IT@Intel Blog

3 Posts tagged with the threat tag

Can an organization's greatest security asset also be its most serious threat? Yes, it can.


The Greatest Asset
I manage information security for Intel’s mergers and acquisitions. Recently, I was evaluating an acquired company and delivering information security training to our newest employees on their collective hire date. As I was presenting the fundamentals of how to keep the company, their work, and our industry safe from cyber threats, an important security maxim was exemplified.

In interacting with the audience, I understood how they were accustomed to conducting business, the scope of information they handle on a daily basis, and their views on the value of security. I began to emphasize how the employee base was the greatest asset to information security and how the combined force of a well-informed, properly trained, and security-savvy workforce dwarfs the efforts of the dedicated security staff. My recruitment speech sank in and their faces glowed with pride. I saw a bit of excitement from the audience, that of empowerment and newfound responsibility. I was setting them up. Although absolutely true, a few slides later in my presentation I unveiled the stark reality.


The Greatest Threat
I asked my newly recruited security champions what the greatest threat to the company was. Amid different answers, I revealed that THEY were the greatest threat. Not just them, but the entire workforce. The glow in their faces dimmed a bit. How can this be? How can our employees be both the greatest asset and the worst enemy in the cyber warfare trenches? They were shocked. They were dumbfounded. They were intrigued. I gave a dramatic pause. It is not often people are captivated by the boring and bothersome topic of information security. I savored the moment.

The real battlefield is in the hearts and minds of employees. These new employees, more than any, represent the greatest challenge. They are accustomed to their previous ways, inundated with new-hire information, and are not familiar with the security expectations of their new corporate parent. Security policy is a distant concern on their first day. Every subsequent day, the separated cluster of workers will not benefit from the social reinforcement of good security practices, as they are distanced from the collective body of experienced employees who exhibit secure behaviors.

We discussed how apathy, laziness, and circumventing policy for a quick gain can cause significant weaknesses in security. Every employee has a responsibility to be secure and reinforce those fundamentals with their peers. A single employee, through malice or carelessness, can cause more damage than a legion of hackers. They must decide, through their actions, if they are the security marshals or the villains of the story. The battle is with the mindset of the employees. The finest security policy is worthless in the hands of an apathetic workforce.

In the end, the discussion was a success. It was not just training; it was an interactive dialogue speaking to what is important and how every employee, now including them, works as a team to be Intel’s greatest security asset.


So, who do you market to?


Crazy as it may sound, digital appliances and accessories can infect your computers with viruses and worms. It is happening more and more. Although not near a tipping point, an evil cloud is rising.


Unlikely Threats
It is concerning enough we have to worry about USB drives, WiFi hotspots, mobile phones, PDAs, printers, email attachments, file downloads, search engines, and surfing just about any website. But now we must keep a suspicious eye on our new net-enabled refrigerator, digital picture frames, music-playing sunglasses, and even the toaster.

Recent articles show how consumer devices integrated with network-enabled computers are sources for malware infections. It is not shocking that software CDs/DVDs or USB drives might have nasty code lurking. Suspicion is the norm anytime we are connecting or installing something directly to our trusty computer. In those situations, we take proper precautions. But what about media players, GPS devices, and most recently wireless digital picture frames? These devices may not directly connect via traditional cable. Does the average consumer realize that when they flip the power button they may be turning on a wireless device infected with malware seeking to infect anything within range?

The toaster is out to get you!
It is not just the geek toys anymore. Not too long ago, an enterprising individual took it upon himself to hack a regular toaster, just to prove it could be a source of malware. A toaster! Very impressive, but what is next?

As computers are integrated into everything and are being upgraded with more power and connectivity, the threat landscape grows. Our cars, major appliances, personal electronics, accessories, and even clothing are potentially at risk. We are dragging these items into the digital world and in doing so, overlaying cyber risks on them.

Although not widespread, more and more stories are emerging and the list of products grows longer. At some point we will be forced to re-evaluate the standard threat categories to include some non-traditional vectors. Personally, I am waiting for shoe manufacturers to implant computers in their products so we can have "walk-by attacks". Can't wait.


