|
|
01-11-2010
Registered User
26,240,
27
Lessons from counter-terrorism
While being firmly based in the world of physical security and anti-terrorism, Eagle Eyes, a US Air Force Office of Special Investigations program, has worthwhile lessons for us in information security.
Through the Air Force program, civilians (as welll as military people, presumably) are encouraged to be alert towards, and report, suspicious activities such as:
- Surveillance -- someone recording or monitoring activities, including the use of cameras or binoculars.
- Elicitation -- anyone trying to gain information by mail, fax, telephone or in person about military operations or people.
- Tests of security -- attempts to measure reaction to security breaches or to penetrate physical security barriers or procedures.
- Acquiring supplies -- purchasing or stealing explosives, weapons, ammunition, uniforms, decals, flight manuals, passes or badges.
- Suspicious persons out of place -- people who don't seem to belong in the workplace, neighborhood or business establishment.
- Dry run -- putting people into position and moving them about without actually committing a terrorist act.
- Deploying assets -- people and supplies getting into position to commit the act.
- Surveillance -- someone snooping around the facilties, offices or IT systems, taking an unusual interest in CCTV cameras, alarms, access control systems, procedures for issuing staff passes or network IDs etc., and maybe photographing things. This includes "lookouts".
- Elicitation -- anyone trying to gain information by email, fax, phone, letter or in person about commercial operations, people, facilities, IT systems and networks. Anyone casually inquiring about sensitive projects, activities, facilities, systems or sites should immediately raise eyebrows at the very least.
- Tests of security -- people claiming they are 'just checking for vulnerabilities' or 'testing the security arrangements' should invariably be reported via the normal incident reporting process (generally, a quick call or email to the IT Help Desk or Security), even if they are legitimately employed to do this and present authentic credentials [employee awareness and incident responses are often part of such tests]. How often do we blithely ignore "IT people" or "maintenance engineers" fiddling around in the network cupboards or computer systems: they could easily be installing bugs, network sniffers or taps.
- Acquiring supplies -- copying or stealing employee credentials, staff passes, visitor IDs, passwords, user IDs, directories, site maps etc., and acquiring knowledge in other ways such as asking probing questions on the phone or on mailing lists, email, blogs, IM, Skype or whatever.
- Suspicious persons out of place -- people who don't seem to belong in the office/site, no matter what clothes they are wearing, toolboxes they are carrying, passes they present or whatever. Report them anyway - better safe than sorry and - if your security function is truly switched on - you might even earn yourself a prize or commendation. Again, this includes "lookouts".
- Dry run -- accessing facilities, networks, systems or whatever without apparently committing an attack as such. The most effective types of social engineering and walk-in intrusions are over before anyone realises anything has happened. Yes, they happen "in broad daylight". Brazenly. Even old-school bank robbers (who are renowned more for the size of their gonads than the size of their brains) case the joint first, and - again - post lookouts.
- Deploying assets -- putting people (lookouts), malware, bugs, systems and/or miguided trust relationships into place as a prelude to a full-blown attack. A classic example would be unauthorized privileged accounts on a system, curious new rules appearing on a firewall, and new employees, contractors, consultants, advisors or auditors who seem just a bit too eager to find out all there is to know about security, sensitive projects, customer lists, secret recipes etc.
Kind regards,
Gary Hinson
NoticeBored.com
More...