keeping us from falling, but will it in the future?

The design issues

Designing a secure harbor for the business is a difficult task, as not every business unit has the same view on what should be offered. Techies often design to their own needs and are less focused on the business requirements. If the design does not incorporate the requirements of the business, it will be subject to a lot of resistance. A solution cannot be successful in security if people are opposed to it from the very beginning. User-friendly design will improve security due to the reduced error rate.

The technology problem

Often companies see the technology solution as the way to go. Heavily armored with firewalls, IDS/IPS, VPN, PKI, anti-virus, etc., the security officer considers himself secured to the bone, with a good understanding of the benefits and limitations of the products. All this technology remains a valuable tool to protect against malicious attacks, but one has to consider the drawbacks in this tech-savvy world.

Technology is not perfect. Vulnerabilities, unchecked buffers and backdoors are still found in commercial and non-commercial software despite the efforts of your software engineering teams. The best approach to mitigate such risks is a multilayered solution, even though history proves that the best security can be compromised one way or another.

Often big institutions do not understand the complex security issues in sufficient detail to ensure an appropriate solution. Such an approach results in choices that are often only an answer to one of the problems occurring. A firewall can be very good at filtering traffic but could be a nightmare in handling reporting and alerting. A technical solution is an expensive purchase and costly to keep running. Off-the-shelf products are often an answer to only a few of the requirements and add little competitive advantage.


External consultants/engineers integrate the products into your infrastructure; this is a huge opportunity for intrusion or data leakage.

Cultural behavior

Discipline! Discipline varies around the world. In some countries everything is regulated and executed as written in the books. Cultural behavior is important when designing a campaign. It does not make sense to develop strict rules if they cannot be enforced.

E.g., Japan: Due to construction works near the server room, it became inevitable to make a huge hole in the wall leading to the server room. Although the hole was big enough to walk through, the staff still used the mantrap to enter the server room and advised consultants to do the same. A good example of how culture can have an impact on your security strategy.

Social engineering

Probably the biggest concern today is social engineering, because it is spread throughout all layers of your company and any department could be subject to it. In most companies a robust policy structure guards against it, but control of compliance is mandatory, as policies are useless if not applied.

What is social engineering? It is the art of deception or persuasion to gain information that would otherwise be hidden from the attacker. Despite all efforts and policy integration, any human is subject to emotion, and that is one of the key elements an attacker misuses: acquiring information or access privileges based on a false trust relationship built between the attacker and the victim.

The exploits

Diffusion of responsibility – If the victim is convinced the responsibility does not lie solely in his/her hands, they are more likely to grant the attacker's request.

Trust relationships – The attacker spends more time on the attack to develop a relationship, with the goal of gaining trust. The trust is exploited by provoking a series of positive interactions. Once the attacker is confident, he/she will try his/her luck on a bigger move.

Moral duty – The attacker encourages the target to act out of a sense of moral duty. Convincing the target that the policy is at odds with common morality increases the chance of gathering information. The target assumes detection will be unlikely.

Guilt – Psychodrama, manipulating empathy, creating sympathy and tugging at the heartstrings: all these factors are mastered by social engineers. Believing in the innocence of the requester and having faith in the story often leads to granting access or giving information to avoid being left with guilt.


Desire to be helpful – Relying on people's helpfulness is one of the key aspects used by social engineers. Social engineers notice rather quickly if people are not assertive and not confident in refusing.

Cooperation – Avoiding situations of conflict, speaking with a voice of reason rather than shouting or barking. The social engineer would be just that guy who understands your difficult situation.

Human based social engineering

Impersonation: The most common attack; the attacker says he is someone from the company having trouble gaining access. The attacker will have some names that he will abuse to retrieve the necessary information.

The VIP approach: An attacker claims to be a senior member or any other important employee who could have a higher level of access, which creates a certain atmosphere of fear on the victim's side.

Shoulder surfing: The attacker tries to capture information you type, keystrokes when a password is asked for, usernames appearing on your screen, etc.

Dumpster diving: Valuable information can be found in waste bins. This has been reduced by using a shredder, but shredding in one direction only could be insufficient to prevent a determined attacker from finding information.

Piggybacking: Slipping into a building by hiding in a group of authorized people. The mass of people is the attacker's disguise.

Third-party approach: The attacker may know someone in the company, and this person would have given the authorization. To the victim, the third party will most of the time be a senior staff member.

Technology based social engineering

Popup windows: A small window pops up prompting the user to re-enter information, often a username/password, but it could also be an email address for spam purposes. Once this is done, the information is sent by email or over the web (HTTP) to the attacker.

Mail attachments: An email is the ideal disguise to hide malicious programs using fake file types: distributing spam, viruses, Trojan horses or any other program that can automatically spread itself and gather information for the attacker. History has proven that users tend to click on attachments whether the sender is known or not.

Spam, chain emails and hoaxes: These are not a direct threat to the company or the person, but they rely on social engineering and gather information such as email addresses to be sold afterwards.

Websites: A common ploy is to offer something for free or a chance to win. Often you have to enter personal information, which could be used for identity theft. Or one has to pay a fee to be able to receive the prize; after the fee is paid you never hear from them again.


