ITS 4210 - Access Control, Authentication, and PKI
Chapter 7, Human Nature and Organizational Behavior
This lesson reviews needs for access controls to manage expected behaviors.
Objectives important to this lesson:
- Human nature as a cause for access controls
- Organizational model for access controls
- Separation of duties
- Responsibilities of access owners
- Employee training
- Handling behavior
Chapter 7 returns to the discussion of the effects that human behaviors
have on our organization. The text seems to be on the nature side of the
nature vs. nurture argument. If you don't know what I mean, follow that link
to some ideas about a concept that has bothered scientists for a long
time. Are some aspects of humans determined completely by their environment
(nurture) or by their biology
(nature)? I suspect that the answer is usually a combination of the two,
but there is a third idea as well,
that we can determine our own
outcomes or actions in some cases. I may not be able to wish myself into
being another kind of creature, but I hope I can decide
to be a better man than I might otherwise be. So, when the authors talk
about some aspects of human nature, we should allow that the meaning of
the passage is about observable human behavior, regardless of its cause.
Some threat types are described in the first pages of the chapter:
- Unintentional threats - People often do not think about security.
They don't worry about opening an email attachment, following a link,
leaving equipment unprotected, or otherwise exposing themselves and
their workplace to threats. They don't mean to cause any harm, but they
can still become the vulnerable avenue for an exploit. The text warns
us to train people in security awareness, to remind them often enough
to do some good, and to install security controls to minimize these risks.
- Hackers - This text simplifies
hackers into two categories: those who are after money and those who
are after status. The ones who want "money" may be after something they
want themselves (and would not pay for) or something they hope to sell
or ransom back to the owner.
- Social engineers - A social
engineer is what we used to call a con artist. He or she is someone
trying to get someone else to do something they should not do. On the
other hand, you could use social engineering techniques to get someone
to do something they should do, but that is another topic. The text
presents an outline of features commonly seen in social engineering:
- Assumed identity - The social engineer often pretends to be someone
the victim will or should trust, such as an IT support person, an
executive with a problem, or a new employee who needs help.
- Believability - A background story that explains what the social
engineer is doing there, why we should supply what they want, and
why we should do it right away is very helpful in getting the victim's
cooperation. In con artist terms, this part may be called telling
the mark the tale.
- Multiple contacts - Some social engineering exploits involve one
contact with the victim, because that is all it takes to get the desired
outcome. Others require a bit more familiarity with the victim, so
the social engineer may make a series of contacts, either gathering
data with each one, or preparing the victim with the earlier contacts
for the moment of trust that the real exploit requires.
- Request for help - The classic exploit involves a request to grant
access, to change a password, or to reveal something the victim can
access or already knows. The social engineer presents a reasonable
need for that information or access, which should be granted as a
favor for the poor helpless person they are portraying.
The text has a few pages with ideas about hiring the right people for
sensitive positions. From the perspective of a student looking for work,
you will want to know about the generally accepted factors that go into
a hiring decision. Read this material, and believe that the prospective
employer really will ask for and check this data.
The next main topic in the chapter links back to the material on social
engineering. The text explains that an organization's structure usually
has three or more layers.
- Staff, who have the fewest access rights
- Operational management, who have more access rights
- Upper level or senior management, who typically have the most rights
This common structure explains why a social engineer may pretend to be
a member of senior management, who has forgotten a password, or who has
lost rights to some asset that is needed for a pressing task immediately.
Of course, the poor victim will feel the need to do the senior person
a favor, if the request is made artfully.
A better model to follow is to grant access based on the needs of one's
job. Of course, this makes it more difficult for the social engineer,
but it only means the grifter
has to do deeper research to find the right person to impersonate. Three
suggestions are presented to counteract this problem:
- Job rotation - If people in
sensitive positions are moved on a regular basis, a rogue employee will
only be in one position for the time allowed, and a social engineer
may have trouble finding out who to impersonate currently.
- Required vacations - This
concept addresses the same one that rotation does: don't allow anyone
to continue in a sensitive role indefinitely. A required vacation presumes
a substitute or backup person, who must know the job well enough to
do it and to notice if the usual person were doing anything inappropriate.
- Separation of duties - As
noted in most texts, a common control on money is to make sure it cannot
be moved or spent without the cooperation of several agents. This does
not apply equally in terms of data. Money cannot be copied, but data
can. This concept applies to the world of data by making sure that reviews
and audits are done regularly, by people in a different branch of the
The text makes a point of explaining that the people called access
owners (or data owners,
or other titles) have a responsibility to protect
their data, which includes the proper oversight
of granting access rights. In practice, this may mean that such a person
is interviewed by IT staff who translate the owner's business requirements
into program code or procedures that IT staff can follow. You should review
the bullet points about this, and understand that the actual performance
of each of those points will involve business staff, general IT staff,
and IT security staff.
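The two ideas above, granting rights by job need and requiring several independent agents before money moves, are exactly the kind of owner requirement that IT staff end up translating into program code. The following is an added example written for these notes, not code from the textbook or the course; every role, permission name, department, threshold and sample user in it is constructed for illustration.

```python
"""Added example for these notes, not code from the textbook: a small
job-based (least-privilege) access policy with separation-of-duties
checks, written the way an access owner's rules might be turned into code.
All roles, permissions, departments, thresholds and users are constructed."""
from dataclasses import dataclass, field

# Constructed role -> permission map: each job gets only what it needs.
ROLE_PERMISSIONS = {
    "staff": {"read_ledger"},
    "ops_manager": {"read_ledger", "initiate_transfer"},
    "finance_director": {"read_ledger", "approve_transfer"},
    "internal_auditor": {"read_ledger", "review_transfers"},
}

# Constructed "toxic combination": nobody may both initiate and approve,
# no matter how many roles they accumulate over time (job rotation risk).
CONFLICTING_PERMISSIONS = [("initiate_transfer", "approve_transfer")]

REQUIRED_APPROVALS = 2  # constructed threshold before money moves


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str


@dataclass
class Transfer:
    amount: int
    initiator: User
    approvers: list = field(default_factory=list)


def permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def role_conflicts(user):
    """Static separation of duties: permission pairs one person should
    never hold at once. An empty list means the assignment is clean."""
    perms = permissions(user)
    return [p for p in CONFLICTING_PERMISSIONS if p[0] in perms and p[1] in perms]


def initiate(initiator, amount):
    """Start a transfer; returns None if the job does not carry that right."""
    if "initiate_transfer" not in permissions(initiator):
        return None
    return Transfer(amount, initiator)


def approval_violation(transfer, approver):
    """Dynamic separation of duties for one approval step. Returns a
    reason string when the approval must be refused, else None."""
    if "approve_transfer" not in permissions(approver):
        return "approver lacks the approve_transfer right"
    if approver.name == transfer.initiator.name:
        return "initiator may not approve their own transfer"
    if approver.department == transfer.initiator.department:
        return "approver must sit in a different department than the initiator"
    if any(a.name == approver.name for a in transfer.approvers):
        return "the same person may not approve twice"
    return None


def approve(transfer, approver):
    """Record an approval if policy allows it; True on success."""
    if approval_violation(transfer, approver) is not None:
        return False
    transfer.approvers.append(approver)
    return True


def can_execute(transfer):
    """Money moves only after enough independent approvals are recorded."""
    return len(transfer.approvers) >= REQUIRED_APPROVALS


# Constructed sample organization.
ALICE = User("alice", frozenset({"ops_manager"}), "operations")
BOB = User("bob", frozenset({"finance_director"}), "finance")
CAROL = User("carol", frozenset({"finance_director"}), "operations")
DAVE = User("dave", frozenset({"finance_director"}), "treasury")
EVE = User("eve", frozenset({"ops_manager", "finance_director"}), "finance")


def demo():
    """Walk one transfer through the policy; returns each step's outcome."""
    t = initiate(ALICE, 5000)
    steps = [
        approve(t, ALICE),  # False: no approve right
        approve(t, CAROL),  # False: same department as the initiator
        approve(t, BOB),    # True: first independent approval
        approve(t, BOB),    # False: same person twice
        approve(t, DAVE),   # True: second independent approval
    ]
    return steps, can_execute(t), role_conflicts(EVE)
```

Running `demo()` shows the transfer executing only after two approvers from departments other than the initiator's have signed off, and `role_conflicts(EVE)` flags the one user whose accumulated roles would let her bypass the control on her own, which is the check a periodic access review by a different branch would be looking for.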
The text moves on to discuss training employees in security issues, such
as resisting social engineering (the authors seem very afraid of this)
and maintaining awareness of security needs. The main idea is that there
should be clear training, employees should be able to look up rules when
they are needed, and there should be multiple ways to ask for help in
this area, including web resources, other employees, and security staff
who may be consulted with questions.
The text offers two suggestions that cover many situations:
- Acceptable use policy - A well crafted acceptable use policy should
give employees a sense of how protective of our environment we need
to be. It is a starting point, in many cases, not an end point.
- Security awareness policy - This is a daily problem, so one session
talking about security is not enough. Reminders, preferably in different
formats and media, should be offered to employees regularly.
As we have discussed before, the security policies of your organization
should be made available to all employees, and efforts should be made
to make compliance a default behavior.