Breaching the Human Firewall Part 1

Human aspects of security can contribute significantly to flaws in security posture. Recent examination of the Snowden incident, and how it has affected practices at defence contractors, where the threat of industrial espionage is highest, demonstrates how far ahead the defence industry is compared with others in the speed of its reaction. It also demonstrates [somewhat unfortunately] that it takes a high-profile incident to make firms tighten up their practices, but for firms that are high-profile targets it is probably too late, isn’t it?

Responding to a breach that emanated from an insider is one of the more challenging scenarios, and one that does not receive enough air-play, but we have to recognize that how firms deal with malicious insiders is very sensitive territory. ‘Human firewall’ testing that we have conducted for many organisations, as part of more elaborate red team exercises, has proved that the human element is typically taken for granted as a weakness in organisations’ defence, but most are left with significant gaps in their perspective of how deep the problem is and what they should do about it. Testing the resilience of the ‘Human firewall’ only begins with intruder testing, and the ability to bypass physical security measures to enter a building. Needless to say, once a malicious insider is into a server room or a control room, there are numerous ways that he/she can compromise the security of hardware and systems.

This not only highlights the frailties of physical security systems, processes, and policy, but also the human aspects that need to support the operation of these systems. This is not necessarily pointing the finger at security guards, but also at the security awareness of many employees who should indirectly share the responsibility for an organisation’s security. But let's look at the more advanced elements that can be applied, and are tried by more advanced attackers [and testers].

Social engineering is a commonly recognized term, and typically belongs to the realm of digital or virtual identity and human intelligence gathering. In this field there will always be considerable room for attackers to exploit naïve employees or exploit information that is publicly available about vulnerable members of staff. Examining this aspect is a key element in assessing an organisation’s vulnerability to phishing attacks, which will remain the most effective mode of intrusion into any organization. Mitigating this risk requires an integrated approach. However, to look more closely at the issue of human firewalls we need to look at the threats that can be simulated and experienced by a vulnerable firm, and the modes of compromise of employees that allow physical access into facilities, and virtual access into networks.

The first is the gathering of intelligence on key employees and leveraging this knowledge to subvert them. This can be the more serious of threats if that employee has access to sensitive information and systems, but more low-key employees can also present attractive targets, more easily subverted in order to compromise a more critical employee. The gathering of human intelligence can lead to unsophisticated attacks like the theft of a key Vice President’s laptop, but that is only a simple manifestation of this problem. The second is coercion to obtain access, or manipulation into disclosing sensitive information, whether it is passcodes to a building, information on security procedures, or passwords. Human intelligence gathering, including eyes-on surveillance, can also expose the information that an attacker would need to exert leverage, like bribery or blackmail.

A ‘planted’ insider is a third approach for an attacker with time and patience seeking a highly-valued or sought-after ‘prize’. This will test the organisation’s HR and hiring policies, the degree of vetting that is conducted of subcontractors as well as employees, and employees’ awareness of access. Finally there is the delivery of malware on physical devices to employees with a sufficiently credible back-story not to arouse suspicion, leading them to load the malware onto the network unknowingly, or without any suspicion whatsoever. This mirrors in many ways the principles of testing vulnerability to phishing attacks.

This also alludes to the more advanced form of attack through employees’ mobile devices, which can be used to introduce malware onto the organisation’s network. There are many different methods of achieving these goals, and they range from simple ploys to elaborate ruses which security technology is not able to mitigate. Hence the growing importance of the ‘human’ firewall upon which an organization relies in order to protect itself from malicious intent and intrusion. For most firms there is a chronic lack of preparedness, aligned with a poor level of awareness. This is directly correlated to the number of employees in the organization and its dependence on IT for operations. The solution therefore requires awareness building on a broad scale before being able to gravitate to certain types of solution, and regular testing is a central tenet of building awareness.

For more information about our intrusion testing as part of red team exercises and to counter espionage visit
Posted: 13 February 2014 by Optimal Risk Admin