Chapter 15

The Human Intrusion Detection System

Abstract

Every person within an organization should be considered part of the detection system. For this philosophy to succeed, however, people have to know what is right and wrong, know what to report, know how to report what they believe is a potential incident, and then feel comfortable enough to actually make the report. To accomplish this, the security program must create an environment that provides the required information as well as the required level of comfort. When you can create this type of environment, an incident detection program is exponentially stronger, and the organization has a much stronger ability to react. This chapter walks readers through the issues involved in creating an environment where all people are co-opted to support the security program.

Keywords

Detection; Gamification; Human firewall; Incident response; Intrusion detection system; NSA; Reporting

When we talk to organizations about the goals of their security awareness programs, one of the top outcomes should be that every person within the organization is a human intrusion detection system (IDS). Every user should be both able and expected to identify potential security issues, know how to report them, and then actually do so. Most security teams feel overwhelmed by everything they have to worry about; consider how much better it would feel to know that, if there is a potential incident, any person within the organization would be able to detect it, report it, and potentially stop it.
In Chapter 11, we highlight the importance of creating a strong security culture, which fosters an environment where users are aware of their responsibilities to properly protect information and related assets, and also to detect and respond appropriately to potential incidents. While there is a fine line between protection and detection in some cases, it is important to distinguish the two.
Consider that a user choosing a good password would be considered Protection. When someone calls a user and asks them to divulge that password, the user saying "no" is Protection, but the user should also detect that there is something wrong with the request itself, and report it.
Put in other terms, Protection is when a user prevents malignant threats from compromising the organization, while Detection kicks in when a malicious threat is attempting to compromise the organization.
Users should also be able to detect when a malignant threat can be prevented from causing damage. For example, if they see an unsecured door, they should know to secure it. If they see documents unattended on a printer, they should know to secure the documents and find the owner. In other words, Detection with regard to malignant threats is noticing when others have failed to take appropriate actions, so that the damage can be mitigated.

Perform Positive Outreach

One of the best things any security team can do is create a positive relationship with the organization as a whole. The better the relationship, the more likely people are to detect potential security incidents, and especially report those incidents.
When people feel a reasonable connection with the security staff, they will better engage with them. Anything that can be done to ensure that the security department does not just appear when there is a problem will improve the willingness of people to approach the security team when something goes wrong.
There are many ways to instill such goodwill. For the purposes of this section, we will focus on two primary methods: providing useful information, and outreach. Regarding useful information, the security team should provide awareness material that helps individuals secure their home, family, and personal resources. This gives people the belief that the organization cares about them, and provides a useful benefit back to them as well. It helps to foster a sense of both belonging and responsibility for the well-being of the organization.
When preparing security awareness programs, we find that there are two types of organizations: those that want to provide information relevant to employees for both personal and business purposes, and those that state that all information provided should be specific to workplace security. We find that the organizations interested in protecting information at home tend to have better overall security.
For example, just as safe drivers drive as safely in company cars as they do in their personal automobiles, people who practice safe computing at home will likely practice safer computing at work. At minimum, consider that employees who fall victim to computer-related incidents in their private lives will be distracted at work, and will need to spend time clearing up the resulting problems. So we always advise organizations to reconsider any limitations on their awareness programs.
Topics specific to home use include how to protect children on the Internet, how to securely configure a home network, and how to protect a cellphone. Any topic that appears to have no work-related aspect to it will be welcomed by individuals for what it is. Employees appreciate any information they can apply in their personal lives.
The types of resources to distribute include newsletters, tip cards, handouts, and more creative materials. For example, you can provide mobile device security kits, which may include privacy shields, tip cards for securing mobile devices, and subscriptions to anti-malware software for mobile devices. Many companies also give away annual anti-malware subscriptions for personal computers and laptops. All of these materials demonstrate an interest in the individual's well-being.
Additionally, the security team should hold events as a form of outreach. These can be as traditional as booths in public areas to hand out information, contests, movie showings with a security-related theme (with popcorn as the bribe to attend), lunch-and-learn briefings for employees, and briefings to individual departments highlighting the concerns specific to those departments, among any other creative endeavors. Remember, food always helps.
Any time you engage with employees or other insiders in a way that does not involve an incident or confrontation, you make those people more willing to seek you out when there is an incident. For this reason alone, the security department should encourage its staff to participate in non-work-related committees and efforts, so that people have more opportunities to engage with the staff and ready access to the security team. This is similar to the Police Athletic League, where police departments set up athletic opportunities for children so that the children develop positive feelings toward police in general, and also get to know some officers personally, so that they trust them and know they can go to them should they ever have a problem.

If You See Something, Say Something

The title of this section should be, “Making People Feel Comfortable Enough to Report Incidents”. However, the Department of Homeland Security's If You See Something, Say Something campaign embodies that sentiment. It gives people the impression that it is their duty to report any questionable activities.
If people are not comfortable reporting potential incidents, then it doesn't matter whether or not they detect the incidents in the first place. It is critical both to empower people to report potential issues and to make them feel comfortable enough to actually report them. Otherwise, they will actively try to ignore potential issues.
People are naturally hesitant to report unusual circumstances and especially other people, who may be committing security violations. There are many reasons for this. In the first place, some people don't want to get involved. They are hesitant to stick out in any way, and prefer to keep to themselves. If something happens, and it might draw attention to themselves, these people will ignore the incident and hope it goes away.
There are also very few people who will readily report the potential transgressions of others. Even when the person reporting is not acting callously, and the report might even be to the third party's benefit, there is a natural hesitance to report someone else to security. Bringing another person to the attention of the security department rarely has positive consequences for the person reported.
Some people may also fear retribution, should it become known that they reported a coworker. The retribution could be direct, if the reported individual wants to get even, or it could be ostracism by the entire organization for reporting the individual. Whatever the potential reason, you need to acknowledge and expect this type of hesitance.
Some people are self-conscious about potentially being wrong. They don't want to raise an alarm that proves to be wrong and then appear "stupid." For example, if a person sees an individual wandering around the facilities who they believe might not belong there, reports it as an incident, and it turns out the person actually belongs there, the reporter will be embarrassed. The reporter might also believe they look like the proverbial boy who cried wolf.
A common concern for many people is that if they report an incident, they might be somewhat culpable for the incident. For example, if they saw something unusual, but thought about it for awhile before reporting it, they might believe that their lack of action allowed damage to be larger than it should have been.
In many cases, an individual might actually be responsible for damage, and they will create negative consequences for themselves. For example, if a person clicks on a phishing email and causes malware to be loaded, and realizes it after the fact, if they report the incident, they are highlighting how they caused damage to the organization. Similarly, they may have divulged their user credentials to an outside party.
In some cases, the user might have created a situation, where they are the only person who might know that an incident happened. For example, if a user loses a USB drive, it is extremely likely that the organization will not realize it. However, it would be critical for the organization to know that there is some risk to the information that was on the USB drive.
There are many situations in which individuals are hesitant to report incidents. It is therefore critical to ensure that people feel as comfortable as possible doing so. This is admittedly not easy, but the security department should provide a feeling of safety, not dread.

Knowing What to Look for

People need to be informed about what you want them to report. It is not as obvious as you would assume. While there are clear issues that stand out to most people, many issues are not as obvious to the average person. For example, people should know to report doors that should be locked but are not, and individuals in unauthorized areas.
While it is not possible to identify every specific circumstance that should be reported, circumstances should be grouped and generalized to make things simple for people. While you can tell people, “If you see something, say something,” it doesn't mean that they know what they should be seeing.
For example, in airports, people are told that they should look for unattended luggage. They should be on the alert for strangers that ask them to carry something onto an airplane. There is some specificity provided with the buzzwords. You need to provide similar guidance in the workplace.
In Chapter 8, we discuss governance and specifying appropriate behaviors. Ideally this information should serve as a base for helping people understand what they should be reporting.

It's Better to Be Safe Than Sorry

When you promote, If You See Something, Say Something, you need to ensure that people understand that it is always preferred to report something, even if there are doubts that it is a concern, than not report it. Stories abound where after some major incident, coworkers or other witnesses invariably say, “I thought there was something unusual about that person,” or, “I knew that would be a problem someday.”
Whenever there is some type of outreach program, you need to ensure that the motto, “It's better to be safe than sorry,” comes across strongly. There will always be a hesitance to report incidents for fear of being wrong, however there must be an instillation of the belief that the security team wants to hear about any suspicions, and will not belittle or punish anyone for being wrong.

Dealing With Ignorance

Around the time of this writing, there was an incident where a woman on an airplane reported the person next to her, because she thought he was writing cryptic comments in Arabic. The plane was delayed for 2 hours while the airline investigated the man. It turned out that the man was a mathematics professor at the University of Pennsylvania, and was solving mathematical equations. The professor was also Italian, not Arab, as the woman had reported.
Unfortunately, incidents like this are becoming common. There are clearly some people who are racist. At the same time, there are reports that some people thought the San Bernardino terrorists were behaving suspiciously before the attacks, but did not report them for fear of being perceived as racist. This demonstrates the importance of reporting things, even when there could be the perception of racism, or of just being silly.
The potential for people to vindictively report others cannot be discounted. In the workplace, some people report others for theft and other transgressions out of revenge, or to cover their own transgressions. While these cases are rare, they do happen. We fully realize that while we write that people should be encouraged to freely report incidents without fear of retribution or penalty, we also state that, in some cases, reports may be without merit and potentially malicious. This is simply a fact that must be accounted for.
The burden falls upon the security team to handle reported concerns properly, and with discretion. People will be people. There will be people who are just ignorant, such as the woman who could not tell the difference between Arabic and mathematical equations. Frankly, even if the person had been writing in Arabic, that is in no way an indication of a would-be terrorist. Ignorance should not, however, mean that a plane is significantly delayed on the basis of mathematical equations.
It falls to the security team to determine how to triage potential incidents. It is understandable that an airline would not want to simply walk up to an individual and say, "We have a report that you might be a terrorist." There should be an expedited review process to separate likely valid concerns from ignorance.
There must be established procedures to evaluate any reported incidents. The risk posture and the potential severity of the incident should drive the speed of the investigation.

Eliminate Punishments When Reporting Incidents

While this may not always be possible, when it is, the security team should try to avoid punishment for individuals when they report security related incidents. This should be a well-publicized policy.
As previously stated, many people are hesitant to report potential incidents, as they fear retribution. Even if there is culpability, amnesty should be provided if at all possible. There are clearly circumstances, such as outright criminal activity, where amnesty is not appropriate, however in general the organization being made aware of a potential security concern outweighs the need to punish wrongdoing. The policy should be that by default, amnesty is granted barring other concerns.

Implement Rewards for Detection

Eliminating punishment for reporting potential incidents is, unfortunately, the more important step, but it is even more desirable to go further and reward people for reporting. When people have detected potential incidents and then properly reported them, they should be rewarded for these behaviors.
We discuss gamification in Chapter 11, as a method of rewarding desired security behaviors. By default, people reporting incidents should be thanked for their diligence. Ideally, there should be some trinket or material acknowledgment as well. This goes further than verbal thanks, and serves as a reminder of the appreciation of their detection. Depending upon the severity of the incident reported, cash rewards or gift cards should be considered.
Bug bounty programs are an example of gamification to reward people for finding and reporting problems with software. The US Department of Defense implemented the Hack the Pentagon campaign, which rewards people for finding bugs on Department of Defense assets. Many software and Internet companies, such as Google and Facebook, have implemented bug bounty programs. They allow people to report vulnerabilities without being accused of attempting to commit a crime.
When Ira worked at NSA, NSA had a suggestion program that provided financial rewards. He reported that there was a bar on top of the fence. The bar sat above the barbed wire, which could allow a would-be intruder to climb over the barbs. While Ira's recommendation to remove or lower the bar was valid, even he admits it was a relatively innocuous suggestion. Nonetheless, given the validity of the suggestion, Ira received a $100 cash award and public recognition.

Publicly Recognize Those Rewarded

The NSA example clearly demonstrates that not only does NSA reward desired behaviors, it publicizes those rewards. Additionally, such rewards are considered during promotion evaluations. That encourages other people to constantly look for security concerns.
Public acknowledgment shows that security does not just punish people, but again looks for ways to benefit everyone. The fact that such rewards can positively affect promotions adds a long-term incentive for people to detect incidents, besides generating tremendous goodwill.

Knowing How to Report Things

When people detect potential security-related issues, they need to know how to report them. The reporting mechanisms should be as plentiful as possible. Generally, there should be internal email addresses that are well known and publicized. Email is readily available in most traditional office environments, and should be taken advantage of.
Frequently, there is a security portal on organizational intranets that can be designed or enhanced to provide a capability for people to report potential incidents. Many organizations have IT or HR Help Desks that can be used to also receive security related reports. If there are already other security or emergency hotlines, you can refer people to them. The people working those reporting venues can then be instructed on how to handle the calls that you are concerned about.
There will always be a preferred mechanism for receiving reports. Wherever possible, that preferred mechanism should be promoted. For example, you can list preferred email addresses, websites, and/or telephone numbers on posters and newsletters that are regularly distributed throughout your organization.

Establish Anonymous Reporting Channels

As stated, there is a predisposition for some people not to get involved. Additionally, when potentially reporting other people, they do not want to be blamed by, or face being ostracized by, coworkers. There are many other reasons that people may not want to take credit for reporting incidents. For this reason, security teams should provide a mechanism for employees to anonymously report potential incidents.
Previously there were suggestion boxes that allowed people to write something on a piece of paper and drop it in a conveniently located box, which provided a reasonable expectation of anonymity. Today, most security reporting mechanisms involve the Internet and provide for tracking. For example, sending an email to a general inbox reveals the sender's address.
If there is a webpage that allows people to enter a potential incident, most people understand that the location of the person submitting the report can be readily determined from the connection itself, regardless of what the form asks for. It is possible to use the Internet with a reasonable expectation of privacy, but that requires specific expertise that most people do not have.
Currently, the way to report things with the greatest perception of anonymity is a telephone hotline. People can make a call from their own telephone, borrow a phone, or find a payphone.
Inside companies, there are frequently interoffice mail systems, and you can just address a letter to a department without providing the sender's information. This depends upon the distribution mechanisms inside the organization.
Clearly, you need to provide as many reporting mechanisms as possible. You also need to state that even if the reporting mechanism itself provides no anonymity, the person's identity will be protected. There should be a clearly stated policy, with clearly stated procedures, as to how a person's identity will be protected throughout the investigation process when the report was not made through anonymous means.
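One way to back that policy with a mechanism, rather than a promise, is to keep the reporter's identity and connection metadata out of the record investigators work from, sealed in a separate store that can only be opened with a logged justification. The following is an added illustration written for this edition, not code from the book or from any named organization; the function names, the in-memory dictionaries standing in for separately controlled systems, and the sample report are all assumptions.

```python
"""Added example: an intake path that separates a report from who filed it.

Investigators see the case content only. The reporter's identity and the
request metadata (IP, user agent, session user) that a web form or mail
gateway would observe go to a sealed store, opened only with a logged
justification. Illustrative code; store names and the API are assumptions.
"""
import datetime
import secrets

# Two stores with different access controls. Dicts stand in for them here;
# in practice the sealed store would live on a separately administered system.
REPORTS = {}      # case_id -> record the triage/investigation team may read
IDENTITIES = {}   # case_id -> reporter identity and connection metadata
UNSEAL_LOG = []   # audit trail: who opened which identity, and why


def _coarse_time(ts):
    """Round the receipt time to the day, so a timestamp cannot be matched
    against badge or proxy logs to work out who was at a keyboard."""
    return ts.date().isoformat()


def submit_report(text, category, request_meta, reporter=None, *, now=None):
    """Record a report and return an unguessable case ID.

    request_meta is whatever the channel observed about the sender; none of
    it is written into REPORTS. If reporter is None the report is treated
    as anonymous and nothing is written to the sealed store at all.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    case_id = secrets.token_hex(8)   # random, not sequential: no ordering leak
    REPORTS[case_id] = {
        "case_id": case_id,
        "category": category,
        "text": text,
        "received": _coarse_time(now),
        "identified": reporter is not None,   # lets triage know follow-up is possible
    }
    if reporter is not None:
        IDENTITIES[case_id] = {"reporter": reporter, "source": dict(request_meta)}
    return case_id


def investigator_view(case_id):
    """What the triage team is given: content only, never identity."""
    return REPORTS[case_id]


def unseal_identity(case_id, requester, justification):
    """Controlled exception to the separation: returns the reporter record
    (or None for an anonymous case) and always leaves an audit entry."""
    if not justification:
        raise ValueError("a justification is required to unseal a reporter")
    UNSEAL_LOG.append({"case_id": case_id, "by": requester, "why": justification})
    return IDENTITIES.get(case_id)


if __name__ == "__main__":
    # Constructed sample submission, as a web form handler would see it.
    cid = submit_report(
        "Loading-dock door propped open with a fire extinguisher, nobody around.",
        "physical",
        {"ip": "10.20.30.40", "user_agent": "Mozilla/5.0", "session_user": "jdoe"},
        reporter="jdoe",
    )
    print(investigator_view(cid))   # no ip, no user, no exact time
```

The separation only covers what the channel collects; a report whose free text says "I was the only one on the night shift" identifies its author no matter how the record is stored, so the intake guidance should tell people what to leave out. Note also that the audit log is the control here: the policy that identities are protected is only credible if every unsealing is visible to someone other than the person who did it.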

Summary

If you have 1,000 people in your organization, you should have 1,000 intrusion detection systems. You can only expect this if you properly nurture the people. You need to create an environment where people believe that their detection capabilities are expected and welcomed. People need to know what to report and, most importantly, how to report it.
When you consider the potential benefit of having everyone in your organization detecting issues of concern, it can justify significant resources to create such an environment. While it may not be an easy task to accomplish, it is worth the trouble if you can implement it effectively.