Some news reference links:
http://www.securityfocus.com/news/11499
http://www.pcworld.com/article/id,141295-pg,1/article.html
http://www.theregister.co.uk/2008/01/14/sans_threat_list/


To defeat cyber attacks, we must first understand their characteristics and how they come about. Deconstructing threats is a way of comprehending the factors which drive information security strategy. Without understanding the nature of attacks, an organization is destined to thrash about trying to effect change, only addressing symptoms and oblivious to the root causes of the problems.


In the Beginning
The most important aspect to comprehend is that all malicious security threats and attacks begin with a person who has an objective. This person is the attacker, sometimes referred to as the ‘Threat Agent’. Make no mistake, a virus is not the attacker. The author and implementer of the virus is the attacker. Eliminating a virus is a short-term solution to the symptom of the problem, leaving the threat agent to find another method to achieve their objectives.

Threat agents are people and therefore driven by human nature. People compelled to expend energy manifesting in an attack on your organization have some desired outcome, a goal in mind. Their objective may be vague or precise, motivated by passion or logic; it may be inspired by emotional, intellectual, or economic needs. Their actions may target you directly or your organization may simply be caught in their sweeping net of activity. The permutations are mind-boggling, especially when you take into account that attackers include trusted persons intimately associated with the organization. Most importantly, they are thinking opponents who may plan, react, adapt, weigh options, and make decisions necessary to achieve their objective. Security success is heavily dependent on never losing sight of this key perspective. Attacks and threat agents are irrevocably tied together.


Building a Model
So if you have an attacker and their objective, the only component missing is the means for this person to achieve their goal. This path is the method. In reality, it most likely is a number of methods which are evaluated and one or more eventually employed. The term ‘vulnerability’ is a catch-all phrase used to express these methods. The term itself is far too broad to be meaningful. Anything can be a ‘vulnerability’, including a security control itself. If you have a deadbolt on your door and someone kicks it in, an expert may declare the deadbolt is the vulnerability. Somewhat absurd, which is why I personally dislike using the term. So don't expect to see that word much from here forward.

What do methods look like? It depends on the attacker, what opportunities are available to them, and their objectives. If an attacker is seeking personal satisfaction through ego gratification of power, they may decide to employ a Denial of Service attack to show they can affect a target network. An accounts payable employee may secretly use their legitimate access to issue checks to collaborators for their personal financial gain. Again, the possibilities and permutations are as vast and varying as the people involved.


Threat Model
This basic model is straightforward. A threat agent, willing to put effort into an attack, has an objective in mind and selects one or more methods to succeed. Once committed, they initiate their plans and the game begins. Defenders may put up obstacles and close possible methods, and the attacker, if still motivated, will respond.

http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-10761-1168/Threat+Model+6.bmp


Defeating the Attack
The game continues until the attacker succeeds, the attacker is removed or demoralized, the methods are rendered ineffective, or the objective is removed. Removing the attacker is a good but very difficult prospect, usually involving some type of law enforcement. More often the attacker is demoralized by making the prospect of achieving their objective very costly, so they either give up or move to an easier target.

Prevention activities are heavily weighted toward closing the most likely methods. This is a good strategy, which scales across many different attackers, but the simple fact is an attacker only needs one winning method to triumph. Much of the effort to close different paths to the objective is intended to make it progressively more difficult for attackers to succeed. Not every path or vulnerability (ugh, hate that word) must be eliminated, only the ones which the attackers are willing to put effort into. The more inconvenient and inhospitable the environment is for the attacker, the better it is for the defending organization.

Lastly, removing the objective from temptation makes an attack pointless. The famous bank robber Will Sutton purportedly replied to the question "why do you rob banks?" with "because that's where the money is". The same no-nonsense principle applies to information security. Take away the objective, and the very reason for the attack is undermined.

Understanding the characteristics of attacks is paramount to good security strategy. It helps clear the fog of effectiveness and provides a perspective on how attacks can be stopped in a coordinated manner.
