Spying Against Those You Want to Protect
In the paper, El-Harmeel asks, "Why don't we have people in our organization whose main job is to detect and react for human-based attacks? We may have a firewall box that can defend against computer-based attacks, but we still need a new trend that defends against human-based attacks."
El-Harmeel's paper reminds me of a story told by Arik Friman, a man who understands much about the human nature of information security. Friman spent 25 years in the Israeli intelligence community, recently retiring as a brigadier general after heading the spy network's human-intelligence training. Now CEO of the counterintelligence firm DMOS, Friman told a delegation of American CIOs visiting Israel a story that explains why guarding against an individual's frailties is crucial in securing data:
Leah is a plain-looking sales clerk of 20 or so who works in a retail store operated by a telecom giant. The only interruption to her humdrum life came every few days when the dashing customer Joshua would visit, and flirt, while purchasing a few items. Joshua, a decade older than Leah, said he was the purchasing manager buying electronic wares for a fast-growing startup.
They became friendly, and after a month, he knew she wanted to grow their innocent liaison into something less platonic. Joshua asked Leah to lunch, but what she heard from him wasn't what she expected. "You're a nice girl, but I'm not interested in you as a friend. I'm on a secret mission from your company's CEO, and we need your help."
Joshua told Leah that a manager at the telecom had been stealing trade secrets from the company, and they needed her help to duplicate his methods. At the retail outlet, Leah had access to a PC that was connected to the corporate network, and Joshua instructed her how to retrieve confidential files. Joshua swore Leah to secrecy, telling her that only the CEO and a vice president knew of this operation. This was another lie.
Joshua worked for her company's rival. Unknowingly, Leah became a corporate spy for the competition and dutifully forwarded files to a secret e-mail account Joshua maintained.
Weeks passed. Joshua told Leah that the vice president wanted to meet her. It was a ruse. When they arrived at a restaurant, Leah saw the VP sitting at a table across the room with a man she didn't know. Joshua walked over to their table and, out of her earshot, began chatting with the VP's companion. Unbeknownst to the executive, the man was another agent for the competitor, who had arranged to meet the VP to discuss business. The VP had no knowledge of Leah, Joshua or, until that afternoon, his luncheon companion.
Joshua returned to Leah and told her the VP had second thoughts about meeting in public, afraid it would compromise the operation. He said the vice president still wanted to acknowledge her cooperation, so Joshua asked Leah to glance over at the VP. When the sales clerk turned to look, her back was to Joshua and she could no longer see him; at that moment he waved to the VP. The executive waved back, as if he were recognizing Leah.
More time passed, and Joshua gave Leah a $15,000 bonus as a valued member of the anti-fraud team. Months later, he gave her a $30,000 bonus. She was hooked and would do anything Joshua asked. That's when Joshua told Leah the truth. She was astonished and saddened, but was too deep into the operation to back out. She continued to spy on her employer. Leah longed for the humdrum existence that was no more.
The names in this story were changed to protect the guilty. Friman contends the story is true, and tells it to show that anyone can be recruited to spy on those they believe they'd protect.
This tale is also a harsh reminder that guarding against the people who already have legitimate access to corporate data is the first line of defense in information security.