Physical inventory is also affected by operational processes. When you are dealing with physical inventory, sometimes there are good accounting practices to ensure that every piece is properly tracked from the manufacturing to final sale to a customer and all steps in between. More often, there are less effective processes in place, and loss occurs over time.
Operational processes should be defined by organizational governance through policies, procedures, and guidelines. Governance should specify every process in your organization and should tell people how to specifically perform their job responsibilities and how to make decisions. Chapter 13 discusses governance further, but at this point it suffices to say that most governance is poorly defined and increases operational vulnerabilities.
Personnel Vulnerabilities
Personnel vulnerabilities are vulnerabilities in the hiring, management, and termination of personnel involved with the organization. Obviously, you want to hire law-abiding and ethical employees. However, hiring processes are frequently flawed. Poor background checks can let people slip through the cracks. Even when there are processes in place, they are sometimes ignored.
Such was the case with Edward Snowden. Snowden resigned from the CIA in anticipation of being fired due to a variety of troubles. However, he was able to obtain a job as an NSA contractor, because USIS, the company responsible for performing his background check, did not interview Snowden's CIA co-workers, who would have disclosed his questionable activities.
Personnel vulnerabilities extend beyond hiring and into the day-to-day management of employees. Some organizations fail to review employees on a regular basis and fail to take action when warranted. Chelsea Manning reportedly had violent confrontations with her parents before enlisting in the U.S. Army, which included threatening her stepmother with a knife. Before Manning stole classified information, she was involved in several incidents, including assaulting a supervisor and sending an email to superiors that literally stated she was emotionally troubled. There should have been adequate enforcement of policies in place so that these incidents would have resulted in rescinding access to classified information long before she stole it.
Most environments do not typically see behaviors and circumstances as egregious as those of Manning and Snowden. However, there is a great deal of mismanagement of employees who give signs of concern. While you do not want to overreact to less than ideal circumstances and behaviors, you do not want to let them go unexamined. It is important to have policies and procedures in place to govern personnel vulnerabilities, and these should be driven by the balance of your risk equation.
Similarly, there needs to be a process when people leave an organization, regardless of whether they are fired or leave voluntarily. When people depart, they frequently take information with them. They can cause other damages. There need to be specific processes implemented for employee separation.
You also need to have criteria for anyone else with access to your organization. Contractors, vendors, temporary employees, and any other individual who has any involvement with sensitive processes or data, or might be able to create loss, represents the same potential vulnerability as your employees.
Much as with operational vulnerabilities, poor governance and its implementation are significant vulnerabilities with regard to the management of personnel.
Technical Vulnerabilities
Technical vulnerabilities can be software, hardware, or firmware based. They can also be vulnerabilities in equipment that cause injuries. Generally, with technical vulnerabilities, people assume they can bypass the users. However, we need to expand the discussion of technical vulnerabilities to include how technology is configured or maintained.
For example, poor passwords can be considered a technical vulnerability, as they can be technically exploited by someone who guesses the passwords. The result is an external malicious attack directly against the computer, arising from a technical vulnerability that was enabled by a user, who in turn was allowed to choose such a password by their IT department, which in turn was governed by the organization's existing policies. So, as you can see, the technical vulnerability is not just something inherent in the software or hardware, independent of any user interaction. Users are involved at many levels.
As we are primarily interested in UIL, it is also important to recognize that technical vulnerabilities include the user interface design. While this can refer to computer interfaces, it can also refer to any interface on any piece of equipment. Such technology can cause users to initiate a loss. Interfaces can be confusing and almost force errors. For example, the DBIR highlights that a significant percentage of data breaches are caused by the email address autocomplete function filling in the wrong email address, after which sensitive data ends up being sent to the wrong person.
Generally, you can consider a technical vulnerability as anything in the organization's environment that can be exploited or can cause an error or damage. This is an important distinction to embrace as too many people are intimidated by the underlying technology (such as esoteric programming languages), but it is the surface technology (such as user interfaces) that they regularly interact with that can be the most damaging.
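The autocomplete misdelivery cited above is a good illustration of a surface-technology vulnerability that a simple countermeasure can catch. The following is an added example, not code from the book: a pre-send check that compares each autocompleted recipient against the sender's address book and flags the three confusable cases (same name at another domain, a near-identical spelling, and a never-used domain). The address book entries and the `ADDRESS_BOOK`, `split_address` and `check_recipients` names are constructed for the example.

```python
import difflib

# Constructed address book for the example: contacts this sender has mailed before.
ADDRESS_BOOK = [
    "pat.lee@client.example",
    "pat.lee@rivalcorp.example",
    "dana.ortiz@ourcompany.example",
    "finance@ourcompany.example",
]

def split_address(addr):
    """Return (local_part, domain) of an email address, lower-cased."""
    local, _, domain = addr.strip().lower().partition("@")
    return local, domain

def check_recipients(recipients, address_book=ADDRESS_BOOK, similarity=0.85):
    """Flag recipients that are easy to confuse with another known contact.

    Returns a list of (recipient, code, related) tuples; an empty list means
    no concern. Codes: 'same-name-other-domain', 'look-alike', 'unknown-domain'.
    """
    findings = []
    book = [a.strip().lower() for a in address_book]
    known_domains = {split_address(a)[1] for a in book}
    for rcpt in recipients:
        rcpt = rcpt.strip().lower()
        r_local, r_domain = split_address(rcpt)
        for known in book:
            if known == rcpt:
                continue
            k_local, _k_domain = split_address(known)
            if k_local == r_local:
                # Same person name at another organisation: the classic
                # "autocomplete picked the wrong Pat" misdelivery.
                findings.append((rcpt, "same-name-other-domain", known))
            elif difflib.SequenceMatcher(None, rcpt, known).ratio() >= similarity:
                # A character or two off from a real contact (typo or look-alike).
                findings.append((rcpt, "look-alike", known))
        if r_domain not in known_domains:
            # Nobody at this domain has been mailed before; worth a confirmation prompt.
            findings.append((rcpt, "unknown-domain", r_domain))
    return findings
```

A mail client plugin or outbound gateway would run this before the message leaves and ask the user to confirm any flagged recipient, turning a silent interface error into a visible decision.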
THE TWO WAYS TO HACK A COMPUTER
People are in awe of computer hackers, believing that they are some form of modern-day magicians who can manipulate computers at will. The reality is that these hackers in general know a few extra tricks that the average person does not. Fundamentally, there are two ways to hack a computer: take advantage of problems built into the software (or hardware) or take advantage of the way that users or administrators set up and maintain the computer.
Regarding problems built into a computer, everyone can accept that all programs have bugs. Some bugs cause the computer to crash. Other bugs create bad output. Some bugs cause elevated privileges or information leakage. These are all examples of security vulnerabilities.
Regarding how users and administrators set up and maintain a computer, consider how bad passwords can be guessed by another party. Administrators can configure computers to provide users with unnecessary privileges. They can leave the computer open to people from outside of the organization. They can fail to enact encryption on files. There are countless ways that such user actions can make a device vulnerable.
Again, all technology fails either by its design or through its use. Other than researching the track record of known vulnerabilities in software and hardware before you acquire it and knowing what patches can be applied to existing problems, there is little that you can do to affect technology design. That makes it all the more important to do what you can to help protect your users from hackers.
Countermeasures
When you look at the risk equation in Figure 4.1, you can see that countermeasures can be used to mitigate threats and vulnerabilities. However, you must consider that mitigating threats is frequently not possible or realistic. For example, you are not going to prevent hurricanes. Hurricanes will always exist. You are not going to prevent a nation-state from existing, unless you are likewise a nation-state and willing to invest significant resources. The average organization is not going to prevent outside criminals from making attacks. Even if you