Published on July 16th, 2015 | by admin
Security and the Human Factor
Many people talk about security. And when they do, they talk of encryption and digital signatures, access control, malware and software vulnerabilities. It is true that security is all of these things and more. But software vulnerabilities are nothing compared to human vulnerabilities and patching those sorts of vulnerabilities can be difficult, but not impossible.
At some point, somewhere, in any security breach or any implementation of a security tool, or in the processing of security information, a human being will be involved. It is this human factor that is perhaps the most difficult one to mitigate for in any security management program or security strategy.
Human beings are, after all, quite vulnerable creatures – vulnerable to making mistakes, vulnerable to taking bribes, vulnerable to clicking the wrong web link at the wrong time.
I’m going to explore the various affects of human vulnerabilities within the security chain and how we can attempt to mitigate them.
Insider Threats and Making Mistakes
Insider threats are a massive deal. They are the cause of more financial losses due to cybercrime than any outsider threat. A study by the Ponemon Institute, 2014 Global Report on the Cost of Cybercrime, found that insider initiated cybercrime was not only more costly than other cyber threats (the average annual cost of an insider attack being $213,542), but it also took longer to contain than other types of attack.
One of the ways that insider threats succeed is through simple mistakes, or employees not being aware of a security policy, or good security policies simply not being implemented.
Accidental insider threats are perhaps the most common. These actors may unknowingly send out an email containing sensitive information to the wrong person. Most employees have done this with no ill-intent at some point or another.
CERT produced a report on Unintentional Insider Threats: A Foundational Study, which outlines four main areas that came under the heading of unintentional insider threats:
- Accidental disclosure – like the email leak mentioned above
- Malicious code installation – entry by, for example, a phishing email
- Accidental or improper disposal of paper records
- Lost or stolen data storage, such as laptops, USB keys and so on
Making a mistake is a human vulnerability and one that is very difficult to prevent. Setting good security policies in place, having strong authentication, limiting access and setting privileged users and using encryption all help, but having visibility of the movement of information and communications, and being alerted when issues occur is part of a robust security strategy that lets you know if that leaked data was malicious, or simply an accident and a one-off incident.
Further, it’s imperative to have a post-attack action plan in place to quickly stop the bleeding. This is where your communications analytics and network forensics solution comes into play.
Insider Threats and Cyber Espionage
The recent spate of OPM breaches, which stole the Personal Identifying Information from around 22 million government employees, has left people wondering if some of those people may end up being unwittingly co-opted into committing cyber espionage.
Cyber espionage, is where proprietary information and intellectual property is stolen, often being sold onto competitors, or even governments for malicious intent. This is a crime that has massive financial and business costs. Symantec has estimated that the U.S. economy was affected to the tune of around $250 billion from theft of intellectual property. As Robert Bryant of the National Counterintelligence Executive noted, “Insider threats remain the top counterintelligence challenge to our community.”
A report by Booz Allen Hamilton into the Cyber Theft of Corporate Intellectual Property has identified ‘disgruntled employees’ as being one of the threat vectors in the loss of intellectual property, with some of these employees having links to Chinese companies. People get upset and angry at their job, other workers, and their bosses and some people, not many, but enough to cause serious problems, will steal sensitive information as retribution.
Controlling cyber espionage attacks by insiders isn’t easy. However, one thing in favor of controlling these types of insider threats is that they are often planned. The employees will often take months, even years to prepare for the theft and this means they leave footprints as evidence of their intent. This can be in the form of outward, visible behavior changes, but it can also show up in events within the company network. You can create event records of data communications that point to unusual behavior or misalignment with company policies, and all of this evidence can help to prevent a major breach.
This person-centric approach to data security may seem new, but it is based on fundamental ways that human beings build up trust and relationships.
Social Engineering – You’re Only Human
Trust is one of the methods that hackers will use to manipulate people into believing a phishing or spear phishing email is legitimate.
In the case of phishing emails, they are sent out, usually en masse, without any real targeting, in the hope someone will believe it really is from PayPal, for example. Once they click on the link in the email, they enter a malicious website where they enter their PayPal credentials, which immediately compromises their actual PayPal account.
Spear phishing emails, on the other hand are far more clever. The recent ‘Hawkeye’ spear phishing episode is a case in point. Two Nigerian hackers perpetrated this hack by targeting SMB call centers. The hackers were able to establish a trusting relationship between themselves and an email recipient. They then picked a particularly hectic time period and sent out their coup de grace email containing malware, to which the unsuspecting email recipient, now thinking they knew and trusted this emailer, double clicked the attachment and installed the software. In this case, they installed a key logger, which gave access to login credentials for network resources.
Using human behavior to pull off a scam is a familiar tactic, and it’s now being used regularly as the weapon of choice by cybercriminals. It is responsible for initiating Advanced Persistent Threats (APT’s), supply chain hacking and is behind some of the biggest hacks of all time, including the Sony PlayStation hack.
Social engineering, like all human vulnerability based threats is a difficult one to manage. The obvious way forward is to educate your users about social engineering threats; let people know what a phishing email looks like and how real it can seem.
Patching software is another way to manage some types of threats that have their basis in the manipulation of human behavior. But ultimately, behavioral analysis and monitoring – knowing your workforce and their habits, understanding and recognizing unusual events and changes in your environment – removes the fundamental flaws in pushing the responsibility of behavioral management onto the individual, which is ultimately what training does and where this method has its Achilles heel.
Learn more about communications analytics and network forensic solutions. Download Rapid Remediation: Actionable Insight, Analysis, and Visualization for the Enterprise here.