You CAN Stop Stupid. Ira Winkler

Чтение книги онлайн.

Читать онлайн книгу You CAN Stop Stupid - Ira Winkler страница 22

You CAN Stop Stupid - Ira  Winkler

Скачать книгу

to criminal activity. For example, online banking account reset security questions include questions such as the name of your pet or your birthday, which are frequently available on social media.

      Physical inventory is also affected by operational processes. When you are dealing with physical inventory, sometimes there are good accounting practices to ensure that every piece is properly tracked from the manufacturing to final sale to a customer and all steps in between. More often, there are less effective processes in place, and loss occurs over time.

      Operational processes should be defined by organizational governance through policies, procedures, and guidelines. Governance should specify every process in your organization and should tell people how to specifically perform their job responsibilities and how to make decisions. Chapter 13 discusses governance further, but at this point it suffices to say that most governance is poorly defined and increases operational vulnerabilities.

       Personnel Vulnerabilities

      Personnel vulnerabilities are vulnerabilities in the hiring, management, and termination of personnel involved with the organization. Obviously, you want to hire law abiding and ethical employees. However, hiring processes frequently are flawed. Poor background checks can let people slip through the cracks. Even when there are processes in place, they are sometimes ignored.

      Such was the case with Edward Snowden. Snowden resigned from the CIA in anticipation of being fired due to a variety of troubles. However, he was able to obtain a job as an NSA contractor, because USIS, the company responsible for performing his background check, did not interview Snowden's CIA co-workers, who would have disclosed his questionable activities.

      Most environments do not typically see behaviors and circumstances as egregious as those of Manning and Snowden. However, there is a great deal of mismanagement of employees who give signs of concern. While you do not want to overreact to less than ideal circumstances and behaviors, you do not want to let them go unexamined. It is important to have policies and procedures in place to govern personnel vulnerabilities, and these should be driven by the balance of your risk equation.

      Similarly, there needs to be a process when people leave an organization, regardless of whether they are fired or leave voluntarily. When people depart, they frequently take information with them. They can cause other damages. There need to be specific processes implemented for employee separation.

      You also need to have criteria for anyone else with access to your organization. Contractors, vendors, temporary employees, and any other individual who has any involvement with sensitive processes or data, or might be able to create loss, represents the same potential vulnerability as your employees.

      Much as with operational vulnerabilities, poor governance and its implementation are significant vulnerabilities with regard to the management of personnel.

       Technical Vulnerabilities

      Technical vulnerabilities can be software, hardware, or firmware based. They can also be vulnerabilities in equipment that cause injuries. Generally, with technical vulnerabilities, people assume they can bypass the users. However, we need to expand the discussion of technical vulnerabilities to include how technology is configured or maintained.

      As we are primarily interested in UIL, it is also important to recognize that technical vulnerabilities include the user interface design. While this can refer to computer interfaces, it can also refer to any interface on any piece of equipment. Such technology can cause users to initiate a loss. Interfaces can be confusing and almost force errors. For example, the DBIR highlights that a significant percentage of data breaches are caused by the email address autocomplete function filling in the wrong email address, after which sensitive data ends up being sent to the wrong person.

      Generally, you can consider a technical vulnerability as anything in the organization's environment that can be exploited or can cause an error or damage. This is an important distinction to embrace as too many people are intimidated by the underlying technology (such as esoteric programming languages), but it is the surface technology (such as user interfaces) that they regularly interact with that can be the most damaging.

      THE TWO WAYS TO HACK A COMPUTER

      People are in awe of computer hackers, believing that they are some form of modern-day magicians who can manipulate computers at will. The reality is that these hackers in general know a few extra tricks that the average person does not. Fundamentally, there are two ways to hack a computer: take advantage of problems built into the software (or hardware) or take advantage of the way that users or administrators set up and maintain the computer.

      Regarding problems built into a computer, everyone can accept that all programs have bugs. Some bugs cause the computer to crash. Other bugs create bad output. Some bugs cause elevated privileges or information leakage. These are all examples of security vulnerabilities.

      Regarding how users and administrators set up and maintain a computer, consider how bad passwords can be guessed by another party. Administrators can configure computers to provide users with unnecessary privileges. They can leave the computer open to people from outside of the organization. They can fail to enact encryption on files. There are countless ways that such user actions can make a device vulnerable.

      Again, all technology fails either by its design or through its use. Other than researching the track record of known vulnerabilities in software and hardware before you acquire it and knowing what patches can be applied to existing problems, there is little that you can do to affect technology design. That makes it all the more important to do what you can to help protect your users from hackers.

      Countermeasures

      When you look at the risk equation in Figure 4.1, you can see that countermeasures can be used to mitigate threats and vulnerabilities. However, you must consider that mitigating threats is frequently not possible or realistic. For example, you are not going to prevent hurricanes. Hurricanes will always exist. You are not going to prevent a nation-state from existing, unless you are likewise a nation-state and willing to invest significant resources. The average organization is not going to prevent outside criminals from making attacks. Even if you

Скачать книгу