An external attacker identifies a system administrator with far-reaching access rights and contacts him through an anonymous channel. The offer: 50,000 euros for setting up a hidden VPN access to the internal network. The administrator declines, but the attempt itself shows that technical security measures protect only as long as the people behind them remain trustworthy.
Coercion, extortion or corruption (G 0.35) target the human component of information security. Technical controls can be circumvented when an insider is pressured or bought.
What’s behind it?
Coercion, extortion and corruption turn people into tools for security violations. Where technical attacks exploit weaknesses in software or configurations, these threats target the motivation and behaviour of the people involved.
Attack vectors
- Coercion — Threat of violence or other disadvantages to force a person to disregard security policies. Can be directed against the person themselves or against family members.
- Extortion — Exploitation of a compromising situation (incriminating information, financial difficulties) as leverage for security-violating actions.
- Corruption — Targeted bribery of employees or service providers with money, gifts or other advantages. Goal: access to confidential information, manipulation of systems or installation of backdoors.
Impact
The damage is potentially unlimited, because a corrupted person acts within their permissions and can bypass technical security measures. All three protection goals are affected: confidential information can be leaked, data manipulated and systems sabotaged. Particular danger exists for people in positions of trust — administrators, security officers, executives — whose actions are less questioned.
Practical examples
Bribery of a data centre technician. A competitor offers a technician working in a cloud provider’s data centre money for copying customer data onto a USB stick. Because the technician has physical access to the servers, the logical access controls are bypassed entirely; only physical controls such as video surveillance and a four-eyes principle for access to customer systems, or encryption of data at rest with keys that data-centre staff cannot reach, would have prevented or at least detected the incident.
Extortion of an administrator. An attacker obtains knowledge of private information about an administrator and threatens to publish it. In return, the administrator is supposed to create a specific user account with elevated rights. The administrator reports the incident to his manager, who involves the responsible authorities.
Corruption in the supply chain. An employee of an IT service provider responsible for maintaining a firewall is contacted by an attacker. In exchange for payment, he sets up a subtle firewall exception that allows certain external IP addresses access to the internal network. The change goes unnoticed in the regular change log because it is formally documented as a maintenance action.
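The supply-chain scenario above is detectable precisely because the rule change was logged, which is the point of the logging control listed below: a change that is “formally documented as a maintenance action” still has to reconcile with the change register. The following script is an added example, not part of the original page or of the BSI catalogue. It audits a constructed firewall change log against a constructed register of approved change tickets and flags inbound rules from external addresses that carry no ticket reference, reference an unapproved ticket, admit a source range the ticket does not cover, or are over-broad in scope. The log format, the internal address ranges and the ticket register are assumptions made for this example.

```python
"""Audit firewall rule changes against the change register (added example).

Flags the pattern from the supply-chain scenario: an external-access rule
whose only justification is a free-text "maintenance" note.  Log format,
internal ranges and the ticket register are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Address space of the internal network (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Change register: ticket -> external source ranges the ticket approves.
# Constructed here; in practice this is exported from the ITSM/CMDB tool.
APPROVED_TICKETS = {"CHG-2041": [ipaddress.ip_network("203.0.113.0/24")]}

# One line per rule change, key=value style (constructed sample log).
SAMPLE_LOG = """\
2024-05-02T09:14:05Z actor=svc_fw_ops action=add rule=R1042 src=203.0.113.0/24 dst=10.20.5.10/32 port=443 note="CHG-2041 partner portal"
2024-05-02T09:20:31Z actor=svc_fw_ops action=modify rule=R0877 src=10.0.0.0/8 dst=10.30.1.5/32 port=22 note="maintenance window"
2024-05-03T22:47:12Z actor=svc_fw_ops action=add rule=R1043 src=198.51.100.77/32 dst=10.0.0.0/8 port=any note="maintenance"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) rule=(?P<rule>\S+) '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\S+) note="(?P<note>[^"]*)"$')
TICKET_RE = re.compile(r"CHG-\d+")


@dataclass
class Finding:
    rule: str
    actor: str
    reason: str


def parse_log(text):
    """Parse log lines into dicts.  A malformed line raises instead of being
    skipped silently: a gap in the audit trail is itself a finding."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        entries.append(m.groupdict())
    return entries


def is_internal(net):
    """True if the network lies entirely inside one of the internal ranges."""
    return any(n.version == net.version and net.subnet_of(n) for n in INTERNAL_NETS)


def audit(entries, approved):
    """Return findings for rule changes that admit external sources into the
    internal network without adequate authorisation or with excessive scope."""
    findings = []
    for e in entries:
        if e["action"] not in ("add", "modify"):
            continue
        src = ipaddress.ip_network(e["src"])
        dst = ipaddress.ip_network(e["dst"])
        # Only inbound rules from outside into the internal network matter here.
        if is_internal(src) or not is_internal(dst):
            continue
        tickets = TICKET_RE.findall(e["note"])
        if not tickets:
            findings.append(Finding(e["rule"], e["actor"],
                                    "external source admitted without a change ticket reference"))
        elif any(t not in approved for t in tickets):
            findings.append(Finding(e["rule"], e["actor"],
                                    "references a ticket not in the change register"))
        elif not any(src.subnet_of(n) for t in tickets for n in approved[t]):
            findings.append(Finding(e["rule"], e["actor"],
                                    "source range not covered by the referenced ticket"))
        # Scope check is independent of the ticket: a real ticket can still
        # authorise far more than it should.
        if e["port"] == "any" or dst.prefixlen < 24:
            findings.append(Finding(e["rule"], e["actor"],
                                    f"over-broad scope: dst={dst} port={e['port']}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), APPROVED_TICKETS):
        print(f"{f.rule} by {f.actor}: {f.reason}")
```

Run against the sample log, the partner-portal rule R1042 passes (ticket present, approved, and covering the source), the internal-only change R0877 is ignored, and R1043, the “maintenance” exception from the scenario, produces two findings: no ticket reference and an over-broad scope. The check only works if the log and the change register are held on systems the firewall maintainer cannot edit; otherwise the same person who inserts the exception can also tidy up its trail.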
Relevant controls
The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 12 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)
Prevention:
- A.6.1 — Screening: Background checks during hiring, especially for positions requiring elevated trust.
- A.5.19 — Information security in supplier relationships: Contractual security requirements for service providers, including personnel screening.
- A.5.23 — Information security for use of cloud services: Specific requirements for personnel integrity at cloud providers.
- A.5.15 — Access control: Least privilege limits the damage a corrupted person can cause.
Detection:
- A.8.15 — Logging: Complete logging, forwarded to a system the logged person cannot alter, makes even “legitimate” actions of a corrupted administrator traceable.
- A.8.17 — Clock synchronization: Synchronised timestamps enable the forensic reconstruction of event chains.
Response:
- A.5.20 — Addressing information security within supplier agreements: Contractual handle for security violations by service provider personnel.
- A.5.21 — Managing information security in the ICT supply chain: Oversight over the entire supply chain, including sub-contractors.
BSI IT-Grundschutz
G 0.35 is linked by the BSI IT-Grundschutz catalogue to the following modules:
- ORP.2 (Personnel) — Requirements for background checks and trustworthiness.
- OPS.2.3 (Use of outsourcing) — Security requirements for external service providers.
- OPS.3.2 (Providing outsourcing) — Requirements for service providers delivering outsourcing services.
- NET.1.2 (Network management) — Protection of network administration against manipulation by insiders.
Sources
- BSI: The State of IT Security in Germany — Annual report with findings on insider threats
- BSI IT-Grundschutz: Elementary Threats, G 0.35 — Original description of the elementary threat
- ISO/IEC 27002:2022 Section 6.1 — Implementation guidance on screening