Security Breach: the human factor

02/15/2010 13:51

A few weeks ago, it was reported that one of our local school districts was the victim of a security breach. This breach resulted in wire transfers totaling almost $3 million from their bank accounts to various foreign banks; reportedly 20% of the school's annual budget. While the school district has recovered most of the funds, and is working with the FBI and the State Police to recover the rest, this incident brings home the pressing need for Information Security in today's environment. (https://www.timesunion.com/AspStories/story.asp?storyID=885104#ixzz0bwm3keRx)

How this happened has not been disclosed, although the above article speculates on two likely scenarios.

One is through "phishing". This involves an email message or website that tries to fool the reader into entering protected information such as user names/passwords or account numbers. These can be very sophisticated, looking identical to the real website and sometimes pulling information from the real source so account balances look correct. In this case, they speculate that the attacker may have targeted this school district in a process known as "spear phishing" by sending to likely email addresses, with carefully crafted messages that appear to be legitimate.

Many banks and other organizations have implement security measures against this, such as choosing an image or a code for the website to display, thus identifying itself to you.

Another likely scenario is through malware (MALicious softWARE) that was installed on a critical computer. If the computer system, anti-malware and all the other applications are not up to date with the latest patches and fixes, this type of intrusion could have been installed from any number of sources. Malware can come from infected emails, social networking applications (not the sites themselves, but the silly little apps they try to get you to use on Facebook, MySpace, Linked-in, Twitter, etc.) or just being randomly scanned and having a missing patch noted, then exploited.

Think of keeping your anti-malware and other software patched and up to date as a vaccine: while it doesn't guarantee you won't catch a bug, in dramatically reduces your chances of catching one.

This incident is one of many that further highlights one of the greatest challenges in Information Security: the human factor. The risks are very real, and can have devastating effects. Below are just a few scenarios and their possible consequences:

Identity theft

What is it? Someone accesses your personal and protected information and pretends they are you to commit fraud.

Results? Criminal investigation, bad credit, lost money, and lost time as you work to prove your innocence to the creditors who were defrauded.

Stolen funds

What is it? Someone accesses an accounts and removes money

Results? Criminal investigation, lost money, lost time dealing with the issue, lost confidence in competence and trustworthiness of your organization.

Missing protected information

What is it? You cannot reasonably guarantee the security of information protected by law or regulation (e.g. medical information, financial information, personal information, etc.)

Results? Regulatory or law enforcement investigation, lost time, lost reputation, and possible mandated notifications to those affected (public disclosure).

As with any system, Information Security is only as good as those using it. The best performing car on the planet will still end up in a ditch if not driven correctly, and the strongest safe in the world is useless unless it's actually locked. As the technical sophistication of Information Security measures have increased, the nasty elements of the world have responded by changing their targets and methods: their attack vectors.

These new attack vectors are increasingly leaving the systems themselves alone and instead targeting the people using the systems. This is nothing new in human society, cons (confidence tricks) and scams have probably been around since the first humans learned to communicate. Wanna buy a magic bean?

So what can we do?

First, make sure our organization's written security policy is up to date and your people are familiar with it. This policy should be straightforward and easy to understand as it should define what your people think is appropriate behavior. Who has keys to the office? Should they access social networks (Facebook, MySpace, Linked-in, Twitter, etc.)? Can they receive personal email? Can they install programs they download? Can they access the office from home? Can they listen to internet radio? How long should passwords be?

Next we need to enforce the above policies as much as possible from a technical level. Many networks have these types of filtering capabilities and policy enforcement, but they may need to be configured and implemented to enhance the written policy. This is an investment that should save money in the long run as it can reduce the number issues with your computers.

Finally, and most importantly, we all need to adopt a security mindset. We need to make security a part of our thinking as much as other aspects of our work. Where should I save this document and who should have access to it? Does it contain any protected information? Does this email look legitimate and do I know who it is from? Do I really want to allow this program to access my computer?

Tips:

• When in doubt, don't click.
• If an email has a link, try to browse directly to the site yourself. This can bypass any hidden misdirection.
• Know your system: is that anti-virus pop-up from your anti-virus , or is it actually a virus trying to fool you?
• Reputable organization should not be sending emails that have you login from a link