29 Apr 2016
Stringent security policies are necessary in an organisation to prevent incidents of misplaced trust leading to an attack from intruders.

Trust is a word closely associated with both physical and logical security; after all, knowing who to trust is a key part of any security policy. However, when trust is wrongly assumed it rapidly becomes a key problem and a significant weakness in the security regime.

Often the weak link is human nature itself. This means that to begin to guarantee effectiveness it’s vital to have the right policies in place and to ensure that staff follow them, however draconian they may seem to the people operating and being subjected to them.

Testing security in the real world

A good example of misguided trust was recently documented. A so-called ethical hacker was employed to test the security regime of a client company. The management deliberately kept the operation a secret from the security team and staff at the business, to assure the accuracy of the results. Initially the hacker tried to gain access through online channels, which proved to be well guarded and highly secure.

The next step was for the hacker to enter the business facilities personally. This is where psychology played its part: the perpetrator kept up a friendly appearance and politely asked the reception team if he could use the toilet facilities, and the person behind the desk happily allowed him access to a non-public area. Bear in mind this was a complete stranger with no security credentials who had walked in off the street!

Perhaps the most disturbing part of the story is what happened next - the hacker left two USB keys in the toilet area for staff or visitors to find. On each drive he had included a specially designed piece of software that would auto-run and execute once accessed via a computer, stealing login credentials from the user and covertly sending them to the hacker. This effectively offers open access to the most secure parts of the company’s network! Inevitably, somebody who found the drives tried them in their computer and the hacker was informed shortly afterwards.

 

One example of misguided trust saw a hacker leave a USB in a company building. When an unsuspecting employee used it, malware was added to the company computer.

Human nature as a weakness to security policy

What the example above really highlights is just how much human nature can play its part in the way security is upheld (or broken) in the real world. The hacker explained that his other choice may have been to hand the USB keys in to the reception and simply to say he had found them in the restrooms – which would, in all likelihood, have resulted in a similar outcome.

It is debatable whether the staff were complacent or simply used misguided judgement on what appeared to be a harmless visitor, albeit an unexpected one. The fact the hacker didn’t appear to be personally involved with this potential threat perhaps lowered the guard of the reception and security team still further. Of course, those individuals who recovered the USB keys weren’t in any way coerced into using them, but curiosity got the better of them. Because the uploaded malware gave no indication it was present (literally just silently taking security data), the company could have suffered some serious problems had it been for real.

Misuse of authorised access

The consequences of misplaced trust in a secure environment can be severe, particularly with physical and logical security being so closely tied together now. It’s all well and good having impenetrable external IT security in place, but if this level of vigilance isn’t continued on the premises it can leave worrying vulnerabilities.

The example above shows how apparently good-natured assistance can be taken advantage of, but of course legitimate access can be misused by intruders in other ways too. The attacks on the Paris offices of Charlie Hebdo in January 2015 are a prime example of authorised access being hijacked, when an employee was threatened and forced to enter a code to help the terrorists gain entry and attack other members of staff.

Other examples include the ‘passback’ of security tokens between individuals (to gain multiple entry) and tailgating of unsuspecting members of staff as they enter secured areas. In a highly secure facility the protection measures need to anticipate these potential intrusion methods and provide solutions to combat them.

 

Tightened security policies can also prevent cases of people sharing access credentials and tailgating – both of which can be serious access security risks.

Security measures for countering intruder attacks

The most important lesson to be learned from all of these examples is that the culture of security within an organisation is vital - the entire team needs to be vigilant and involved. This culture needs to be regularly assessed and, if need be, revised to close any gaps or potential loopholes. It is also not good practice to rely purely upon the intuition of staff, security or otherwise. In the ethical hacker example, there was no reason for staff to be suspicious, but that is exactly how the planned attack succeeded.

This is where a stringent and watertight security policy is so important. Rather than making a judgement, staff follow procedure, and a stringent policy will tell them not to simply plug an unknown USB stick into a company device or network! Added to this, staff won’t feel the same pressure to be a ‘Good Samaritan’ to unknown visitors – policy is policy and nobody will feel guilt for denying access in these circumstances.

The layout of security measures within a business facility is also very important. The reception area should be inviting (as the name suggests) but it should also show a strong defence to those not authorised to enter. Access control systems also need to be resilient, with automated monitoring for signs of tailgating and people counters to alert the security team of any abnormalities. Equally, it’s good practice to ensure these measures extend inside the secure areas of the facility too, just in case intruders gain access through another entry point.

Making trust trustworthy

Despite the potential problems from wrongly assuming trust, it is still an essential element of all business transactions and excellent security recognises this. Taking the personal element out of security allows it to be more robust and to ensure trust is proven, rather than simply being assumed. Often the deadliest threats to security are the least obvious ones.