The Importance of Operational Security and User Education

Pierluigi Paganini May 31, 2015

An overview of the principal issues related to the three general categories that security controls fall under: physical, technical, and operational controls.

What is Layer 8?

Layer 8 is a term used by information security professionals, and techies in general, to describe the weakest link of every organization: the users. While an organization may be extremely secure and locked down with the finest, state-of-the-art security controls at both the physical and technical levels, it is far too common—and likely still the case for most organizations today—that management neglects the entire concept of operational security (also referred to as procedural security). Before we proceed any further, let’s stop and review the three categories of security controls that I previously mentioned.

The Three Categories of Security Controls

There are three general categories that security controls fall under: physical, technical, and operational (or procedural) security controls. These three categories are described below.

Physical security controls are those that supplement the security of an organization in a physical manner, but not necessarily at the technical level. While many firewalls are certainly deployed as physical devices, physical human interaction with them is limited to the team that manages them, and often limited to their initial deployment, with further management carried out electronically via a remote access service or web console. Physical security controls are those that the every-day user, or person, has to encounter or interact with. Examples of physical security controls include:

  • Guards
  • Mantraps
  • Locks
  • Biometric devices, hard tokens, ID badges
  • Building lighting, fencing, location

Technical security controls are those that supplement the security of an organization in a technical manner, but not necessarily at the physical level. What I mean is that these controls are most often designed to be transparent to the user, but are often deployed as physical appliances within the organization’s network infrastructure. Increasingly, as technology advances, these controls are also deployed as virtual appliances. These controls are not physically accessible by the every-day user, or at least shouldn’t be, but they do interact with the network traffic transmitted inbound to and/or outbound from the devices housed within the organization’s physical location. Examples of technical security controls include:

  • Firewalls
  • Network Access Control (NAC) Devices
  • Routers
  • Switches
  • Web Application Firewalls (WAFs)
  • Proxy Servers

Operational security controls are those that supplement the security of an organization in a manner in which both physical and technical elements are utilized. Operational security, also referred to as procedural or administrative security, encompasses the creation and enforcement of policies and procedures, and also includes documents such as guidelines. These documents outline the organizational structure and detail how the organization is to be run, the type of activity that is permitted and/or prohibited, procedural steps, and various other facets that define normal business operation. Remember that document you signed when you were hired by the technology company? That was likely an Acceptable Use Policy, and your signature implies that you have read and accept the presented policies. Policies such as an Acceptable Use Policy are often leveraged in cases where an employee is terminated, with violation of the policy cited as the reason for the employee’s dismissal. Examples of operational security controls include:

  • Overarching Security Policy
  • Acceptable Use Policy
  • Security Awareness Training Policy
  • Clean Desk Policy
  • Mobile Device Policy
  • Business Continuity Plan
  • Disaster Recovery Policy
  • Incident Response Procedure
  • Various Standards

The Weakest Link of Every Organization

Humans are naturally naïve. Regardless of whether you are the Chief Information Security Officer (CISO) of a top information security company or a new employee within the Sales department of that same organization, we are all viable targets. Humans can be and often are manipulated by one another every day, whether for malicious purposes or a “little white lie”; the combination of technology and the human mind is exceptionally dangerous. As the sophistication of the Internet and technology in general grows, the effectiveness and capabilities of security controls increase; however, a correlation between the good and bad sides of information security exists. As our inventory of tools used to mitigate and prevent vulnerabilities grows in complexity and sophistication, unfortunately, so does the inventory of the attackers that seek to evade our security controls and do harm to our network(s).

While a biometric device may prevent an unauthorized person from gaining entry to your building or your office, it does not prevent them from accessing your network. Besides, with the potential to virtualize essentially all elements of your organization, such as using encrypted servers rather than locked file cabinets to store documents, paperless banking, virtualization of devices, etcetera, cybercriminals generally aren’t looking to gain access to your physical place of business. Why would an attacker risk trying to get past the armed guards and biometric devices to steal personal information when the documents containing the desired information are also stored on an unencrypted network file share? The key word that we sometimes forget is that we are dealing with cybercriminals.

In addition, let’s consider a web proxy that acts as the gateway for end-user traffic within the organization’s network.  The proxy may prevent the user from browsing to sites that host malicious content, but what if the attacker decides to call the user?  What if the attacker mails a USB device to the organization that appears to be from a vendor?  What about e-mail attachments?

Furthermore, let’s consider a firewall that prohibits access to port 3389 (Remote Desktop Protocol [RDP]) on a critical server to all but those who first authenticate through an administrative virtual private network (VPN). Sure, that is certainly a security best practice, but this alone does not take into account the users themselves that are permitted to access that server. What if a user with administrative privileges, who manages that server, has their device infected with malware that grants a remote attacker full access to and control of the device? Then the attacker has found a way into the critical server, thought to be inaccessible to all but those who are permitted to access it.

An important, often overlooked facet of securing an organization’s infrastructure, involves the creation, continuous updating, and enforcement of operational security controls such as policies and procedures.  In addition, guideline documents can prove to be highly beneficial to the efficiency and fluency of an organization.

Policies, Standards, Procedures and Guidelines

Operational Controls: Policies

A policy, by definition, is a “deliberate system of principles to guide decisions and achieve rational outcomes”. Policies are overarching documents that lay the foundation for a certain aspect of an organization. For example, an Acceptable Use Policy will dictate what activity is permitted by users within an organization. A Mobile Device Policy may prohibit employees from bringing certain or all mobile devices to the workplace, or may simply prohibit employees from using their cell phones while in the office. Each policy document often references a policy owner: an employee who is in charge of policy maintenance and/or enforcement. Any consequences that may result from policy violation may also be outlined within the document.

The creation, maintenance, and enforcement of policies are integral to an organization. Policies serve as guiding documents for several general organizational functions. Additionally, they may serve as the basis for current or future procedural and guideline documents.

In short, policies serve as foundational documents, and provide users with the reason(s) why they must adhere to the enforced operational controls.

Operational Controls: Standards

A standard is best described as an acceptable level of quality within an organization. Standards define the minimal set of low-level controls employed within the organization. Standards are a vital part of developing, hardening, and maintaining the security posture of an organization. Standards can be set by regulatory bodies (e.g. for organizations within the healthcare industry) or by upper management. Standards that exist in most organizations include simple, basic ones such as password complexity standards, or a hardened image of an end-user device deployed as the baseline image for all new and re-imaged devices.

Standards help an organization maintain consistency.

Operational Controls: Procedures

Procedures, or rather procedural documents, are documents often derived from a policy that consist of step-by-step instructions to assist an organization’s users in achieving a specific goal, or to assist employees in performing actions such as filing a complaint or reporting a spam e-mail. Procedures are specific in nature in that they detail exactly what to do and how to do it.

Procedures provide the user with a proper set of instructions to follow to achieve a desired end-result.

Operational Controls: Guidelines

Like procedures, guidelines are non-mandatory sets of instructions that describe how something should be done: the proper steps to follow to achieve a desired end-result. Guidelines are similar to procedures but more granular, in that they often go into much greater detail.

Guidelines provide the user with a detailed set of proper instructions to follow to achieve a desired end-result.

Where Most Organizations Fail

Now that I have outlined and explained the various components of operational security—policies, procedures, standards and guidelines—it should be clear how these four guiding documents complement each other and provide for a secure, efficient environment. As I stated previously, the manipulative nature of us humans is often overlooked. Most if not all organizations (you would hope) have at least some variation of a Security Policy, and most (especially in the IT realm) require new employees to sign an Acceptable Use Policy during the on-boarding process, and perhaps again when the policy is amended. However, ink on paper, or pixels on a screen, is often either not read or simply not retained by the users exposed to it, who are oftentimes mandated to read and sign an important document only once during their entire career with the company. Many organizations lack an efficient Security Awareness Training program, or rather do not have one at all. Those that do have one, even one that is updated regularly, often have no policy in place that mandates users to partake in such trainings, whether during the on-boarding process, at set intervals, or as a result of an incident that occurred within the organization.

I am a firm believer that users must be trained at regular intervals, on a quarterly basis at the least. In addition to mandating that users participate in training courses at regular intervals, a procedure should be put into place that instructs the appropriate group within the organization to distribute bulletins or notices upon the occurrence of an incident, or after intelligence on a new threat found in-the-wild becomes available. Keeping our users informed and up-to-date on new and emerging threat information, along with regular trainings—educating our users—is the best defense an organization can implement. Phishing is on the rise again, and this attack falls under the social engineering umbrella of attacks, arguably the most dangerous type of attack. Phishing e-mails come in various shapes and sizes in today’s world. From the “Nigerian Prince Scam” to the generic “invoice” or “tracking number” phish, to the now advanced capabilities of attackers to spoof the e-mail addresses of legitimate users, phishing is certainly one of—if not the most—successful attack methods utilized by attackers today. Attackers spoof the addresses of legitimate users or organizations, construct detailed e-mail messages that are extremely close to, if not indistinguishable from, legitimate e-mails, and have been observed delivering malicious payloads in new and advanced forms: SCR files, PIF files, heavily obfuscated JavaScript and VBScript files, and PDF files with embedded scripts. The older technique, Microsoft Word documents with malicious embedded macros, has become prevalent in-the-wild once again.
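As an added example (not part of the original article or the author's work), the following Python shows the kind of attachment screening a mail gateway or SOC triage script can apply to the payload types named above: risky script/executable extensions, the "invoice.pdf.scr" double-extension disguise, Office documents carrying a VBA project, and PDFs with embedded JavaScript actions. The message, addresses and file names are constructed sample data.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

RISKY_EXTENSIONS = {".scr", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf"}  # carriers the article names
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}  # "invoice.pdf.scr"

def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML Office file (a zip container) carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves quarantine or analyst review (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"script/executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension disguise")
    # Inspect content, not just the name: a renamed .docm is still a zip with a VBA project.
    if data.startswith(b"PK\x03\x04") and has_vba_macro(data):
        reasons.append("Office document contains VBA macro")
    # Crude but useful heuristic for PDFs carrying embedded script actions.
    if data.startswith(b"%PDF") and (b"/JavaScript" in data or b"/JS" in data):
        reasons.append("PDF contains JavaScript action")
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_message() -> bytes:
    """Constructed sample (not a real phish): macro-enabled doc, double-extension file, benign text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA container
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please review the attached invoice and tracking details.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_4471.docm")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Tracking_Number.pdf.scr")
    msg.add_attachment("Quarterly figures attached separately.", filename="notes.txt")
    return msg.as_bytes()
```

Calling `scan_message(build_sample_message())` flags the .docm for its VBA project and the .scr for both its extension and the double-extension disguise, while notes.txt passes; a real deployment would add this to a gateway or ticketing hook rather than trust file names alone.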

The regular training and education of our users with regard to past, current, as well as new and emerging threats observed in-the-wild is imperative for an organization’s success.  The users are the weakest link of any organization; the foundation of an organization—the creation, maintenance, and enforcement of policies, procedures, guidelines as well as the existence of standards—is essential to develop and maintain operational efficiency, establish security, and ensure the consistent operation of an organization.

About the Author: Michael Fratello

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York.  Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.

Edited by Pierluigi Paganini
