ITS 4210 - Access Control, Authentication, and PKI

Chapter 7, Human Nature and Organizational Behavior

Objectives:

This lesson reviews needs for access controls to manage expected behaviors. Objectives important to this lesson:

  1. Human nature as a cause for access controls
  2. Organizational model for access controls
  3. Separation of duties
  4. Responsibilities of access owners
  5. Employee training
  6. Handling behavior
Concepts:

Chapter 7

Chapter 7 returns to the discussion of the effects that human behaviors have on our organization. The text seems to be on the nature side of the Nature vs. Nurture argument. If you don't know what I mean, follow that link to some ideas about a concept that has bothered scientists for a long time. Are some aspects of humans determined completely by their environment (nurture) or by their biology (nature)? I suspect that the answer is usually a combination of the two, but there is a third idea as well, that we can determine our own outcomes or actions in some cases. I may not be able to wish myself into being another kind of creature, but I hope I can decide to be a better man than I might otherwise be. So, when the authors talk about some aspects of human nature, we should allow that the meaning of the passage is about observable human behavior, regardless of its cause.

Some threat types are described in the first pages of the chapter:

  • Unintentional threats - People often do not think about security. They don't worry about opening an email attachment, following a link, leaving equipment unprotected, or exposing themselves and their workplace to other threats. They don't mean to cause any harm, but they can become the vulnerable avenue for an exploit without meaning harm themselves. The text warns us to train people in security awareness, to remind them often enough to do some good, and to install security controls to minimize these risks.
  • Hackers - This text simplifies hackers into two caategories: those who are after money and those who are after status. The ones who want "money" may be after something they want themselves (and would not pay for) or something they hope to sell or ransom back to the owner.
  • Social engineers - A social engineer is what we used to calll a con artist. He or she is someone trying to get someone else to do something they should not do. On the other hand, you could use social engineering techniques to get someone to do something they should do, but that is another topic. The text presents an outline of features commonly seen in social engineering exploits:
    • Assumed identity - The social engineer often pretends to be someone the victim will or should trust, such as an IT support person, an executive with a problem, or a new employee who needs help.
    • Believability - A background story that explains what the social engineer is doing there, why we should supply what they want, and why we should do it right away is very helpful in getting the victim's cooperation. In con artist terms, this part may be called telling the mark the tale.
    • Multiple contacts - Some social engineering exploits involve one contact with the victim, because that is all it takes to get the desired outcome. Others require a bit more familiarity with the victim, so the social engineer may make a series of contacts, either gathering data with each one, or preparing the victim with the earlier contacts for the moment of trust that the real exploit requires.
    • Request for help - The classic exploit involves a request to grant access, to change a password, or to reveal something the victim can access or already knows. The social engineer presents a reasonable need for that information or access, which should be granted as a favor for the poor helpless person they are portraying.

The text has a few pages with ideas about hiring the right people for sensitive positions. From the perspective of a student looking for work, you will want to know about the generally accepted factors that go into a hiring decision. Read this material, and believe that the prospective employer really will ask for and check this data.

The next main topic in the chapter links back to the material on social engineering. The text explains that an organization's structure usually has three or more layers.

  • Staff, who have the fewest access rights
  • Operational management, who have more access rights
  • Upper level or senior management, who typically have the most rights

This common structure explains why a social engineer may pretend to be a member of senior management, who has forgotten a password, or who has lost rights to some asset that is needed for a pressing task immediately. Of course, the poor victim will feel the need to do the senior person a favor, if the request is made artfully.

A better model to follow is to grant access based on the needs of one's job. Of course, this makes it more difficult for the social engineer, but it only means the grifter has to do deeper research to find the right person to impersonate. Three suggestions are presented to counteract this problem:

  • Job rotation - If people in sensitive positions are moved on a regular basis, a rogue employee will only be in one position for the time allowed, and a social engineer may have trouble finding out who to impersonate currently.
  • Required vacations - This concept addresses the same one thatt rotation does: don't allow anyone to continue in a sensitive role indefinitely. A required vacation presumes a substitute or backup person, who must know the job well enough to do it and to notice if the usual person were doing anything inappropriate.
  • Separation of duties - As noted in most texts, a common controll on money is to make sure it cannot be moved or spent without the cooperation of several agents. This does not apply equally in terms of data. Money cannot be copied, but data can. This concept applies to the world of data by making sure that reviews and audits are done regularly, by people in a different branch of the organization.

The text makes a point of explaining that the people called access owners (or data owners, or other titles) have a responsibility to protect their data, which includes the proper oversight of granting access rights. In practice, this may mean that such a person is interviewed by IT staff who translate the owner's business requirements into program code or procedures that IT staff can follow. You should review the bullet points about this, and understand that the actual performance of each of those points will involve business staff, general IT staff, and IT security staff.

The text moves on to discuss training employees in security issues, such as resisting social engineering (the authors seem very afraid of this) and maintaining awareness of security needs. The main idea is that there should be clear training, employees should be able to look up rules when they are needed, and there should be multiple ways to ask for help in this area, including web resources, other employees, and security staff who may be consulted with questions.

The text offers two suggestions that cover many situations:

  • Acceptable use policy - A well crafted acceptable use policy should give employees a sense of how protective of our environment we need to be. It is a starting point, in many cases, not an end point.
  • Security awareness policy - This is a daily problem, so one session talking about security is not enough. Reminders, preferably in different formats and media, should be offered to employess regularly.

As we have discussed before, the security policies of your organization should be made available to all employees, and efforts should be made to make compliance a default behavior.

 

Assignments for Chapter 7

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.