Insider Threats to Cyber Security
The Enemy Within
“We have seen the enemy and he are us!”
The foregoing adage, oft thought of as the whimsical perspective of a fictional swamp dweller (“Pogo”), is a truism and a warning when considered in the realm of cyber security. The common perception that cyber threats are usually external to the target system ignores the reality that the system user, administrator or vendor is frequently an essential element in the waging of a successful cyber-attack. The Hollywood image of the lone hacker sitting in a dark bunker cleverly using a multitude of high-tech machines to single-handedly, forcefully penetrate and control a distant computer system couldn’t be farther from the truth. Having participated with my wife in raising seven children, I can take analogies from family life that mirror all of the issues and threats that owners and users of modern computer systems face in the cyber world.
Like its biological counterpart, the computer virus, or malicious program has to penetrate a computer system in order to effect a cyber-attack. In the biological world, families with children, especially small school age children, are all too familiar with the experience of a child catching and bringing the latest viral agent home from school, virtually guaranteeing that every member of the family will be similarly infected.
In the cyber world of “plug & play”, users often bring devices such as thumb drives, memory sticks, and personal media players to the office, and connect them to their work computer without considering that their personal device may be infected with hidden malware. The most well publicized attack on an automated control system is alleged to have occurred when an infected USB device containing the STUXNET virus was plugged into an Iranian desktop computer.
The Door Opener
Penetrating an otherwise secure home is difficult if all of the “doors” providing access are locked and guarded. The same applies to computer systems.
Unauthorized access of an otherwise secure system requires assistance from within. In the case of a family home, children have been known to open otherwise secure doors to the outside world and allow strangers into the home if the stranger appears “nice” (and mom or dad can’t get to the door before the child). This is especially true if the stranger at the door is a four-footed, tail-wagging furry carnivore from next door (particularly if the stranger appears forlorn as a result of being wet and muddy).
In the cyber world, the hacker disguises his “stranger” in a phishing email sent to an unsuspecting system user. In most cases, the phishing email carries either malware hidden in an attachment, or a link to a malicious site which will automatically download malware to the target system. For the attack to succeed, the user must open the attachment or click on the link. Like the cute wet/muddy dog from next door, the phishing email is crafted to seduce the recipient into opening the email and clicking on the attachment or link in it, thus bypassing the system security.
Sharing the Key
Secure homes and computer systems only allow access to individuals possessing an authorized key. In the case of a home, children will occasionally tell their friends (or even a perfect stranger) where mommy and daddy hide a spare key for the house in the front garden. In the cyber world, users can be tricked into providing their corporate email identity and password to a hacker as a result of receiving a carefully crafted email that appears to originate from an internal source (such as the IT help desk).
Adolescent children sometimes lose or loan their set of house keys to a “friend” who needs to drop by your house during the day to pick up something that the “friend” previously left at your house. System users echo this behaviour by writing down system IDs and passwords on a piece of paper which they then stick on the front of the computer monitor or on the wall beside their company PC. System users have also been known to allow an associate to use their ID and password.
Leaving Doors Unlocked
Every parent is familiar with the nighttime routine of having to walk around and check to make sure the front, back and patio doors of the house are closed and locked to compensate for the inability of the dependent occupants of the house to understand the concept and purpose of door locks. Occasionally system administrators and system vendors suffer from the same learning disability – especially when it comes to industrial control systems. These systems are often left connected to the internet with little or no protection that would prevent a hacker from accessing the system.
In some homes, an otherwise secure door is compromised by the home owner installing a “pet door” which allows four-footed members of the family unfettered access in and out of the home. Unwittingly, the home owner is also providing a means of access to unwanted guests (such as the neighbour’s dog, the local skunk or a youthful burglar). Software vendors will sometimes install the cyber version of a “pet door” in their products. Known as “backdoors”, these special portals are intended to allow the vendor access to the software after installation to facilitate easy system maintenance and upgrading. The hacker (the cyber version of the local skunk) finds such backdoors of equal value and utility.
Show & Tell
Family secrets are sometimes intentionally shared outside the home by an exuberant child (who, for example, elects to take dad’s box of condoms to the grade one “show & tell”). Adolescent children may help themselves to the keys to mom’s car. In the cyber world, system users may utilize their access to files and data on the system for purposes that could be regarded as harmful or inappropriate to the system owner. A careless system user may send out an email containing sensitive information to a third party without encrypting the contents or attachment. A disgruntled or corrupt employee may actively seek and remove valuable or sensitive information from the system they have access to.
Design, Training, & Audit
A diligent parent will set up the family home with a foundation that supports family security. Good quality door locks, proper external lighting, an alarm system, vehicle key lock box, even a safe for valuables may be included in the physical design of the home. System owners should ensure their system setup and design incorporates robust system access controls, separation/securing of critical databases, real time firewall traffic monitoring, internet access controls, and other tools that will provide a secure foundation.
Effective home security requires indoctrinating and training all residents of the home in the purpose, principles and use of the security devices and set up. Regular reminders prove essential to ensuring that even the smallest family member fully participates in keeping the home safe and secure. System users should be regularly reminded of the tools, principles and purpose of system security. Face to face training (rather than the tired practice of sending out an instructional email) is essential for effective system security training of users.
Periodic reminders and re-training sessions on areas of security that are being ignored by users should occur as required, and without delay. In the physical world, a careless adolescent who fails to appreciate the importance of locking the front door when he arrives home after midnight will become a convert to the theory and practice if made to stand guard at the front door with dad for a night. Similar methods for dealing with users having issues with “link clicking” on phishing emails may prove beneficial.
Finally, just as a diligent parent checks all doors before going to bed at night, system owners need to audit the security of their system, and the security behaviour of their users regularly. Back doors left by software developers, careless clicking on phishing email, poor system access password management, and various other internal security demons can only be excised, without paying a high penalty, if caught BEFORE a system security breach occurs.
Children eventually grow up and strike out on their own. System users are here to stay, as they are the reason for having a computer system. Unfair comparisons of system users and children aside, the pace of cyber threat evolution surpasses the ability of cultural adaptation for most of us. When I began my career in 1977, a “hacker” was a chain smoker. A laptop was a tray that you put your TV dinner on. Computers still filled entire rooms and were the haunt of exotic professional nerds. Today, computers have become ordinary objects that we rely upon hourly without realizing the full extent of their impact. The adversary, on the other hand, realizes the potential of our computer systems. His ability to adapt to new technology and use it for his own ends is in lock step with the evolution of this technology.
We all rely on myriad systems every day and, in order for them to remain secure from the adversary, we have to incorporate the culture of cyber security as part of the design, administration and use of these systems, at all levels.
Above all, security starts with the user. As the adversary has shown, the weakest link in system security is the user. The principle around which every system owner should build his system’s security is: “Cyber security is every user’s responsibility”.
Mike Chernichen is currently Manager of Corporate Security at Canadian Natural Resources Ltd in Calgary Alberta.
© FrontLine Security 2014