Foundation Certificate in Cyber Security (FCCS)
The course is part of this learning path
This course looks at the other facets of security that come into play when thinking about cyber security in general. Starting with physical and personnel security, it then moves into the secure development process, security best practice and ends with an introduction to security architecture.
The objectives of this course are to provide you with an understanding of:
- Physical security - lighting, CCTV, fencing, intrusion detection, screening, destruction, UPS and generators, access and control of entry
- People, employees, contractors, customers (resource, vulnerability, threat), recruitment, screening, Social Engineering, Common People Exploits, T&C's, in role, change in role, termination, insider threat, supply chain challenges
- Secure by Design, Secure Development Life Cycle (SDLC)
- Reduce the attack surface, defense in depth, test security, weaknesses and vulnerabilities, secure coding, learn from mistakes
- Security design architecture, enterprise design frameworks (TOGAF, Zachman, SABSA), patterns (NCSC, Open Security Architecture)
This course is ideal for members of cyber security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this course, however a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on personnel security. We’ll examine why staff can be an integral part of a cybersecurity strategy, including:
- People: Employees, contractors & Customers,
- Joiners, Movers & leavers,
- Insider Threats, &
- Social Engineering.
The video is supported by quizzes to help your understanding.
Firstly, we need to consider what is meant by personnel. Who fits into that definition?
The obvious answer would be the employees of the organization, but anyone that interacts with the organization, whether as a contractor servicing the air conditioning plant, or as a customer using the website to purchase tickets to a concert, can pose a risk to the organization’s security.
All of these people are going to be a type of resource for the organization, but they will also pose a risk. That risk could be entirely unintended - in fact one of the greatest vulnerabilities or threats to any organization is that its staff can be too helpful. Attackers can play on this willingness of people to be helpful, and gull them into divulging information they should not. Beyond this, it must be understood that some people will behave maliciously with deliberate intent. To mitigate these problems, appropriate controls must be put in place.
The first area that we can apply controls to staff and contractors is in recruitment.
It is much easier to apply consistent controls if we can ensure that only the right people are allowed through the gates of the premises from the outset. Policies or procedures should ensure that security is baked into everyone’s everyday routine.
A rigorous recruitment process will match prospective employees to the advertised role. Prospective employees should be appropriately screened, according to the security requirements of the post, and, finally, their security responsibilities should be clearly stated from day one of employment. A good way to achieve this is through a structured induction program, where the security policies of the organization are clearly stated, and comprehension of these is verified.
Security awareness is not something that is a one-time deal; the induction program should not be the last that any employee hears of it. Security threats are always changing so it is vital to have an on-going program of training to keep staff current. Staff should always know how to report a security incident, even if they do not fully understand the ramifications of the incident itself. This can only ever be achieved with management engagement.
One of the areas in which all organizations struggle is that of the Joiners, Movers and Leavers process, or JML.
- Joiners: New members to an organization
- Movers: Members moving through an organization, i.e. promotion or role change
- Leavers: members leaving an organization
Where things become complicated is with people changing roles within the organization. If a member of staff moves out of the Human Resources department, it is vital that their access to sensitive staff data is revoked, yet in the majority of organizations this simple step is likely to be missed. They will be granted the appropriate access for their new role, but the old permissions will remain in place.
If this member of staff has several role changes throughout their career, it is likely that they will amass a large number of access rights which are wildly inappropriate. This is sometimes known as permissions creep. It can be exceptionally time-consuming to unravel years of permissions creep, so most organizations will not bother.
Finally, when someone leaves an organization it is vitally important that they are unable to leave the premises with any equipment or access to systems. Recovering the work laptop is not enough on its own: if the organization uses a webmail solution for its e-mail requirements, then the user can still read and send e-mail from any device until the account itself is disabled. JML is a challenge, but a robust approach to every element of it can help ensure that personnel security worries can be kept to a minimum.
Having established that people can be a risk to the organization, let’s examine some of the ways in which those risks can manifest. Everybody can make a mistake. This mistake could involve sending data to the wrong e-mail address, through to errors in the coding of a website that handles the booking of, and payment for, flights, and allows attackers to insert their own code that can steal payment card details.
It is an unfortunate fact that not all people are trustworthy and honest. There are individuals that may be deliberately working against the best interests of their employer, known as Insider Threat actors.
Finally, what the insurance industry terms as “Acts of God” may also have a human involvement. A fire could be caused by someone making a mistake and leaving combustible rubbish in a location where it could catch fire and cause damage.
Insider threats fall into two broad categories:
The vast majority will be accidental insiders. They will make mistakes, such as failing to follow the organization's policy on password complexity, or falling prey to social engineering, often due to the natural human desire to be helpful or trusting.
A minority of insider threats will actually be malicious, and these are one of the greatest threats to security that any organization could face. These people are already within the walls; they have already passed the robust vetting procedures employed at the time of recruitment and they are already trusted with access to the organization's information. They will be accessing this information as part of their everyday duties, so how is it possible to spot when they are misusing their access?
Once again, we can utilize a training program, making staff aware of the types of behaviors that a malicious insider may exhibit. This can be a delicate balancing act, as organizations want to instill a healthy culture of whistleblowing over suspicious behavior, but don’t want to engender a toxic atmosphere in which every action is regarded with suspicion.
Organizations need to ensure that access controls are correctly configured. Users moving within an organization may end up collecting more access rights and privileges than their role requires; this is the permissions creep described earlier. Organizations need to have robust procedures in place, such as a review of every account's entitlements at each role change, to ensure that permissions creep is not possible.
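The JML process and the permissions creep described above can be checked mechanically: compare the entitlements each account actually holds against the set its current role should grant, and treat any leaver who still holds anything as residual access. The following is an added example written for this page, not material from the course or from QA; the role names, entitlement names and the accounts are constructed for illustration, and a real deployment would read them from the HR system and the directory.

```python
"""Joiners/Movers/Leavers reconciliation (added example, not course material).

A mover who kept old-role entitlements shows up as permissions creep; a leaver
who still holds any entitlement (including webmail) shows up as residual
access. Roles, entitlements and accounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Hypothetical role-to-entitlement matrix: the only access each role should carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "hr_advisor":      {"hr_db_read", "hr_db_write", "payroll_read", "email"},
    "finance_analyst": {"ledger_read", "payroll_read", "email"},
    "sales_exec":      {"crm_read", "crm_write", "email"},
}


@dataclass
class Account:
    user: str
    status: str                      # "active" or "left"
    role: Optional[str]              # current role; None once the person has left
    entitlements: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    user: str
    kind: str                        # "creep", "leaver_residual" or "unknown_role"
    detail: FrozenSet[str]


def excess_entitlements(acct: Account) -> Set[str]:
    """Entitlements the account holds beyond what its current role grants."""
    allowed = ROLE_ENTITLEMENTS.get(acct.role or "", set())
    return acct.entitlements - allowed


def reconcile(accounts: List[Account]) -> List[Finding]:
    """One finding per account that deviates from its role; clean accounts yield none."""
    findings: List[Finding] = []
    for a in accounts:
        if a.status == "left":
            # A leaver should hold nothing at all. Returning the laptop does not
            # remove webmail or any other entitlement; the account must be disabled.
            if a.entitlements:
                findings.append(Finding(a.user, "leaver_residual", frozenset(a.entitlements)))
            continue
        if a.role not in ROLE_ENTITLEMENTS:
            # An active account with no mapped role cannot be reconciled; surface it.
            findings.append(Finding(a.user, "unknown_role", frozenset()))
            continue
        extra = excess_entitlements(a)
        if extra:
            findings.append(Finding(a.user, "creep", frozenset(extra)))
    return findings


# Constructed accounts: "alice" moved from HR to Finance but kept HR access;
# "bob" has left but still has webmail and CRM; "carol" matches her role exactly.
SAMPLE_ACCOUNTS = [
    Account("alice", "active", "finance_analyst",
            {"ledger_read", "payroll_read", "email", "hr_db_read", "hr_db_write"}),
    Account("bob", "left", None, {"email", "crm_read"}),
    Account("carol", "active", "sales_exec", {"crm_read", "crm_write", "email"}),
]

if __name__ == "__main__":
    for f in reconcile(SAMPLE_ACCOUNTS):
        print(f"{f.user:6} {f.kind:16} {sorted(f.detail)}")
```

Run on the constructed data, alice is reported for creep (the two HR entitlements) and bob for residual access after leaving; carol produces no finding. The same comparison run at every role change, and on the day of departure, is what stops years of creep from accumulating in the first place.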
Finally, if you have a sensitive system or store of data, employ rigorous auditing of the access to that system. If any member of staff, pre-authorized or not, accesses a sensitive system, then they should be able to account for the reason that they did so.
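The audit requirement in the paragraph above can be turned into a check that runs over the access log of a sensitive store: every access must come from a pre-authorized user, carry a justification that belongs to that user, and fall within agreed hours, with anything else raised for explanation. This is an added example written for this page, not code from the course or from QA; the log format, the approved-user list, the ticket register and the log lines are constructed for illustration.

```python
"""Audit of access to a sensitive system (added example, not course material).

Reads constructed audit-log lines and reports any access that lacks a
justification, was made by a user who is not pre-authorized, used a ticket
raised for someone else, or happened out of hours. Unparseable lines are
reported rather than silently skipped, since a gap in the log is itself a
finding. All names, tickets and log lines are constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

# Hypothetical line format: ISO timestamp, user, action, object, optional ticket.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+)(?: ticket=(?P<ticket>\S+))?$"
)

# Constructed: who is pre-authorized for this store, and which tickets are open
# and for whom. A ticket justifies only the person it was raised for.
APPROVED_USERS: Set[str] = {"alice", "dave"}
OPEN_TICKETS: Dict[str, str] = {"CHG-1042": "alice", "INC-7731": "dave"}
WORK_HOURS = (7, 19)   # accesses outside 07:00-19:00 are flagged for review

# Constructed log lines, not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=alice action=read object=payroll/2024-02 ticket=CHG-1042
2024-03-04T09:40:51 user=dave action=export object=payroll/2024-02
2024-03-04T23:05:17 user=alice action=read object=payroll/2024-01 ticket=CHG-1042
2024-03-04T10:02:44 user=eve action=read object=payroll/2024-02 ticket=INC-7731
2024-03-04T10:15:00 this line is garbage and must not crash the audit
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log: str) -> List[dict]:
    """One finding per problematic line; a single line can carry several reasons."""
    findings: List[dict] = []
    for n, raw in enumerate(log.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            findings.append({"line": n, "user": None, "reasons": ["unparseable"]})
            continue
        reasons: List[str] = []
        if rec["user"] not in APPROVED_USERS:
            reasons.append("user_not_approved")
        ticket = rec["ticket"]
        if ticket is None:
            reasons.append("no_justification")
        elif OPEN_TICKETS.get(ticket) != rec["user"]:
            # Unknown ticket, or a ticket raised for somebody else.
            reasons.append("ticket_not_owned_by_user")
        hour = datetime.fromisoformat(rec["ts"]).hour
        if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            reasons.append("out_of_hours")
        if reasons:
            findings.append({"line": n, "user": rec["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']:2} user={f['user']} reasons={','.join(f['reasons'])}")
```

On the constructed log the first line passes, dave's export has no ticket, alice's late-night read is out of hours, eve is neither approved nor the owner of the ticket she quoted, and the last line is reported as unparseable. Each finding is a question for the named person to answer, which is exactly the accountability the paragraph asks for.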
Insider threat is now one of the top security concerns for organizations, but how has it come to be so endemic? IT is now ubiquitous within organizations, with the vast majority likely to be unable to function should their IT capability fail for any longer than an hour or two.
Whilst IT obviously facilitates the functioning of any organization, it also presents a whole raft of new challenges in the security arena. To put it bluntly, IT also facilitates the misuse and theft of information.
Every technological advance brings new security challenges. For example, organizations that allow their staff to use their own laptops or mobile phones for work purposes, in an effort to create a great working environment, are exposing their information to devices they do not control, and therefore to greater threat.
Having established that there are people who will act maliciously, and against the interests of their employers, what is their motivation likely to be? The most obvious answer to that is money. Unscrupulous organizations will happily pay good money to employees of their competitors if it helps them to gain a market advantage through the disclosure of product designs or financial projections.
Others may be motivated ideologically, such as Edward Snowden and Chelsea Manning.
Another major grouping is disgruntled employees. These may be people who feel they have been unfairly treated, or overlooked for promotions and bonuses. They may wish to prove a point – they could have been raising a security issue for some time, but feel that it has been ignored by management. Often, it may be the case that two or more of these factors come together.
To accidental insiders, the greatest threat is that of social engineering.
Social engineers will focus on abusing either the trust of their target, or the target's willingness to be thought of as helpful.
Social engineering is not a new phenomenon. The history of mankind is littered with examples of con artists and scammers. Before the advent of the Internet, a common scam involved people sending letters purporting to be looking for assistance in moving funds from one country to another. Many of these scams originated in Nigeria, and they became known as 419 scams after section 419 of the Nigerian Criminal Code, which proscribes this activity. The Internet now allows these 419 scams to be perpetrated at scale, and at little to zero cost. Social engineering scams fall firmly into the category of cyber-enabled crimes.
There are many ways in which an individual can be socially engineered, whether that be through phishing e-mails which try and trick the recipient into disclosing information or installing malware onto their computer; through to people gaining physical entry to a building by pretending to have forgotten their pass, or to have their hands full and be unable to extract their pass from their pocket.
Scammers may leave USB sticks lying in the car park of an organization, labelled with interesting terms such as ‘redundancy plans IT dept’, in a technique known as baiting.
Now that so many people are able to work on the move, shoulder surfing, the act of looking over someone's shoulder while they work on sensitive documents during their commute, has become a routine way of picking up information.
The most important control against social engineering is the training of staff; technical measures such as e-mail filtering and multi-factor authentication limit the damage when someone is deceived, but they do not stop the deception itself. Make it easier for staff to spot and report suspicious activity and the damage caused by social engineering attacks will be reduced. Scammers will always be inventing new techniques, so this training effort is, again, not a one-time effort. Investment in training will pretty much always repay itself down the line.
That’s the end of this video on Personnel Security.
About the Author
Paul began his career in digital forensics in 2001, joining the Kent Police Computer Crime Unit. In his time with the unit, he dealt with investigations covering the full range of criminality, from fraud to murder, preparing hundreds of expert witness reports and presenting his evidence at Magistrates', Family and Crown Courts. During his time with Kent, Paul gained an MSc in Forensic Computing and CyberCrime Investigation from University College Dublin.
On leaving Kent Police, Paul worked in the private sector, carrying on his digital forensics work but also expanding into eDiscovery work. He also worked for a company that developed forensic software, carrying out Research and Development work as well as training other forensic practitioners in web-browser forensics. Prior to joining QA, Paul worked at the Bank of England as a forensic investigator. Whilst with the Bank, Paul was trained in malware analysis, ethical hacking and incident response, and earned qualifications as a Certified Malware Investigator, Certified Security Testing Associate - Ethical Hacker and GIAC Certified Incident Handler. To assist with the team's malware analysis work, Paul learnt how to program in VB.Net and created a number of utilities to assist with the de-obfuscation and decoding of malware code.