1. Home
  2. Training Library
  3. Procedural and people security [CISMP]

Threats and vulnerabilities associated with people

Threats and vulnerabilities associated with people 

Humans are naturally forgetful, the debate on how many items the average person can hold in their short-term memory ranges from a maximum of four to seven items.

Many of the digital slip ups spoken about are said to be due to complacency or human error, as happened recently with the Government breach seeing the addresses of more than 1,000 New Year Honours recipients mistakenly shared online (BBC). It’s incidents like this that remind us how important measures like limited access to data, duel sign off, and other mitigation techniques really are. Let’s move on to read more on people-based controls so you have some mitigation processes in your tool kit.

4 photographs showing People-based controls. Photo ‘Access to data’ shows staff standing at desk looking at documents and laptops; Photo 2 ‘Separation of duties’ view of diaries and documents on desk with staff in background; Photo 3 ‘Mandatory vacations’, staff working at desk, some sitting some standing; Photo 4, “Job rotation’ staff member dressing in red looking at camera, while at board meeting.

Mitigating threats and vulnerabilities   

The foundations for mitigating people-based threats and vulnerabilities can usually be found in employee contracts and code of conduct agreements. These see employees signing non-disclosure agreements and agree to specific organisational expectations, and as useful as these measures are, they’re not enough. Some of the other people-based controls you can use to minimise risk are:  

  • Providing access to data and systems within the principle of ‘least privilege’ and ‘need to know’ (which is ‘least privilege’ applied to information access). Staff should be given adequate privileges to do their jobs but no more. 
  • Separation of duties - No individual should be able to carry out all the tasks which might be used to commit a fraud. For example, the person who places an order should not be the one who authorises payment. Dual control is an extension of this, which requires two individuals to carry out a single critical task, such as requiring two signatures on cheques over a certain value.  
  • Mandatory vacations which can be used to audit staff in sensitive posts while they’re away from work. 
  • Job rotation to prevent individuals from becoming too entrenched in a post and ensure that expertise is spread among staff rather than being concentrated in a few individuals. 

Of course, one of the most common ways to keep ourselves safe in the digital landscape is by using passwords, but are they as safe as you think?  

Passwords  

In theory, passwords should be a secure mechanism for protecting data. However, as passwords have been the primary means used to authenticate users to systems since the dawn of computing, hackers have developed many ways to bypass this control.  

There are three primary ways that passwords can be cracked: 

  • They can be guessed - password guessing is one of the most common attacks. Using your mother’s maiden name or your pet’s name is clearly a bad idea and a little digging around on Facebook is likely to uncover this information. Complex passwords should always be used.
  • They can be programmatically attacked - there are many tools that launch targeted and brute force attacks (a repetitive attack using a list) to programmatically identify passwords. A brute force attack might start at ‘aaaaaaa’ and work up to ‘zzzzzzzz’, with one character changing at a time. A dictionary attack relies on trying passwords from a pre-compiled list which can grow to be many gigabytes in size and be created quickly using data mining applications from social networking sites, like Facebook and LinkedIn. 
  • They can be socially engineered - social engineers use all the skills of a typical con artist. They might use a pretext, like pretending to be from the service management team, or someone from the user’s bank, to encourage a target to give away their password. They could also insert a USB drive into a computer to install a key logger to retrieve the user’s password. 

These attacks can only be effectively countered through education; users must know exactly what to do if they become suspicious of any kind of unsolicited approach. Advice from the UK National Cyber Security Centre is not to use long complex passwords which must be changed frequently. This is because people generally write down difficult passwords and tend to use the same password on multiple sites. Ways to overcome this are to: 

  • Use long passphrases, composed of words (at least three) that can be easily memorised
  • Use a password manager, which is software that creates and stores long complex passwords, so the user doesn’t need to remember them
  • Protect accounts by locking them after a stated number of failed login attempts. This eradicates brute force attacks
  • Use two-factor authentications with tools such as SecurID, which provides a pin number that must be entered at the time of log in

When making the digital security considerations in your own organisation, come back to this piece and use it as a checklist to ensure you’ve got the tools and procedures in place to protect you.

3 Photographs showing Password threats. Photo 1: Password guessing, front angle of hands typing on laptop keyboard; Photo 2 ‘Programmatic attack’ Over the shoulder shot of laptop screen and hands typing on laptop. Photo 3 ‘Social engineering’ Photograph of three colleagues talking together on a break in office

Biometrics

Iris scanning and retinal scanning. A retinal scan is a biometric technique that maps the unique patterns of a person's retina using a low-intensity light source. Through a delicate sensor, a retinal scan examines the pattern of retina blood vessels, which remains unchanged from birth until death.

What’s next?

Now you know more about how to minimise the people-based threats to your organisation, you’re going to move on to read about people-security implications, and the benefits of fostering a healthy security culture in the workplace.  

Difficulty
Beginner
Duration
45m
Students
67
Ratings
5/5
starstarstarstarstar
Description

Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve staff/ex-staff members. Therefore, it’s essential that all staff follow correct policies and procedures so they foster an appropriate security culture.

About the Author
Students
29680
Labs
125
Courses
1418
Learning Paths
37

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.