By Giri Sivanesen, senior security consultant at Pentura, an IT Security Consultancy.
People will always be the weakest link in the battle to protect corporate information and data from attackers. Attacks by hackers on businesses are increasingly being committed with a similar modus operandi to corporate espionage carried out by foreign states and state-sponsored attackers. As the capabilities of security technology improve, hackers are now targeting individuals to get at the electronic information they want. This raises an intriguing mix of problems and issues for today’s corporate security managers.
Who’s a target?
In many ways, the most valuable and effective attack vector for an attacker is a person; people have characteristics that can make them particularly vulnerable and useful to those who want to carry out attacks. Insider knowledge and access can increase the impact of an attack significantly, even where the person's role is only one of facilitation, for example in a cyber attack.
Human sources such as disgruntled employees or low-wage, temporary staff, who perhaps have less loyalty to their employer, may be more easily convinced to obtain confidential documents as part of elaborate attacks that they may not be fully aware of.
How it’s done for espionage
The cultivation of human sources begins with a planned acquaintance with the target, which the adversary will try to make appear as normal and unpremeditated as possible. There have been espionage cases in the past where cultivation and recruitment of the target have taken place over a matter of weeks, months and, in some cases, years. Through any means necessary, the target will be cultivated and prepared for their role as an agent of espionage.
There have been other cases where the process has been much quicker; “cyber recruitment” can be almost instantaneous. In some instances the targets might not even be aware that they have been exploited and may become an ‘unconscious’ agent for an attacker. This process takes time, meticulous planning and skill, but once ready to assume the role, the human source can provide a rich and versatile source of information and intelligence, whether they are ‘conscious’ or ‘unconscious’ of their role.
A typical example would be:
“You are attending an industry conference overseas as a key member of the research team for a large technology company. During the trip you meet an old colleague that you know personally and hold in high regard. At the conference, your colleague introduces you to a friend who shares similar technology interests and is very flattering with respect to your published work. Over the duration of the event, you get to know him well and he is keen to learn more about your technology research at work.”
Question: How can you tell a normal business introduction from premeditated espionage?
For espionage, an introduction to the target is often sought through someone with direct access to the target (an access agent), such as the mutual friend cited in the example above. It is far more likely that the target in this example would trust a friend of a colleague more than a complete stranger.
Why it works
The motivation of people who abuse their access to provide confidential information to business competitors and criminals is complex and varied. But there are indications that the growing trend of fraud and insider vulnerabilities validates the threat of human targeting and cultivation. As a method of attack this area is growing.
In a downward market, when employment prospects may be uncertain or rewards less substantial, the risk from insiders being involved in an attack increases if personal income may be under threat. Employees are far more likely to accept cash bribes or gifts as part of a cultivation process.
How to avoid it
Employment vetting is arguably the most common way that organisations try to mitigate insider threats. A detailed employment screening and psychometric profile may help to identify personality traits that suggest an employee is susceptible to cultivation. But in the majority of cases, vetting activities are limited to only basic security checks, which are conditions for a new employment contract rather than an ongoing requisite for employment. These checks are often concentrated on more senior positions or higher wage earners, who are therefore less likely to be interested in taking cash bribes than perhaps support, temp or even cleaning staff.
Aside from vetting, many organisations choose to institute segregation of duty controls that require two or more employees to complete a business task. Whilst this may increase the administrative burden, these types of controls can make it significantly harder for an attacker, by requiring the complicity of two or potentially three people. Whistleblowing procedures are also commonly used in large organisations to detect insider threats.
Clear and concise security policies that are accurately aligned to an organisation’s security risks should underpin all efforts to effectively manage insider threats and attacks that exploit an organisation’s personnel. Together with a strong organisational security culture, thorough background checks and aftercare, organisations can develop an effective risk management programme to counter insider and other types of adversarial attacks.