You CAN Stop Stupid. Ira Winkler
Read online: You CAN Stop Stupid, Ira Winkler, page 21
Outsider malicious threats are generally people with criminal intent. These people target your users with the intent to exploit them. Either they intend to get your users to commit actions on their behalf or they essentially assume the identity and access of your users. For example, an outsider might attempt to trick employees into sending them sensitive information. Alternatively, outsiders might steal credentials through phishing attacks and then use those credentials, appearing to be your own user, to steal information.
We can further break down malicious outsider threats by the scope of their ability and resources. Nation-states have nearly unlimited resources and ability. When North Korea targeted Sony, they poured an incredible amount of resources into finding a way into Sony's corporate network. They eventually compromised administrator credentials and, once in, had a large enough team to quickly scour the Sony network to both steal information and create massive damage.
On the lower end of malicious outsider threats, you have opportunists who take what is easily available. From an IT perspective, low-skilled hackers target people randomly with tools available on the Internet. If they are successful in gaining a foothold, they take whatever they find available.
Beyond the malicious outsider threats, we have malicious insider threats. These can be employees within an organization, users, business partners, customers, or any other type of user who deals with your organization. Some of these users steal equipment, software, or materials for personal use. Other malicious insiders sabotage the organization's products, services, or reputation. Others actively try to undermine the morale or productivity of other users.
People often focus on malicious outsiders when they think of threats. But from the perspective of reducing UIL, one of the primary threats is the user. That might sound counterintuitive, but consider the following points. The DBIR reports that 28% of incidents are the result of malicious insiders. Add to that the malicious outsider threats that attempt to exploit the user in some way, with the user acting as a malignant “who” threat who unwittingly (or uncaringly) enables those attackers. Then add to that the number of other ways that users function as a malignant “who” threat and accidentally or unknowingly initiate loss. Obviously, it is important to address malicious outsider threats. However, it is equally important to address users, as they have the potential, intentional or otherwise, to be involved in your organization experiencing vast amounts of loss.
Vulnerabilities
Without a vulnerability to exploit, threats would be irrelevant. The reality, though, is that vulnerabilities are plentiful in just about any business environment. If you do any business at all, there will be vulnerabilities.
When we give presentations, we sometimes ask the audience, “Can anyone describe how to achieve perfect computer security?” The most common answer is, “Unplug the computer.” Our response is, “Congratulations! You just committed a denial-of-service attack against your own computer.”
There can never be a complete absence of vulnerability. You need to provide users with the ability to perform their job functions, and that will inevitably create vulnerabilities. Increasing the depth and breadth of functions provides the ability to deliver more value, but doing so also provides the opportunity to create more loss. It all boils down to finding the right balance.
Different categories of vulnerabilities are more prominent than others in various organizations, and it is important to be aware of each of them and consider their relevance to your users. The following sections address some basic types of vulnerabilities to consider as you look to mitigate UIL. These include physical, operational, personnel, and technical vulnerabilities.
Physical Vulnerabilities
Physical vulnerabilities are tangible in some way. Such vulnerabilities allow for access to an organization or its resources.
Most organizations have buildings, and many have outside properties where materials are stored. These facilities generally have perimeters that are protected by walls and fences. While people assume perimeters keep outsiders out, the reality is that the perimeters usually possess many vulnerabilities.
Such vulnerabilities may include doors and gates that are not closed and locked, unmonitored entrances, materials left on the property but outside of the protective perimeter, information visually exposed due to open windows, materials exposed to the weather, poor monitoring of visitors, and so on. All of these physical vulnerabilities present opportunities for your resources to be damaged by the environment or by outsiders.
Sometimes organizations take their physical perimeter for granted, and they unknowingly circumvent it. One example of this is leaving materials on the property but actually outside of the protective perimeter. Another example is having users work remotely. If users can access the facility without having to cross the physical perimeter, that is effectively a physical vulnerability.
Often, organizations put some level of faith into perimeter security and then leave resources vulnerable inside their facilities. In reality, internal physical vulnerabilities are as important as external vulnerabilities. If a malicious outsider makes it past your perimeter security, they can pass as an insider. And it is a rare organization that has absolutely no malicious insiders.
What vulnerabilities might a malicious threat see inside your perimeter? Things that come to mind include equipment to steal, computers left logged in and unattended, papers left on printers in public areas, unattended desks, file cabinets unlocked, sensitive information left on whiteboards, telecommunication equipment rooms left unlocked, USB drives untracked, and countless other things. You don't have to be a world-renowned penetration tester to see how your organization leaves resources vulnerable to anyone with malicious intent.
At the same time, you also need to recognize what leaves you vulnerable to accidental compromises or damages. For example, do people leave coffee cups on printers? Is fragile equipment transported in an unsafe manner? Is information stored on USB drives that are easy to lose? Accidental damage to resources sometimes creates greater loss than malicious actions.
Vulnerabilities are not just relevant to equipment, materials, and data. You must also be concerned about physical vulnerabilities of your environment that put people at risk. Unattended doors allow for intrusions where outsiders can enter and do harm to your people. Obstacles and sharp edges can cause injuries. Moving vehicles can hit people. While there are some freak injuries, with an open mind, you can identify a great deal of vulnerabilities that can result in injury. These factors relate to safety science, which we discuss in Chapter 7.
Operational Vulnerabilities
Operational vulnerabilities are vulnerabilities in business processes that can cause loss. Within every business operation, there are some steps that allow for human error or facilitate malicious activity. For example, the collection of information itself is a potential vulnerability, but collecting excessive information is an additional, unnecessary vulnerability.
There will always be a vulnerability in any business process. You need to identify these vulnerabilities so that you can proactively account and prepare for their potential exploitation. You also need to watch for operational vulnerabilities that do not need to exist.
Websites are an example of this. You need to provide information. However, that information does not have to be excessive. Social media is an extension of this concept. Individuals want to share their lives, yet at the same time, they share so much that they expose themselves unnecessarily