Are People a Security Asset or Liability?
April 03, 2018
Introduction
In the security world, people get a bad rap. And it’s not hard to see why. Between social engineering, insider threats, and straight up human error, there are plenty of ways for your users to put the organization at risk. In fact, according to many reputable sources, human error is the single greatest cause of data breaches.
So why, then, when we look at the average organization’s security budget, do we see so little attributed to security training? After all, budgets are supposed to be allocated according to need, so what gives?
Part of the problem is that the security world is saturated with highly complex technologies, and fancy-sounding buzzwords. And most organizations, understandably, don’t have the expertise to judge the relative value of “next generation firewalls,” “endpoint security,” or “real-time threat intelligence.” Not that there’s anything wrong with these technologies. Quite the opposite, they can be highly valuable in the right setting.
The real problem is that all these buzzwords and marketing campaigns are tremendously distracting, and they tempt many organizations to overcommit resources on advanced controls before they’ve really mastered the basics of cyber security. In simple terms, they try to run before they can walk.
How Can Your Users Hurt You?
If you’re going to solve the human security conundrum, it’s important to understand how exactly your employees can hurt the organization. While some of these risks will be very familiar to you, there are several potential vulnerabilities you may not have considered.
Data / Asset Loss
This is the quintessential “human error” case. Maybe someone left a company laptop on the train, or failed to shred important documents before throwing them in the trash. Maybe they accidentally emailed sensitive data to the wrong recipient, or held a confidential phone call in a public area.
Sadly, there are so many different ways for employees to accidentally compromise your sensitive data. In a world where cyber crime and traditional crime have started to overlap it’s easy for malicious actors to capitalize on these mistakes.
Data Asset Theft
Everybody knows that stolen devices are bad news, but most organizations don’t spend a lot of time considering the possibility that their precious assets, data, or proprietary code could be stolen by their own employees.
In fact, there have been many cases of both technical and non-technical staff being caught and prosecuted for stealing from their employers. In some cases employees have been approached (and possibly threatened) by nation state actors, but in others they were simply looking to make a quick buck.
Social Engineering
If you look into the statistics surrounding data breaches caused by what we’ll loosely term “hacking,” you’ll quickly notice that almost every single attack contains one element: social engineering. Whether it’s a phishing campaign, malicious advertising (malvertising), a phone-based attack (vishing), or something else entirely, most threat actors feel their easiest path into a target network is through people.
And, for the most part, they’re right. The vast majority of normal users are woefully unprepared to cope with even the most basic phishing attacks.
Poor Web Browsing Behaviors
One of the big issues for organizations security is that many people simply don’t consider that their normal daily activities of browsing the web and reading email could be hazardous. If something looks interesting, they click first and ask questions later.
Unfortunately, tactics such as watering hole attacks, typosquatting, and malicious advertising have made the once (relatively) safe pastime of randomly following links a lot more dangerous.
It’s not just leisure browsing that can cause problems. Threat actors routinely target both entertainment and business traffic with a whole variety of attack vectors, making secure browsing behavior even more important than ever.
Social Media Faux Pas
Again, this isn’t something that many organizations worry about, but it’s extremely easy for employees to put the organization at risk through chance comments on social media sites. For the most part you wouldn’t expect the average user to reveal sensitive information directly via social media, at least not to the extent that it would be considered a data breach, but there are other hazards you might not have considered.
For instance, when a threat actor is “scoping out” an intended target, they will routinely check employees’ social media profile in search of information. Most commonly, the details they find will be used to develop highly targeted social engineering attacks, which are far more difficult to identify and defend against than more generic alternatives.
Password Reuse
Everybody knows that the average quality of passwords is a joke. Heck, even John Oliver made fun of how “embarrassingly bad” most passwords are on national TV. So, like most organization, you likely require users to select passwords that meet certain criteria on length and content.
