August 13, 2007

Balancing Security and Usability: The Human Factor

Social Engineering: n. the act of obtaining, or attempting to obtain, otherwise protected data by conning an individual into revealing it.

One element of digital security that is typically overlooked is the human element. People, for the most part, are trusting and want to help others in need. While this may be good for the human race in general, it is not good for security, and that is what we are talking about here.

Training staff members to recognize and protect sensitive data is imperative to keeping it secret. In addition to recognizing what should be considered sensitive, a staff member must also be able to recognize an attempt by an unauthorized person to obtain that data.

For instance, most companies post the names of their executives and other prominent members of the organization on their website. Suppose someone calls one of your smaller offices and reaches a junior employee (we'll call her "Jen"), claiming to be the VP of sales. Most employees wouldn't challenge that claim unless they happened to know the VP personally, or had at least met him enough times to recognize his voice. Instead, Jen is likely to be on her best behavior and to want to help as much as possible. If the caller says he is on a business trip, can't seem to find the number for the IT department or help desk, and needs his password reset, Jen will happily hand over that internal number, because what harm could it do?

Now the caller dials that inside number, but instead of claiming to be a VP, he says he is a new employee (another phone call is all it takes to obtain a real employee's name to use) and that Jen told him to call here to get his password reset. Knowing the name of someone inside the company gives him perceived credibility, and because he is "new", people want to help him. If the person taking the call has not been properly trained, or no checks are in place, they will reset the password, and the intruder now has a username and password with which to access company information.

This is a greatly simplified example, but unfortunately it is not unrealistic. Without proper training, staff won't challenge someone they perceive to be their superior, so staff need both to know that they should challenge such requests and to feel comfortable doing so. In the military, soldiers are trained to challenge anyone who approaches an area they are guarding, and they are taught to respectfully demand proof of identity even from someone who claims to be a superior. That is the mindset staff should be trained with. No one wants to inconvenience another person, especially a superior, but for the sake of security and confidentiality it is sometimes necessary.

So how do we prevent things like this from happening? There are a few things that can be done.

* Teach staff to identify sensitive information, and label items "internal use only" or "confidential" so there is no confusion about what is sensitive.
* Be sure staff know never to share their password with anyone, not even the IT staff. Your IT department can reset a password if they need access to an account; it is rare that they will actually need the user's password.
* Put policies and procedures in place that control how usernames and passwords are managed. Who can perform password resets? Who can authorize them? And how do you verify the identity of the person requesting one? Verification should rest on something the caller cannot supply for himself, such as calling back the number on file in the company directory or confirming the request with the employee's manager of record, never on the name of an executive or colleague the caller happens to drop.

But above all, you need to educate your staff so they understand why these things are considered sensitive. Saying "this is bad" doesn't mean much to a lot of people; explain why it is bad, explain what can happen if that data ends up with the wrong people, and make sure they understand it. Have consequences for when data is mistakenly released, but do not rely solely on fear of consequences to get staff to follow these rules. And of course, treat your staff well. People who feel appreciated, who are happy in their jobs, and who feel they are part of the company will protect its interests. A guy you yell at, who hates where he works and doesn't really give a damn, will probably give up whatever information is asked for, because it makes no difference to him.
