Trust Me15th October 2018
All too often I hear something along the lines of "they are our employees, so therefore we have to trust them". Well in this day and age, trust is no longer a suitable control for security. It simply will not stand in this day and age of sophisticated and organized criminal groups.
Trust is a vulnerability
If you have a moment, read this excellent post by Palo Alto Networks, Trust Is a Vulnerability. All too often we assume that our employees have the organization's interests at hand and will always act in the best interests of the organization. While this is true for the vast majority of times we have to remember 2 things.
- People make mistakes
- Not all people are good people
Mistakes are bound to happen
This is a fact, people are human. And humans make mistakes. In fact if you look at many security incidents and findings, there are many examples where an employee (a human) made an honest mistake which was then exploited by the bad guys. No matter how much we trust our employees, this simple fact is not going to change.
Take for example the recent FitMetrix breach. This was due to some sophisticated attack, right? Wrong! The attack was made possible due to an employee error. How many open S3 buckets have we seen, and continue to see?
People make mistakes. We therefore have to put appropriate controls and processes in place to ensure that when a mistake undoubtedly happens, the risks of the mistake can be reduced to an acceptable level. People can also be socially engineered to do things which they wouldn't ordinarily do. There are threat actors out there who are extremely good at doing this.
Some people are bad
Again this is a simple fact. Thankfully the vast majority of people are honest and have the organization's best interest at heart. But unfortunately there are people who are not so honest and are willing to exploit other people's weaknesses for their own personal gain. Yes you can try vet employees but this is not a sure way of ensuring your employees remain trust worthy.
Take the National Security Agency (NSA) for for example. One should expect any employee working for them would have been thoroughly vetted, right? Well no. In 2013, Edward Snowden began to publicly release documents relating to the NSA's global surveillance. In another instance, a NSA employee bought hackings tools from NSA home. Then there is the story of Reality Winner who was a NSA contractor who was jailed over her leaking of classified reports.
One thing that many people lose sight of is that peoples' motivations can change over time. They could become disgruntled employees (who I regard to be the highest risk to an organization). There are countless examples of current and former employees who performed an attack against their current/former employer:
- The Morrison's breach where the disgruntled employee Andrew Skelton, published the company's payroll details to Tor. Andrew had full access to this data at the time.
- There is also the case of Christopher Victor Grupe, 46. He was an IT administrator at Canadian Pacific Railway who sabotaged the organization's network.
- Another example is a former employee who disclosed Tesla's company secrets.
So I've given and highlighted several examples where placing too much emphasis on trust as a means of a security control utterly fails. Yes logging and auditing can help, but guess what; they only help after the fact. And to be honest I doubt most customers would be comfortable knowing that your only control is trust and some basic auditing capabilities (it worked well for Target afterall?). This does absolutely nothing to prevent their data from being leaked. In light of recent regulations such as GDPR, there are also potentially significant financial repercussions as well. So while expecting to place trust in employees may seem like a noble idea and greatly help with employee efficiency, it greatly increases the risk to the organization. Ensure that you have appropriate separation of duties as well as follow the principle least privileges.
Remember that mistakes and bad threat actors are not concerned about what is right and what is wrong.