People and Technology: An Analysis for Part 3
In our imaginary unethical hacker's third confession, we can see he is pretty smart. He's created a
problem and showed up to fix it. If you've ever seen an employee's reaction to the network going
down, it is quite similar to a hungry person's reaction when their food gets stuck in a vending
machine. The higher the priority of items that an employee is working on, the more stress a network
outage causes. Stress usually causes poor security decisions to be made. Our unethical hacker has
created a situation in which he has just been granted the authority to do just about anything with the
networking equipment on that remote site. Any technology that can be deployed may prevent some
attacks (e.g., 802.1X), but may not prevent others (e.g., keystroke loggers). There are too many
attacks possible for someone with physical access to your networking equipment and more than likely
he is not being monitored – or if he is being monitored, it is by individuals without any technical
knowledge of what he is doing. Remember, the employees want to help him.
Training often needs to increase substantially for remote office employees – verification of service
personnel using the yellow pages, their name, and any type of identification possible (e.g.,
description, badge number, and so on). There are some things we can do to help remind our
employees. For instance, if the LAN equipment is locked up, rather than simply putting the key on a
ring with other keys, a separate box for that key could be used – with the words "Call IT Security at
123-456-7890 before using this key" printed on the box. Signs on the locked door could also say
The bottom line is that a good unethical hacker is going to use skills that allow people to compromise
technology. They can do it through induced stress or through using the helpfulness of people against
them. This isn't to say that they don't use technology to exploit vulnerabilities – it is to say that some
of the most devastating attacks may not involve cracking the technology at all. Putting people in a
position to be successful under such conditions requires a lot of work in itself.
How Security Technology Can Help People
After reading this far, one may get the impression that this whitepaper is anti-technology. It is not. It
is striving to recognize the proper place of technology for security strategies rather than placing
technology on a pedestal as a solution regardless of what people do. Let's go through an analysis of
a workplace situation in which technology can help.
A small company with about 50 employees has standardized on three MFP models to handle their
printing and imaging needs. To save costs, they also standardized on laptops with docking stations
for personal computers. From a physical access control perspective, the company's building is badge
accessed controlled and their LAN equipment and servers are in a locked room controlled by their IT
department. About 15 of these employees are working on a next generation product that is critical to
the success of the business. The MFPs are serviced by an outsourced company. This outsourced
company keeps the MFPs up and running and deals with supplies for the next two years. The IT
department believes it is a good idea to protect company's intellectual property by purchasing
encrypting hard drives.
Here is a very plausible case where a company may want to deploy an encrypted hard drive.
However, there is more to do.
Make sure that they have a contract with the outsourced company in regards to legal liability
concerning obtaining or distributing information. Remember, a person with authorized
access to the MFP's hard disk drive also has access to the printed documents that have not
been picked up, the recycle bin, and any other non-volatile storage.