“Never attribute to malice that which is adequately explained by stupidity.” - Hanlon’s Razor
Network security is a problem inherent to any connected web of computers, and recent developments have shown that even truly isolated computers—those not present on any network—can still be compromised. It is therefore vital that any and all electronic devices, isolated or networked, be subject to some degree of risk management.
Risk management in itself is a straightforward concept. All actions performed will result in an outcome; the likelihood of that outcome having negative consequences is the risk one takes performing such an action. As risk increases, the likelihood of malicious activity also increases. It’s almost inevitable for some risk to exist when working with and around computers, but steps can be taken to mitigate both risk and malicious fallout.
Isolated or air-gapped devices are of little use to most of the world. While “air gapping,” or removing all external inputs and outputs from the device, is an almost impenetrable defense, the system can still be compromised. As documented by Mr Greenberg, “If an attacker can plant malware on one of those [air-gapped] systems… every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer[.]” The method uses the fast-blinking LED indicator light, which often blinks during normal computer usage as the device reads and writes memory, to transmit data. This technique has one simple flaw: the attackers must first gain a foothold in the device.
Phishing and other scams are another key vulnerability of any system or network. These prey on a different aspect of the same vulnerability as the one Mr Greenberg documents: the fallibility of humans. A simple header on an email that makes it look like it comes from someone in a position of power, their bank, or a government agency, something that evokes an emotional response, changes how the person subjected to the attack responds. As Hitler knew well, “It is always more difficult to fight against faith than knowledge.”
Aside from isolation, education is really the only defense against attacks that play on the emotions of someone who has access to your network.
These are just a couple of reasons why personnel management is a primary factor in risk management. Education and documentation are key to loss prevention. Users, meaning anyone who has access to or interacts with the system, including technicians and loss prevention personnel, need to be aware of the risks their actions pose and the costs of fixing the problems that arise from irresponsible or unintentional choices.
There will always be malicious flaws in any system or network. People will always try to circumvent rules, fall prey to scams, and/or try to scam others. There will always be a better virus designed to latch onto unpatched weaknesses in firewalls and operating systems. But all of these things need one thing to get started: someone on the inside who behaves less like a respectful guest who is “borrowing” access and more like someone who feels like they deserve what they can take.
Greenberg, Andy. “Malware Lets a Drone Steal Data by Watching a Computer's Blinking LED.” Wired, Conde Nast, 1 Feb. 2018, www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/.