Cyberattacks proceed just as they did in the analog world over 100 years ago. They are based on communication and knowledge of confidential information. While applications, networks and other technical details are always the subject of intense discussion in the Internet age, people forget about the parts of information security that have little or no protection: the interactions between people. These happen regardless of any security measures, because every company receives e-mails and phone calls all the time. How do you deal with this interpersonal flow of information? More specifically: how do you help sensitive departments like Human Resources (HR) make secure decisions?

Attacks beyond IT technology?

When it comes to communications and information security, many think of anti-virus or spam filters. These are basic components of security. But neither policies nor configurations answer the questions that really matter for implementation. What content, in which languages, does your company process? Do you have to answer every letter in every form? When it comes to the digital world, however, not everything changes. Of course you receive business letters every day. What looks like advertising on printed paper usually looks the same digitally. The security problems that arise from communication are, unfortunately, simply passed on to the IT department. Of course, the HR department wants to accept new applications from every possible input channel because talent could otherwise be missed. Potential attackers also know this and will use exactly the channel that makes an attack the easiest.

Spying via the personnel department / human resources / HR

In addition to the technical level, there is also the social engineering level. Incoming documents such as the CV or references are checked. However, even with the latest technology, it is not possible to decide in minutes whether someone is a genuine applicant or an applicant for the purpose of spying. Clearly, you can't suspect all new hires equally, but that's not the point. It's about how you present yourself to the outside world and how you handle the risk that every potential business letter carries. Especially in a penetration test without knowledge of the internal structure, a job application is a great way to gain insight into a company.

The findings can be summarized:

IT lacks the information to implement measures.
Certain departments will always need to be unfiltered/publicly accessible.
Attackers will always exploit these circumstances.

Security from head to toe — or the other way around?

Policies and compliance alone won't help with this problem. You need clear processes that both the technology side and the affected departments, e.g. HR, are aware of. If it is clear which languages processed documents may be written in, that helps the IT department configure filters, to give one example.

Unfortunately, some start securing at the endpoint and implement measures without starting at the business processes. When engaging security consultancies, you should use consultants who keep both the organization and the technical implementation in mind when conducting their research. Ultimately, implementing information security is just finding and filling the gaps that everyone has somewhere. You can't forget the human factor and its role in the company.

Further information:

Caution! Social Engineering
Der Unsinn von Social Engineering (The Nonsense of Social Engineering)
Seminar IEC 62443
Seminar: IT Security / Information Security