In the last 30 days, a single individual in the Raleigh/Durham area has managed to bypass the security protocols at two area companies and two government facilities. Recently, I attended an invitation-only business reception at a local restaurant when an uninvited guest joined the group and began networking, although she clearly did not belong. In each case the intruder got into a closed space by acting as if they belonged, and stayed there until someone realized that they did not.
We are not talking about facilities that don't understand the principles of security, a comprehensive security program, or layers of security. They get it, and they have solid security programs and protocols. So how could this happen, and how can we stop it from happening again?
Answering these questions, and addressing the conflicting forces in the workplace that lead to breaches of this type, requires an understanding of human nature and of the laws of complacency and diminishing returns. We need to begin with Billy Green's Security 101 lesson, which does such a good job of describing the concept: security is protection from injury or loss caused by the deliberate actions of people. It all boils down to people and intent, and that is true whether we are talking about physical security or cyber security. In these recent events there was a motivated person who wanted something (a physical asset, intelligence, electronic assets, damage to a reputation) and who believed they had a good chance of getting it without negative consequences.
What they wanted is almost irrelevant. We should instead focus on how access was obtained, in order to identify vulnerabilities and anticipate future events.
According to the Information Bulletin put out by the North Carolina Information Sharing and Analysis Center (NC ISAAC), the individual was confronted by security and escorted off the premises. It is believed that the individual either entered a door by following closely behind an employee of the company/agency who had the appropriate access (piggy-backing, also called tailgating) or used social engineering techniques to gain entry into controlled spaces.
Social engineering is the art of manipulating people into performing actions or divulging confidential, sensitive, or controlled information. In the workplace it is a method of trickery or deception for the purpose of gathering information, committing fraud, or gaining access to computer systems or other assets. The effective social engineer is an astute student of human nature and adapts to the environment to develop a level of trust and capitalize on human vulnerabilities and nature. (Source: Wikipedia)
None of us is completely immune to social engineering, because as human beings we tend to respond to stimuli in predictable ways depending on our age, experience, training, and other characteristics, and that predictability is exactly what the social engineer is counting on. The social engineer is most successful when they are adept at changing their manner and demeanor to fit the situation. Studies show that a female voice is more effective at drawing information out of men, and that a young, inexperienced employee will be more responsive to someone who appears to have authority. How someone dresses, how they behave, what accessories or equipment they carry: all of these non-verbal cues affect the response a social engineer is going to get.
An employee's ability to easily separate those who belong in the work environment from those who don't is a powerful tool against an outsider. If only visitors wear identification badges, a visitor can "become" an employee simply by removing their badge. If contractors are not required to wear badges, someone only needs to look like a contractor to blend in with the population.
The social engineer will use their persuasive skills to convince someone to give them what they want. The same traits that you may value in your employees are tools for the social engineer, including:
- Good customer service and helpful responses
- The belief that most people are good and are looking to do good
- Fear of being made to look foolish, or the desire to belong
- Efficiency, bypassing security protocols to get more done faster
- The assumption that everyone thinks like I do (if I obey the rules, then everyone else will too)
Effective social engineering countermeasures begin with understanding human nature and how the law of diminishing returns will affect your employees' responses to security events. Over time, people who have been oriented or trained in certain concepts or expectations reach a certain level of performance, followed by a decline in effectiveness or an increase in complacency.
For a company to have a chance of protecting its critical assets, security awareness training and reinforcement need to be a continual process.
A line often attributed to George Bernard Shaw holds that "The single biggest problem in communication is the illusion that it has taken place." It is not reasonable to expect employees to understand their responsibilities toward company assets on the basis of a single security briefing at orientation. Security programs protect the reputation, people, and hard and soft assets of the company, the very things that generate the income that allows the business to exist.
Has your management communicated to its stakeholders that the security program exists to protect them and the company’s ability to compete?
Employees expect there to be a way to lock their office, suite, or building. Other security tools such as lighting, cameras, and access control devices are the norm in today's workplace and are elements of a comprehensive security program.
Do your employees recognize that they play a key role in the company’s security program and their own protection? Or do they view security as a game that someone came up with to make their job more difficult?
The security breaches described in this article were recognized by quick-acting people who understood their responsibilities for protecting the assets. Some of them were security professionals, but in most cases of social engineering it will not be your security employees who are approached by someone trying to elicit information. The employee who "gives away the farm" will usually be someone trying to do a really good job for the company: providing information or a good customer experience, responding to what sounds like an instruction, enhancing their own value, or looking for a way to move up in the organization by helping someone out. The moral of this story is that security is everyone's business. Good security begins with understanding what the company's assets are and sharing the responsibility for protecting them with all the stakeholders through awareness, training, responsibility, and accountability.