Hello Readers,
In continuation of my previous post (http://isqworld.com/2008/09/08/part-1-the-human-gap-in-information-security/), in this post I explore human behavior and its links to information compromise.
I have created a short PDF titled “Human Behavior Characteristics” (please download it here – http://isqworld.com/wp-content/uploads/humanbehaviorcharacteristics.pdf). Based on my experience, I have made a simple list of human behavior characteristics. They are:
1 – Desire for recognition
2 – Obedience/ Fear
3 – Reluctance to change
4 – Curiosity
5 – Self preservation
6 – Desire to help
7 – Opposition to authority
8 – Low motivation
Please note that I am not a psychologist by profession, and the above list is a simple listing of behavioral traits the way I understand them.
Now, let us look at two simple social engineering tests and answer a few questions.
Instance 1: This test was conducted four years ago in an organization that had just begun its ISMS implementation. Until then, information security was not on the management’s or the employees’ radar. The test was conducted as follows.
The tester, with the permission of the CFO, initiated a call from the CFO’s office deskphone. This organization had deskphones for all employees, each with a display unit that identified the source of the phone call. The tester called 5 employees at random and repeated the following dialogue.
“I am calling from the CFO’s room and I am your ERP consultant. We are implementing a new system to process your salaries next month onwards. We need your user name and password to integrate this to your User Directory Entry”
5 out of 5 employees revealed their passwords. One employee even had the courtesy to call back and confirm that we had noted the password down carefully!
So, what are the behavioral characteristics that were exploited by the tester? From my perspective they could be:
1 – Obedience/ Fear
2 – Self preservation
There could be other characteristics too, as there are no hard and fast rules. The reader may want to ask, “What is self preservation?” The answer to this is in the form of another question: “Why do you look both ways when you cross the road?” It is because, in spite of whatever you may be doing (speaking on the phone, listening to your iPod, lost in thought…), when you come to the road your subconscious mind makes you look both ways. Your body and mind are trained to protect you.
Instance 2: An organization hired us to test the resilience of the perimeter security team (security guards) to penetration attempts. The test was done as follows.
We asked the organization to create for us a fake employee ID card without access credentials enabled, whereas the regular employee card works as an access card as well. On a rather busy Thursday morning, at 11 am, the tester wore the card around his neck and approached the door. He pretended to swipe the card and expressed his disappointment that it was not working. He shouted out across the floor for the security guard, who came running. The tester questioned him rather curtly as to why the card was not working. The security guard apologized and requested the tester to approach the guard station. There the tester was asked to write his name and phone number in a register. Following this, the tester was asked to follow the security guard back to the door, where the security guard politely opened the doors by swiping his own card and let the tester in. Further, the tester was able to tailgate and approach the production area on the 4th floor, take some photographs, and exit the building through the route he came in.
Again, what were the behavioral characteristics that were exploited? From my perspective they are:
1) Obedience/ Fear
2) Self preservation
So, the learning for me here is that you can have the best technology and the best information security policies, but there is still a gap in information security. This gap is the “human gap”.
In the next post I will talk more about dealing with end-users (read: the non-security guys) and how wonderful an experience it was. In fact, how often have you listened to your employees before drafting your security policies?
More about this in the next post.
Warm regards,
Anup
HIMIS (Human Impact Management for Information Security – www.himis.org)