The Biggest Risk to Security Might Be You...

Sunday, April 04, 2010

Theresa Payton


Everyone asks me what the greatest threat to security is. They are visibly disappointed when I give them my answer.

I think most of them expect me to say, "China! They are out to get us!" or, "The Russian Business Network - they are wicked smart!" or, "Cybercriminals, they are always after your money."

These are real threats and you need to protect yourself from them.

I believe there is a bigger threat, and dear reader, I believe it is you or maybe your co-worker.

Are you Mr. Incredible?  You do it all - juggle kids, work, family obligations.  This requires you to take work with you everywhere you go.

Imagine this...

You have work to do but your kid's soccer game is coming up. Well, just download 3.3 million borrower records to your thumb drive and you are in business. You can work anywhere. You might even be able to work in the car while your kid's team warms up.

Well, Mr. Incredible, if you worked at ECMC, you just created the largest, most incredible breach ever.

We don't know why an employee downloaded 3.3 million people's student loan records to a thumb drive, but we will soon. 3.3MM people equates to as many as 5% of all federal student-loan borrowers.

Their data is on a thumb drive that is now missing.

Not to worry, students, I think it only had your names, addresses, Social Security numbers and other personal data on it.

This particular Mr. Incredible works in St. Paul, Minn., at the headquarters of Educational Credit Management Corp., a nonprofit guarantor of federal student loans.

You will be glad to read this quote from the ECMC spokesperson, Paul Kelash:  "It was simple, old-fashioned theft.  It was not a hacker incident."  Wow, that is comforting!

This comes right on the heels of another data theft earlier in March 2010, when a former employee of HSBC Holdings PLC allegedly stole data on about 24,000 Swiss private-bank accounts.

The conversation about the insider threat is the non-sexy side of security, but it can cause some of the greatest chinks in the armor. The "insider threat" is often like carbon monoxide poisoning: silent and hard to detect. I break the threat down into three character profiles:

1.  Robert Hanssen
2.  Eve from Wall-E
3.  Mr. Incredible

Robert Hanssen – Intentional:

Robert Hanssen was a former U.S. FBI agent who turned over information to Russian intelligence services for cash and diamonds.  

It is also suspected he did it because he wanted to prove something to himself and others.

This employee type knowingly wants to cause harm, either because they want to make a buck or because they feel it is their version of payback time.

Eve from Wall-E – Unintentional Public Disclosure (Think Millennials):

Eve is on a mission and she wears that mission on her chest. She's after plant life and she does not care who she broadcasts that mission to.

She cannot keep a secret and she is overjoyed and beams when she finds plant life.  The generation joining the workforce now and for the next 10-15 years is a lot like Eve.

When they experience emotions, they will wear them openly via cyberspace. That openness may also include blog posts, tweets, and Facebook posts about the latest project they are working on.

Recently, an over-exuberant Microsoftie was caught talking about the virtues of Windows 8.

His posts have been removed.  Before they were, we did manage to learn that the next version will be “unlike anything users expect of the operating system”. And that they are moving to 128-bit.  

A tough blow for their competitors, and a gift for bad guys that want to be ready to hack the new version the moment it arrives.

Mr. Incredible – Accidentally Breaks Your Defenses:

Your model employee, the hidden threat until it's too late.

I love Mr. Incredible.

He has great strength and a heart of gold. He wants to take on the world and use his talents but was forced to hide his talents within the system.

In one scene, in striving to do what is right and just, he accidentally injures his own boss.

I tell organizations that their biggest threat may actually be their Mr. Incredible employees. These are the people that will do whatever it takes to work for you: days, nights, weekends, and holidays.

They are the fearless defenders of creating the latest report or implementing the latest technology for your company. If that means downloading tons of information to a portable device so they can work on their vacation, they will.

If it means throwing the laptop in the car on the way to pick up their kids, with a stop at the grocery store where the laptop is left unattended…whoops!

They do not mean to put the company at risk but their drive to get it done exposes your data.

The missing data costs your reputation, puts your intellectual property at risk, may expose innocent people to identity theft, and can create lengthy, costly lawsuits.

Just ask the VA. A model employee was working on VA business at home when their home was burglarized.

A VA laptop was among the stolen goods and had the Social Security numbers of 26.5MM active duty military and veterans on it.

