THE WEAKEST LINK

Hello guys, how many of you have ever thought of copying some official data in your personal pen drive for future reference? ow many of you ever thought of keeping official email data with you on the last day in office? Have you ever prepared any RFP or presentation copying from your previous organisation’s document? Did you ever keep official data - may be presentation, or network drawings or any sales data in your personal laptop? Casual questions but have some hidden significant values! 

No wonder, in Information Security, we, insiders have been considered as the weakest link for years and we all somehow agree to this fact. We often discuss about educating end users, conducting periodic awareness campaign, carry out background verification, use technology like DLP to monitor internet & email activities, prevent usage of USB, endpoint firewalls, identity & access management ensuring no privilege escalation and our last fort - last but not the least - is to get well drafted confidentiality agreement signed off.

I am sure we are well aware of different threat vectors - social engineering, phishing, shoulder surfing, dumpster driving, malware infection, device loss - that applies to all user groups; to normal users to managers to C-suite to contractors. Different impact at different levels if end-user security is compromised; and therefore different technical and process controls. Well, still question remains whether we are really safe or it is “security through obscurity” ! 

Let’s think of few scenarios.

Non-IT Users / Normal Users: During course of their job, they gain knowledge about process, products and carry that knowledge inside brain where ever they go. Fair enough! But what if they carry this knowledge in form of pictures? All smart people have smart phones! All laptop users can carry their laptops at home where no monitoring (CCTV!) or colleague or manager to watch out. Well. Let’s not be so septic and have TRUST on employees’ HONESTY! 

Question is, if we can trust employees, then why so much investment in technologies like DLP or IAM? Answer may be RISK REDUCTION not RISK MITIGATION. So, here is ‘No Trust’ security model comes into play.

IT Users / Privilege Users / Administrators: They are the champions in technology. They have the power to play with system security settings. So there are Segregation of Duty (SOD) and Administrative Log Monitoring to rescue. Well enough! 

But what if they misconfigure some firewall or end-point security controls? After all to err is human! Are we relying heavily on Change Management process and quality audit? All are mostly reactive in nature. And in case of emergency Change, situation is more dicy. How much proactive and preventive is Administrative Log Monitoring? What if multiple administrators join hand during a lay off or organisation spinoff! Can SOD play as preventive control in such scenario? 

Answer may be same - RISK REDUCTION not RISK MITIGATION. So, here is again ‘No Trust’ security model comes into play. We cannot have complete TRUST on administrators, who are guarding the wall.

C-Suite: They are policy makers. However, what if they become policy breakers! Say, CIO is traveling and in a meeting with customer. He needs to share clients some documents that cannot be transferred in mail due to size limitation. Should we increase allowable email size temporarily to deliver the mail? Should we upload the documents in some instantly available public FTP site? Should we allow USB usage for him momentarily? Or should we say NO to his requirement? 

Now that eternal question hits the floor! Business vs Security! Leaning on exception and wondering attackers, malware or anyone else who might misuse this temporary change are busy in somewhere else!

Let’s think for a while. If it would be a case of normal users, what would be answer! If CIO takes some critical data in his personal USB! If that USB is lost! However, in most cases what we follow is Not To Follow ‘No Trust’ model for higher ups.  

Contractors: Ohh Outsiders! How we can trust outsiders when we cannot trust our insiders! No way. All possible security & process controls along with DND agreement. Is that enough?

Let’s ask ourselves whether we are scared of adopting and adapting total ‘No Trust’ security model. Well. For time being, on pen and paper, let’s look at the situation with some different perspectives. 

1. What will happen if we say ‘NO’ to any kind of policy exception until entire business comes to halt (For example, disaster recovery or business continuity)?
2. How much effective and cost beneficial to have Maker-Checker for any and all change execution?
3. What will happen if we enable camera on all laptops and carry out regular sample remote monitoring through this camera for laptop / WFH (work from Home) users? Could be this a deterrent solution to the problem of taking pictures of sensitive documents?
4. Can we entirely go for THIN Client solution where all data will reside only in Servers at Datacenters and users cannot save a single document on laptops/ desktops? Could this provide complete solution to Laptop theft?
5. Could a combination of Right Management software integrated to domain security provide complete solution to data theft by insiders?

Too many cooks spoil the broth! Similarly, too many situations - too many solutions - keep us wondering what is best-fit and in many cases divert us from actual scenario. We need to “Keep It Simple, Stupid” (KISS). However, simple thing is not that simple to achieve! Yes. I am talking about “Honesty is the best policy”. How many of us can resist out last day temptation to copy all important emails and data in personal pen drive with an excuse of future reference and forget the impact that the organisation would be bearing in case the pen drive is lost and the data in wrong hand? Trust you who are reading this article never had such temptation. We might have lots of technical and process controls; however, if the most important pillar of Information Security; i.e., PEOPLE are not honest, there is no mechanism, which can prevent an organisation from 'Insider Threat', the weakest link in Information Security.