some basic types of vulnerabilities to consider as you look to mitigate UIL. These include physical, operational, personnel, and technical vulnerabilities.
Physical Vulnerabilities
Physical vulnerabilities are tangible in some way. Such vulnerabilities allow for access to an organization or its resources.
Most organizations have buildings, and many have outside properties where materials are stored. These facilities generally have perimeters that are protected by walls and fences. While people assume perimeters keep outsiders out, the reality is that the perimeters usually possess many vulnerabilities.
Such vulnerabilities may include doors and gates that are not closed and locked, unmonitored entrances, materials left on the property but outside of the protective perimeter, information visually exposed due to open windows, materials exposed to the weather, poor monitoring of visitors, and so on. All of these physical vulnerabilities present opportunities for your resources to be damaged by the environment or by outsiders.
Sometimes organizations take their physical perimeter for granted and unknowingly circumvent it. One example is leaving materials on the property but outside of the protective perimeter. Another is having users work remotely: if users can reach the facility's resources without having to cross the physical perimeter, that is effectively a physical vulnerability.
Often, organizations put some level of faith into perimeter security and then leave resources vulnerable inside their facilities. In reality, internal physical vulnerabilities are as important as external vulnerabilities. If a malicious outsider makes it past your perimeter security, they can pass as an insider. And it is a rare organization that has absolutely no malicious insiders.
What vulnerabilities might a malicious threat see inside your perimeter? Things that come to mind include equipment to steal, computers left logged in and unattended, papers left on printers in public areas, unattended desks, file cabinets unlocked, sensitive information left on whiteboards, telecommunication equipment rooms left unlocked, USB drives untracked, and countless other things. You don't have to be a world-renowned penetration tester to see how your organization leaves resources vulnerable to anyone with malicious intent.
At the same time, you also need to recognize what leaves you vulnerable to accidental compromises or damages. For example, do people leave coffee cups on printers? Is fragile equipment transported in an unsafe manner? Is information stored on USB drives that are easy to lose? Accidental damage to resources sometimes creates greater loss than malicious actions.
Vulnerabilities are not just relevant to equipment, materials, and data. You must also be concerned about physical vulnerabilities in your environment that put people at risk. Unattended doors allow intrusions in which outsiders can enter and harm your people. Obstacles and sharp edges can cause injuries. Moving vehicles can hit people. While some injuries are freak accidents, with an open mind you can identify many vulnerabilities that can result in injury. These factors relate to safety science, which we discuss in Chapter 7.
Operational Vulnerabilities
Operational vulnerabilities are vulnerabilities in business processes that can cause loss. Within every business operation, there are some steps that allow for human error or facilitate malicious activity. For example, the collection of information itself is a potential vulnerability, but collecting excessive information is an additional, unnecessary vulnerability.
There will always be some vulnerability in any business process. You need to identify those vulnerabilities so that you can proactively account for and prepare for their exploitation. You also need to watch for operational vulnerabilities that do not need to exist at all.
Websites are an example of this. You need to provide information, but that information does not have to be excessive. Social media is an extension of the same concept. Individuals want to share their lives, yet they share so much that they expose themselves unnecessarily to criminal activity. For example, online banking account reset security questions ask for details such as the name of your pet or your birthday, which are frequently available on social media.
Physical inventory is also affected by operational processes. When you are dealing with physical inventory, sometimes there are good accounting practices to ensure that every piece is properly tracked from manufacturing to final sale to a customer and at every step in between. More often, less effective processes are in place, and loss occurs over time.
Operational processes should be defined by organizational governance through policies, procedures, and guidelines. Governance should specify every process in your organization and should tell people how to specifically perform their job responsibilities and how to make decisions. Chapter 13 discusses governance further, but at this point it suffices to say that most governance is poorly defined and increases operational vulnerabilities.
Personnel Vulnerabilities
Personnel vulnerabilities are vulnerabilities in the hiring, management, and termination of personnel involved with the organization. Obviously, you want to hire law-abiding and ethical employees. However, hiring processes are frequently flawed. Poor background checks can let people slip through the cracks. Even when there are processes in place, they are sometimes ignored.
Such was the case with Edward Snowden. Snowden resigned from the CIA in anticipation of being fired due to a variety of troubles. However, he was able to obtain a job as an NSA contractor, because USIS, the company responsible for performing his background check, did not interview Snowden's CIA co-workers, who would have disclosed his questionable activities.
Personnel vulnerabilities extend beyond hiring and into the day-to-day management of employees. Some organizations fail to review employees on a regular basis and fail to take action when warranted. Chelsea Manning reportedly had violent confrontations with her parents before enlisting in the U.S. Army, which included threatening her stepmother with a knife. Before Manning stole classified information, she was involved in several incidents, including assaulting a supervisor and sending an email to superiors that literally stated she was emotionally troubled. There should have been adequate enforcement of policies in place so that these incidents would have resulted in rescinding access to classified information long before she stole it.
Most environments do not typically see behaviors and circumstances as egregious as those of Manning and Snowden. However, there is a great deal of mismanagement of employees who give signs of concern. While you do not want to overreact to less than ideal circumstances and behaviors, you do not want to let them go unexamined. It is important to have policies and procedures in place to govern personnel vulnerabilities, and these should be driven by the balance of your risk equation.
Similarly, there needs to be a process for when people leave an organization, regardless of whether they are fired or leave voluntarily. When people depart, they frequently take information with them, and they can cause other damage as well. Specific processes need to be implemented for employee separation.
You also need to have criteria for anyone else with access to your organization. Contractors, vendors, temporary employees, and any other individual who has any involvement with sensitive processes or data, or might be able to create loss, represents the same potential vulnerability as your employees.
Much as with operational vulnerabilities, poor governance and its implementation are significant vulnerabilities with regard to the management of personnel.
Technical Vulnerabilities
Technical vulnerabilities can be software, hardware, or firmware based. They can also be vulnerabilities in equipment that cause injuries. Generally, with technical vulnerabilities, people assume they can bypass the users. However, we need to expand the discussion