For First Responders, Avoiding Breaches Starts with People

Personal behavior and accountability are an integral part of an organization’s larger information security (InfoSec) efforts. That statement has proven true countless times in the private sector, where employee lapses make “many, if not most” of the breaches businesses suffer possible, or at least easier to carry out. For example, one of 2016’s most notable breaches, an attack against computer hardware manufacturer Seagate, occurred when a single employee oversight touched off a rash of identity theft, tax refund fraud, and other illegal behavior.

The story is much the same in the public sector. Because modern police departments, emergency medical responders, and other first-response entities provide online transactions and other services mirroring those offered by private enterprise, they must rely on similar front- and back-end computer systems, and thus must digitally store and transmit the same types of data hackers target at private businesses. These factors alone put first responders at risk for attacks that capitalize on human error. Given the ever-present risk of cyberattacks, compounded by the political or personal motivations that public entities can attract, first responders and other public agencies would be well advised to make personal security awareness, and the behavior that follows from it, a keystone of their attempts to stay digitally secure.

DOJ breach illustrates the relationship between people- and tech-focused security efforts
Indeed, a quick look at 2016’s public-sector breaches underscores how prominently the ability to provoke human error figures in the cyber-attacker’s playbook. Although it is impossible to say just how many breaches could have been prevented with more secure behavior or improvements to the policy that governs it, there is no question that a lack of either made many of these attacks easier.

Such was the case when a Department of Justice (DOJ) breach resulted in some 29,000 employees — including those from subordinate agencies like the Federal Bureau of Investigation and independent agencies like the Department of Homeland Security — having their information leaked online. The attacker, who posed as a new employee on the phone, fraudulently obtained access credentials, exploiting both human and technical oversight to capture the data. Though the DOJ should not have granted access to the hacker over the phone, TechTarget notes, poor “isolation of sensitive data on [DOJ] intranet” made such a broad-scale leak possible once that trust had been exploited.

Of course, the point here is not to criticize the DOJ — it is worth noting that the hacker first compromised an employee’s email, which undoubtedly helped his credibility during the phone call — but to point out the interplay between technical security and the tech-savvy employee. Had any one of the links in this chain of criminal activity proven harder to compromise, the attack might not have been possible at all. As with the above-mentioned Seagate attack, the events show how bad policy, employee ignorance, willful disobedience of procedure, or other behavioral factors can break even the strongest technical measures.

Training, policy, and awareness “set the table” for better security, but problems persist
While it is relatively easy to get employees to follow basic security steps — and while research indicates training on security awareness can have a positive effect on overall employee security knowledge (PDF) — even simple awareness requires an ever-evolving base of knowledge and savviness that can be difficult to maintain.

Recent developments in ransomware, a breed of malware well known for its prevalence in law enforcement settings, serve as one startling example of this concept. Unlike other ransomware, which encrypts files and holds them for ransom after a user clicks a bad email attachment, advertisement, or image, a variation called Popcorn Time takes an even more devious path. If the infected user tricks two other people into downloading the malware (and if those two new victims pay up), the hackers claim they will release the original victim’s data.

From an awareness perspective, such a malicious take on an already-nasty malware is a potential nightmare waiting to happen. Any officer or EMT can be trained to look out for the telltale signs of a suspect email, but what happens when they receive a normal-sounding email from a less-than-honest (or desperate) acquaintance or family member? On the physical-access front, the same perceptive officer who would never insert a flash drive he finds on the precinct floor may be fooled by that new county IT employee’s name badge and clipboard, only to discover his folly after the department’s computers have been bricked by a “USB killer.”

Other potential breach situations require a more opportunistic approach, but they are no less harmful to the organizations and individuals that suffer their effects. In one instance, a laptop containing unencrypted case files and other critical information (including info on victims and crime suspects) was stolen from an undercover detective’s pickup truck, putting data pertaining to roughly 2,300 people at risk. In another, a British police officer sent an unencrypted Excel file containing personal data on 10,000 people, including criminal records, to a journalist after an email error.

In both cases, the parties responsible were in violation of standards and faced sanctions for their mistakes. Yet, the gap between policy and policy compliance can be substantial as it pertains to security. Training and perpetual awareness efforts are critical, because one mistake is all it takes to cause a highly problematic situation.

Stricter controls may supplement attempts to raise awareness
Thus far, the best mitigating factor for this ever-increasing need for awareness appears to be more technology. Whether modified or off-the-shelf, numerous tools employed by first responders and other public-sector entities provide greater control, sometimes to the chagrin of end-users.

Take the (hypothetical) officer or firefighter who hates a particularly strict passphrase policy and decides to keep her work-provided laptop unlocked as often as possible to avoid typing it in. Though it may seem small on paper, this sort of minor indiscretion can have serious consequences when the right factors convene.

Bring your own device (BYOD) policies and corresponding mobile device management (MDM) tools have proven to be another approach. As an alternative to “shadow IT” — otherwise known as employees going against policy to access digital work resources on their personal devices — allowing public employees to connect their own phones and laptops to work networks has unquestionable allure. The department or governing body saves money on devices, employees get to work in the digital environment they are most comfortable in, and management gets greater control over how the devices are used.

Nevertheless, concerns remain. Looking past ethical concerns (such as, “Can my captain look up what I am doing on my phone when I am at home, even though it is technically against the rules?”) and potential financial disputes (“You owe me overtime for all the emails I read when I am off the clock!”), the security concerns are indisputable. For instance, the officer who uses work email on his personal iPhone could potentially open his department to risk every time he accesses his favorite coffee shop’s public Wi-Fi, even if he does not so much as pull his phone from his pocket while he is there: if his email updates during his visit, any data transferred over the network is potentially accessible by malicious actors in the same range.

As with security itself, the intersection of organizational control and individual ownership provides few easy answers. In police departments, where chain of command and order following are already de rigueur, the best bet may simply be setting expectations. The City of Albuquerque’s BYOD policy (PDF), which covers police and other first responders, bans personal devices that “[connect] to the city infrastructure” from viewing illicit materials; further, it disallows users from performing off-warranty modifications (“jailbreaking”) on personal devices, and stipulates that the city can monitor and wipe data from phones connected to its infrastructure via MDM tools.

Personal behavior remains an integral part of overall security
As tenets of information security go, the presumption that a breach is inevitable, coupled with the mandate that the organization do everything it can to stop it anyway, is one of the most important. When police, fire, and emergency medical departments make every effort to instill awareness along every part of the security “chain,” that chain has a much better chance of withstanding avoidable attacks and breaches.

To this end, making sure every employee is aware of key security topics, practices, and policies is one of the most security-forward things a first-response organization can do. With more entities falling victim to attacks every day, providing employees with the knowledge they need to make good decisions (and letting technology solutions bridge the gap) can help forestall the inevitable — perhaps to a point where it never comes at all.

Posted on Feb 27, 2018