Procedural and people security [CISMP]
Policies, processes and contracts

Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with, or involve, current or former staff. It is therefore essential that all staff follow the correct policies and procedures, so that they foster an appropriate security culture.


Voiceover: Smith continues their nefarious journey, walking confidently into the lounge area of the office. This is a space where employees can relax, play ping-pong and have informal meetings. It's also a great spot for people like Smith to find vulnerabilities to exploit. On the way to the vending machine, Smith catches a few bits of a conversation. It sounds like three colleagues are trying to access prohibited websites from their corporate laptops, sending links to each other from their phones. Smith sidles over. They want to figure out who these employees are and find out what they're up to. If they're breaking company regulations, Smith can use this information to target their reputations. The threat of a reputational attack could be just the thing Smith needs to blackmail one of them, forcing them to help Smith get into systems or other parts of the business. Sipping a coffee near the trio, Smith realises that what they're up to is a serious breach of the business's acceptable use policy and code of conduct. On their phone, Smith opens up a worm and sends it burrowing into the laptop of one of the trio, Ashley.


Mark: So, this is a continued social-engineering attack. He's continuing his attack; he's following people into an area where they would probably feel more relaxed, because it's their social area where they let their guard down, and he's going to continue listening to conversations. He hears a conversation, which obviously he sidles up alongside to hear what they're saying, and they're talking about accessing prohibited sites, maybe BitTorrent, some of the sites that the policies, processes and procedures would prohibit them going to, but they're thinking about ways of bypassing that, some techniques to get around it. So, he then decides, 'okay, that's an opportunity. That's a vulnerability which I could exploit', so he uses his worm, probably through a phishing email. He launches his worm at one of the employees with the intention of probably blackmailing or coercing them into doing things for him, and that's what basically has happened in that scenario.


So, obviously, policies and procedures from a soft and hard control perspective are important. The policies should be quite explicit about what people are allowed to do or not allowed to do. From a technical perspective, we can put in controls to blacklist or prevent certain sites from being accessed, so these prohibited sites could be blocked from the users themselves. Obviously, these terms, black and whitelisting, which is where lists are accepted and disallowed, have been changed now. So, we do have a deny list, which is the blacklisting, and we have an accept list now as well. So, from a technical perspective, that could also be used. We can enforce the policy through training and awareness, and we could do penetration testing to see if people are maintaining the level of security, to see if they're vulnerable to these types of attacks. We could also do mobile device management on the physical devices, because they may be using company assets for that, and we can prevent them from adding things to the device itself without authorisation, because that could open up a vulnerability. If you download a program which is not authorised onto your phone, it could open up a massive concern for the business.


Obviously, I've come across this situation myself. I was on the Underground, and I heard someone talking with their friend very vocally, saying, 'I got access to this, this, this, this and this site. I can't believe they've given me access to all these other things. I've never had this in these types of roles and responsibilities before', and she was quite explicit in the information she was telling, and given the amount of information she shared, if I had just followed her and if I was a hacker, I could quite easily have got access to those systems. Unfortunately, because of her loose tongue, it causes a massive vulnerability which could then be exploited, which is exactly what we're talking about here.
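Mark mentions deny lists and accept lists as the technical control that backs up the acceptable use policy. As an added example (not part of the course material), the following Python shows the two policies side by side and why the lookup has to work on the parsed, normalised hostname rather than the raw URL: trailing dots, upper-case, a `user@` prefix and a port are all trivial ways to dodge a naive filter, and a raw IP address is something a deny list cannot catch at all, whereas an accept list blocks it by default. The domain names, URLs and list contents are constructed for illustration and are not real sites.

```python
"""Deny list versus accept (allow) list for web filtering: a worked example.
Domains, URLs and the list contents below are constructed, not real."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy lists (hypothetical names, not real sites).
DENY_LIST = {"torrentsite.example", "gambling.example"}
ALLOW_LIST = {"intranet.example.com", "vendor.example.net"}


def normalise_host(url: str) -> Optional[str]:
    """Return the canonical hostname for a URL, or None if there is none.

    urlsplit().hostname lower-cases the name and strips userinfo (user@)
    and any port; we also drop a trailing dot and convert Unicode labels
    to punycode so that cosmetic variants of one name compare equal.
    """
    if "://" not in url:
        url = "http://" + url          # bare 'example.com/path' forms
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None                    # undecodable name: treat as unknown


def host_in(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def deny_list_decision(url: str) -> str:
    """Deny-list (blacklist) mode: everything is allowed unless listed."""
    host = normalise_host(url)
    if host is None:
        return "block"                 # fail closed on unusable input
    return "block" if host_in(host, DENY_LIST) else "allow"


def allow_list_decision(url: str) -> str:
    """Accept-list (whitelist) mode: everything is blocked unless listed."""
    host = normalise_host(url)
    if host is None:
        return "block"
    return "allow" if host_in(host, ALLOW_LIST) else "block"


def naive_deny_decision(url: str) -> str:
    """Substring match on the raw URL: the mistake that parsing avoids."""
    return "block" if any(d in url.lower() for d in DENY_LIST) else "allow"


# Constructed requests: one legitimate, the rest attempts to slip past a filter.
SAMPLE_URLS = [
    "https://intranet.example.com/hr/policy",
    "http://user@TORRENTSITE.example./files",      # case, userinfo, trailing dot
    "http://mirror.torrentsite.example:8080/",     # subdomain plus port
    "http://203.0.113.5/",                         # raw IP, on no list at all
    "https://intranet.example.com/?ref=torrentsite.example",  # listed name only in the query
]


def evaluate(urls=SAMPLE_URLS) -> dict:
    """Map each URL to (naive deny, parsed deny, accept-list) decisions."""
    return {u: (naive_deny_decision(u), deny_list_decision(u),
                allow_list_decision(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, deny, allow) in evaluate().items():
        print(f"{url:58} naive={naive:5} deny-list={deny:5} accept-list={allow}")
```

The raw-IP request is the point of the comparison: the parsed deny list correctly blocks every disguised form of the listed name, but it still lets the IP address through, because an unlisted address is by definition allowed. The accept list blocks it without any extra rule, at the cost of having to maintain the list of everything staff legitimately need. The last URL shows the opposite failure of the naive substring filter: it blocks a legitimate intranet page just because a banned name appears in the query string.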


About the Author

A world-leading tech and digital skills organisation, we help many of the world's leading companies to build their tech and digital capabilities through our range of training courses, reskilling bootcamps, work-based learning programmes and apprenticeships. We also create bespoke solutions, blending these elements to meet specific client needs.