But what most people don't realize is that even good passwords can be a huge problems if they’re reused in multiple places. The vast majority of people (even those who should know better) reuse their passwords across a whole bunch of different services, from social networks to online banking. And given that most services allow the use of email addresses in place of unique usernames, that means compromising credentials from one service will give a threat actor everything they need to attack a whole bunch of other accounts.
If that seems like a big problem for security… it is. For a surprisingly accurate (albeit satirical) example of the possible consequences, take a look at this cartoon:
User Permissions “Creep”
One of the big things that almost nobody considers about the so-called “insider threat” is the level of permissions being given out within their organization. In the vast majority of cases, user access controls (UACs) are well and truly out of control. In many cases, because so many different access levels and groups have been created over such a long period of time, nobody really knows who has access to what.
Added to this, many organizations err on the side of too much access, rather than too little, because they think it improves operational efficiency. After all, who has time to request enhanced access?
But in reality, if you aren’t sure if a person or group needs access to a particular part of your network, they almost certainly don’t. And if you give it to them anyway, and their account(s) are compromised, you’ve just given away even more sensitive data to an unwelcome intruder.
Intentional Sabotage
A lot of the time, when people think about the insider threat, they’re imagining the archetypal disgruntled employee, who just wants to exact revenge by causing damage to their organization’s network or assets.
Maybe they got passed over for promotion one too many times, or they’re about to get fired. Whatever their reasons, intentional sabotage by an insider can cause tremendous damage to any organization.
Now Where Do You Think Your Budget Should Go?
Now that you know precisely how much your employees could harm your organization (and in how many different ways) you might be starting to think a little differently about the way your organization’s security budget is allocated.
Yes, some of the issues described above can be at least minimized through judicious use of technical security controls such as a comprehensive vulnerability management program, network segmentation, and a “least privilege” approach to UACs.
But, unfortunately, completely negating (or even managing) human vulnerabilities cannot be entirely achieved through technical means. The existence of zero day threats is an obvious problem, but even identifying and remediating all known vulnerabilities is functionally impossible
Ultimately, since people pose the greatest threat to your organization, at least some of your resources should be invested in them.
Why Your Security Awareness Training Sucks
We’ve all seen some truly terrible security awareness training. From SMEs to multinational corporations, the vast majority of organizations commit the minimum possible resources to their programs, which wouldn’t exist at all if they weren’t necessary to satisfy compliance.
You know the deal. Once per year you’ll receive an email explaining that you’ll need to complete an online training course. So you load it up, and what do you find? Some boring, out-of-date garbage on data protection law, a vague warning about malicious email, and a reminder not to write your username and password down on the notepad you leave open on your desk all day long.
But hey, once you’ve clicked through the tedious little slide show, at least you’ll be left alone for another year. Clearly, this approach isn’t going to mitigate any of the potential threats we discussed earlier. Here are the major problems:
It’s Nothing But a Box Ticking Exercise
If your security awareness training program only exists to satisfy a compliance framework, it’s going to achieve nothing. Worse, since you seemingly aren't taking security seriously, your employees will follow suit.
It’s Not Current or Relevant
Safe data disposal and careful transit of sensitive assets are important, but they’re far from the only threats these days. Take another look through the list of possible human-cause threats above, and make sure your program addresses all of them.
It’s Totally One-Directional
Studies into the way people learn are clear: Almost nobody really learns anything when the flow of information is totally one-way. Not only should you use multiple mediums to convey your messages (e.g., video, audio, text, in-person) but you should also be including regular tests and thought exercises to engage employees’ minds.
There’s No “Why”
If they don’t understand why it’s important for them to be security conscious, most people won't bother. And really, who can blame them?
It’s “One and Done”
There is simply no way that an annual training program will change user behaviors, particularly when the training relates to a function most people don’t understand. For the most part, people simply don't realize how great the threat of cyber attacks and data breaches is. By only reminding them once per year you’re making it very difficult for them to give security the thought and consideration it needs.