Countermeasures

A typical question from management would be: "How can we get full protection against it and what will be the cost?" The answer is fairly simple: no full security against it exists, and the costs are recurrent. No matter how much technology is integrated, at some point the human factor is involved. The human factor can be influenced by political, cultural or social events. As with any threat, there are always possibilities to mitigate the risk, thus reducing the success rate of the malicious event.

Seven steps to build your human firewall

1. Convince your top management

Every project in your organization requires support from management. The top-down approach proves to be the best in convincing the employees of the seriousness of the project and the need for change. Getting your management over the line is definitely the hardest part, and an external expert in "human firewall" could be a major help. A key factor in getting management on your side is to prove that security is a business enabler and not a continuous expense. Psychology would be your instrument to achieve this step. According to Gartner Group, there are three major questions that executives and boards of directors need to answer when confronting information security issues:

Is our security policy enforced fairly, consistently and legally across the organization?
Would our employees, contractors and partners know if a security violation was being committed?
Would they know what to do about it if they did recognize a security violation?

2. Assign and clarify roles and responsibilities

The biggest obstacle in improving your security is a lack of clear-cut roles and responsibilities. Defining which business units are critical and including the key people in the task force may be one of the goals to set. Security functions are not necessarily limited to one person; separation of duties is often applied. However, rarely do all people have the time and the authority to carry out business-wide security awareness initiatives. Nevertheless, some functions may have overlapping duties or be combined in one person.

In his new book Information Security Roles & Responsibilities Made Easy, information security consultant and Human Firewall Council member Charles Cresson Wood writes that unfortunately "management at many organizations has never clearly stated its intentions about the work it wanted an information security function to perform. It's hard to do a 'good job,' if you don't know what your job is supposed to be. As perverse as this situation may sound, many information security specialists have been asked to do just that. When things go wrong, they often get blamed even though they didn't know these same things were important."


3. Define an action plan linked to a budget

An action plan starts with an assessment of the relative value of information assets. A risk management approach is key to defining values and risks. Prioritized asset values are the cornerstones of your plan and simplify the budgeting to address the most important information assets your organization has. The budget planning demands care and a strategic view; convincing management that it can enable business, instead of writing it off as a simple cost, might be the key differentiator to get management over the finish line. Often the human side of security is neglected; to increase your success rate you have to involve the technical people in your program. Both need to grow together instead of being handled as two separate issues.

4. Develop and update the policy framework

The policy framework defines the internal rules of your company. As in real life, where the law is subject to change as civilisation progresses, the same holds in your organisation. Policies have to be read and understood by everyone in the organisation. The alignment of policies with business goals is key to success. Policies that constrain or contradict the business are pushed onto the forgotten list. Your ultimate goal is to weave information security practices in as an essential part of conducting business safely and securely.

5. Develop a security awareness/education program

Security awareness builds human firewalls. It is probably the best tool to inform your staff of day-to-day business risks. It is key that your awareness campaign adapts to the business but also to changes in risk. Events throughout the world partly define the campaign agenda. These campaigns should be conducted on a regular basis; repetition is the determinant of success and of the resulting increase in security. As a first step, conducting a survey gives you the opportunity to retrieve information about the weaker and the stronger domains. This gives you the ability to focus your campaign on the weaker points. The campaign should not be limited to a one-shot presentation; posters, quizzes, the intranet or emails can keep your staff up to date.

6. Measure the progress of your security awareness efforts

Quizzes are an excellent tool to measure the status of your efforts when it comes to security awareness. A website with a "test your security awareness" quiz, or a quiz after the lunch break where people have to find 10 security errors in an insecure working environment, gives you a good view of where your staff is today. It allows you to detect the weak spots, work on those factors, and integrate new items to stay on track with the evolution. The outcome of your test phase should be integrated into a report for top management. Help reassure management that you have made progress in answering the key questions posed at the beginning of this blueprint:

Is our security policy enforced fairly, consistently and legally across the organization?
Would our employees, contractors and partners know if a security violation was being committed?
Would they know what to do about it if they did recognize a security violation?


7. Develop security incident response team and plan

Disaster recovery is mandatory to survive in the business jungle. It is important that the business can recover in a quick and efficient way, but more important is that damage can be reduced from the very beginning of an event. The most important asset to protect is your staff: people first.


Information

Author: Koen Maris @ Belgium – Luxemburg
Employer: Secaron Sà r.l. - Grevenmacher
Biography: Started with software development for small business, to end with managing large corporate networks and their systems. In the early internet era in Europe my attention was caught by the insecurity of most connected businesses. This launched me into the complex matter of IT security, which switched to the more general term Information Security. Today I am an active member of www.issa.org and www.isc2.org.

Presentations: In the late 90's I have done several presentations about the impact of the internet and the security risks. This was in a larger perspective initiated by Cisco. My first of many, perhaps!

Why: Experience showed that the human factor is often neglected. Implementing a techie solution for the problem and handing the real issues over to the administrator often leads to frustration of the staff. The hopes of making a difference through a more human approach should be considered and are keen in developing a concrete security strategy.

Resources

http://www.nist.gov
http://www.iwar.org.uk/comsec/resources/sa-tools/index.htm
www.issa.org
CISSP Certification All-in-One Exam Guide, 2nd Edition, ISBN: 0072229667
www.sans.org
www.itsecurity.com

Thanks to

Melissa Guenther mguenther@cox.net
Clement Depuis cdupuis@cccure.org