Ira Winkler - You CAN Stop Stupid

Here you can read online an introductory excerpt of the e-book "Ira Winkler - You CAN Stop Stupid" free of charge and, after reading the excerpt, buy the full version. In some cases the audio can be played, the book can be downloaded via torrent in fb2 format, and a short summary is available. Genre: unrecognised; language: English. The description of the work (preface) and visitor reviews are available on the LibCat library portal.

You CAN Stop Stupid: summary, description and annotation


Stopping Losses from Accidental and Malicious Actions. Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations conclude that there is some deficiency in the users and that the fix is to improve their awareness efforts and make users "more secure." This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent; the failure is in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures, layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines such as military kill-chain analysis, counterterrorism analysis, and industrial safety programs, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine the appropriate countermeasures to implement.

- Minimize business losses associated with user failings
- Proactively plan to prevent and mitigate data breaches
- Optimize your security spending
- Cost-justify your security and loss reduction efforts
- Improve your organization's culture

Business, technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

You CAN Stop Stupid: read the introductory excerpt online



Clearly, brand reputation has distinct value to the organization. You need to be able to identify how user actions can potentially compromise the brand's value so that you can get the support you require to protect the brand.

Value to Potential Attackers

The road to business hell seems to frequently begin with, “Nobody would bother attacking me.” We once heard this from the CEO of a credit union that had assets of “only” $20,000,000,000. His thought was that criminals would go after bigger banks. While this is clearly an extreme case, every organization has some people who believe they don't work with anything of value that people would target.

Many people don't realize that a seemingly inconsequential computer or website can be used as part of a botnet to serve malware to others. The location of the computer is irrelevant to the criminals. Excess equipment may seem outdated, but such units frequently contain hard drives that still hold sensitive information. Printers and multifunction copiers, for example, may retain on their internal storage a copy of every document they have ever printed or scanned.

Clearly, successes are critical to protect. However, even failure can provide valuable data to potential attackers. In research and development environments, knowing the details of your failures can show your competitors where they should not waste time and effort in their own endeavors. In a sales environment, even rejected proposals can give a competitor an idea of your pricing structure and methodologies.

As you begin to create your business case, it pays to consider how your threats look at the value of your organization. It helps to understand what is actually at risk. It might also help you more completely determine what is truly valuable to your organization. Every so often, it pays to refresh your perspective regarding what you have to protect.

Threats

A threat is a person or entity that will do you harm if provided with the opportunity. While the common assumption is that threats are malicious people or groups, they are just one type of threat. There is a wide variety of threats that any given organization has to address.

As opposed to listing all possible threats, we focus on categorizing them. Threats can be malicious or malignant. A malicious threat is one that intends to do you harm. A malignant threat is one that causes harm by its mere existence.

Malignant threats can further be broken down into “who” threats and “what” threats. There are many examples of malignant “who” threats. Users accidentally delete or enter the wrong data. Administrators make mistakes. Travelers lose their laptops or USB drives. Workers are careless on factory lines. There is no malicious intent on the part of any of these people, but ultimately these users are still malignant threats.

Besides the “who” malignant threats, there are also “what” malignant threats. Computers crash. Machinery breaks. Power outages occur. Natural disasters, such as hurricanes, earthquakes, floods, and tsunamis, cause incredible damage. Consider the deaths and damage caused by Hurricane Katrina, for example. A large hurricane causes tens of billions of dollars of damage. That does not include its impact to businesses within the area that lose revenue and suffer other losses. And of course, how users react to such “what” threats is also a “who” factor, which has the potential to compound the malignant threat.

Beyond malignant threats, we also need to consider malicious threats. There are two types of malicious threats: outsider threats and insider threats.

Outsider malicious threats are generally people with criminal intent. These people target your users with the intent to exploit them. Either they intend to get your users to commit actions on their behalf or they essentially assume the identity and access of your users. For example, an outsider might attempt to trick employees into sending them sensitive information. Alternatively, outsiders might steal credentials through phishing attacks and then use those credentials, appearing to be your own user, to steal information.

We can further break down malicious outsider threats by the scope of their ability and resources. Nation-states have nearly unlimited resources and ability. When North Korea targeted Sony, they poured an incredible amount of resources into finding a way into Sony's corporate network. They eventually compromised administrator credentials and, once in, had a large enough team to quickly scour the Sony network to both steal information and create massive damage.

On the lower end of malicious outsider threats, you have opportunists who take what is easily available. From an IT perspective, low-skilled hackers target people randomly with tools available on the Internet. If they are successful in gaining a foothold, they take whatever they find available.

Beyond the malicious outsider threats, we have malicious insider threats. These can be employees within an organization, users, business partners, customers, or any other type of user who deals with your organization. Some of these users steal equipment, software, or materials for personal use. Other malicious insiders sabotage the organization's products, services, or reputation. Others actively try to undermine the morale or productivity of other users.

People often focus on malicious outsiders when they think of threats. But from the perspective of reducing UIL (user-initiated loss), one of the primary threats is the user. That might sound counterintuitive, but consider the following points. The Verizon Data Breach Investigations Report (DBIR) reports that 28% of incidents are the result of malicious insiders. Add to that the number of malicious outsider threats that attempt to exploit the user in some way, and the user as a malignant "who" threat who unwittingly (or uncaringly) enables those attackers. Then add the number of other ways that users function as a malignant "who" threat and accidentally or unknowingly initiate loss. Obviously, it is important to address malicious outsider threats. However, it is equally important to address users, as they have the potential, intentionally or otherwise, to be involved in your organization experiencing vast amounts of loss.

Vulnerabilities

Without a vulnerability to exploit, threats would be irrelevant. The reality, though, is that vulnerabilities are plentiful in just about any business environment. If you do any business at all, there will be vulnerabilities.

When we give presentations, we sometimes ask the audience, “Can anyone describe how to achieve perfect computer security?” The most common answer is, “Unplug the computer.” Our response is, “Congratulations! You just committed a denial-of-service attack against your own computer.”

There can never be a complete absence of vulnerability. You need to give users the ability to perform their job functions, and that will inevitably create vulnerabilities. Increasing the depth and breadth of those functions lets the organization deliver more value, but it also creates more opportunity for loss. It all boils down to finding the right balance.

Different categories of vulnerabilities are more prominent than others in various organizations, and it is important to be aware of each of them and consider their relevance to your users. The following sections address some basic types of vulnerabilities to consider as you look to mitigate UIL. These include physical, operational, personnel, and technical vulnerabilities.

Physical Vulnerabilities

Physical vulnerabilities are tangible in some way. Such vulnerabilities allow for access to an organization or its resources.

Most organizations have buildings, and many have outside properties where materials are stored. These facilities generally have perimeters that are protected by walls and fences. While people assume perimeters keep outsiders out, the reality is that the perimeters usually possess many vulnerabilities.