The VA has agreed to pay $20MM to settle a class action lawsuit.  In a true miracle mix of skills and luck, the FBI managed to recover the stolen laptop and it is believed the data was not used by the criminals.

Until we deal with the insider threat, I will not run out of blog posts!

As always, would love your comments and feedback. 

K S Abhiraj: Yes! The caption being very true...
The weakest vulnerability in a million dollar firm is its 'PEOPLE'!

Cr00zng Around: People have always been the weakest link in anything, well before computers even existed. It's been that way ever since the beginning of humankind. The only difference nowadays is the magnitude of the loss, thanks to the technology making it easier every day for everyone, instead of the selected few in the past.

The "26.5MM" sounds more like a firearm caliber, a big caliber at that, than million; especially when the blog talks about "active duty military and veterans". While it is used in finance, the Roman numeral "M" stands for 1,000, while "MM" stands for 2,000. For me, poor security-conscious soul, a single "M" would be just fine to indicate million. Thank you...

Stephen Cheney: The Pirate Ship.
When a Boss pushes his staff to deliver in short time frames he is setting up a conflict of interest. Something must get sacrificed by staff to cut corners, and often what is sacrificed is security, as security imposes restrictions on information and the time needed to get it. Security causes delays, and the boss has just ordered that there is to be no delay. Giving dictatorial orders without looking at what is to happen to achieve them is poor management and self-destructive to any organisation. Often a manager's management style is a problem to an organisation, but who cares if the Board doesn't? Those at the top care about results and for failures they will kick butt. Drowning starts at the bottom. Those at the top of the ship can always, and do, jump ship if it is sinking, often taking a lot of the profits from the treasury with them in bonuses. Caring about staff is a different management style with more consultation and less extreme behaviour. There is more, not less, control. A driver may steer his vehicle and expect it to always do as he commands. But a more intelligent driver will consult when needed with his mechanic to see what the current capabilities of his vehicle are, and if it is not capable then discuss what is first needed to enable the vehicle to do as he wishes.

Staff, being human, will take risks when they have been put into a crisis by uncaring boss/es. Staff will weigh up what is the greater risk. The greatest risk for them is failure to deliver, as the boss will be aware of that result and the failure cannot be hidden. The risk of security breaches and other corner-cutting measures, this being done in good faith by trusted staff who see no danger as it is they themselves who are in control of the process, is deemed a risk worth taking, as any skirting around security for the good of the boss may be deemed a worthy cause, and a risk that can be hidden. Such risks would not be the most prominent thing in their minds at present; they have problems to solve. Has not the Boss just given his sanction? If such a Boss were approachable for discussion of his orders then perhaps a process to obey difficult orders could be worked out together.

But the type of Boss in question does not allow his orders to be questioned or discussed; he expects to be Obeyed and rates his staff and determines their future careers on that. He is power mad and does not expect others to do their job unless He instills fear and retribution. Left to their own devices and the commands binding them, staff seek out any and all means to obtain the result required. They understand that it is only the result that the Boss really cares about, not the means to get it. How it is done is now the staff's responsibility and risk, and the Boss doesn't want to know, and He can then blame staff if what they do causes damage. After all, the Boss didn't actually Tell his staff to do wrong; he only gave them a directive forcing them into a corner where most ways out involve wrongdoing. The choice of what they do is in the staff's hands, and they are expendable. O' but it's great to rule the world: a General can watch from on high, his many followers below struggling and dying to carry out his commands, while he considers his next move up the ladder. Information security should be a standard tick-box item to be considered before doing any task. Considered by Boss and staff mutually.

Theresa Payton: K.S. Abhiraj - thank you for your post. Always interested in hearing real stories as well.

Theresa Payton: Cr00zng Around: Thank you for your post. I agree that people are the weakest link in many areas beyond infosec.

Theresa Payton: Stephen Cheney, thank you for your post. You bring up some great points about leadership, discipline, attention to quality and security, and making sure your board "gets it" and cares.

Candice Gabriels: Stephen Cheney, I think you've highlighted some very relevant issues leading to data security breaches in this regard. Being a Mr Incredible myself, I can relate to the article 100%. Trying to get the job done to meet deadlines is always going to be an issue; it's about formulating data safety guidelines, educating staff about these guidelines and ensuring processes are in place to deal with any breaches. As an organisation's employees we all have a responsibility to ensure the data in our possession is kept secure, regardless of our best intentions as Mr Incredibles!