Cyber Security Awareness: You Can Patch Systems, but Can You Patch People?
It’s National Cyber Security Awareness Month (NCSAM) again. Now in its thirteenth year, NCSAM is designed to raise peoples’ awareness about the importance of cyber security. From one perspective, awareness is to people as patches are to systems. Both are designed to change behavior. A patch changes a system’s behavior; awareness should change a person’s behavior. And in many cases it does.
We all know that people aren’t as deterministic as systems. The fundamental issue is that people aren’t perfect. No matter how much awareness is raised, and no matter how much we invest in training them, we need to assume they will make mistakes. They will, and those mistakes have repercussions for the enterprise security posture. As we build out enterprise security, we need to build it out in a way that assumes people – our customers, our employees and our bosses – will make mistakes, no matter how much awareness is raised.
NCSAM – especially this year – is focused largely on consumer awareness, and each week is focused on a specific theme. This year’s weekly ordering makes sense from that perspective but is a bit out of order from an enterprise perspective. IMHO, the ordering below makes a bit more sense.
Week 3: Recognizing and Combating Cybercrime
Most – though admittedly not all – cybercrime today is about money. And the monetization of the entire cybercrime industry is built upon the value of data. The foundation of the value chain is almost always either:
- extortion: ransomware, or DDoSing the apps that sit in front of data, or
- theft: exploiting a web app to get to the data behind it, or compromising a user or system and directly stealing the data itself.
In the end, cybercriminals want the data. All the other elements of the value chain of the cybercrime industry – root kits, vulnerabilities, phishing, malware – are all means to this end.
Almost all data has value to someone and therefore is at risk. In fact, the value of much data grows super-linearly. For example, as cybercriminals amass different details on individuals and aggregate them into a profile, the “whole” is worth much more than the sum of the parts.
Historically, the transaction costs around buying and selling stolen data were a big barrier for a cybercriminal. Stealing data isn’t worth much money unless you know someone you trust to sell it to. However, the combination of darknets and bitcoin provides highly liquid, efficient, anonymous and secure marketplaces, which pretty much solves this transaction cost problem (from a cybercriminal’s perspective). This gives cybercriminals even more incentive to hoover up as much data as they can; there is likely someone out there who will buy it.
If we didn’t need to make data available, this wouldn’t be an issue. We’d just keep it locked in a vault. The problem is we need to make it available, and in many cases, we need to make it available to people. Which brings us to…
Week 4: Our Continuously Connected Lives: What’s Your ‘App’-titude?
We live in an app-driven and data-sharing society. Virtually everything is online, and increasingly is online and connected. This isn’t necessarily a bad thing. Many of us owe our livelihoods either directly or indirectly to the efficiencies this creates. However, there is a downside: we need to assume that cybercriminals know a lot about our customers and our employees – including things like usernames and passwords – even if our own systems are totally locked down.
The vast amount of online information, combined with the cybercrime industry’s highly sophisticated adoption of automation, has made it possible and profitable for cybercriminals to amass huge amounts of personally identifiable information (PII). This is what LinkedIn is combating on a daily basis. Think about:
- Privileged users, who are highly trusted and have the keys to huge troves of sensitive data
- How many of them are on both professional and personal social networking sites
- What anyone can learn about them on these sites
- How a cybercriminal can use this information, especially…
- If this information is combined with other information obtained from a prior breach
Week 1: The Basic Steps to Online Safety and Security
If we assume cybercriminals know a lot about our employees and customers, then we need to assume they will be successful in compromising some of them.
Awareness is laudable, but people will inevitably make a mistake and get tricked. It’s the law of large numbers. We are effectively in an arms race against the automation and sophistication of the entire cybercrime industry. It is automation that puts the law of large numbers on the cybercriminals’ side, since it allows them to launch campaigns against millions of targets at minimal cost. Take a hypothetical organization with 10,000 employees. Even if
- the organization assumes it will be 99.9 percent effective in preventing compromise (which is extremely optimistic, given that when tested after phishing awareness training, it’s common for 20 percent of employees to still fail),
- a cybercriminal who launches one campaign a week against 10 percent of employees will still successfully compromise hundreds of employees over the course of a year.
The same math applies to customers that access web and mobile applications. Once someone is compromised, the cybercriminal behind the scenes is for all intents and purposes an insider.
According to Verizon’s 2016 Data Breach Investigations Report, 63 percent of breaches involved weak, default or stolen passwords. One valid mitigation is a solution that either detects and blocks malicious automated traffic, or evaluates login attempts in real time to prevent brute-force credential stuffing or the use of stolen credentials.
Week 2: From the Break Room to the Board Room
Employees are no different from consumers: they are not perfect, and we cannot assume they will behave perfectly. Even with the best training, we cannot expect even the best ones to do the right thing 100 percent of the time. And then there is the problem of the “threat from within”: the malicious employee. Imperva research indicates that one in 50 employees is a malicious insider, while Deloitte research states that 59 percent of employees who leave an organization, voluntarily or involuntarily, say they take sensitive data with them.
Gartner Inc. recently did some interesting research that concluded that about two-thirds of malicious insiders are what Gartner Inc. terms “second streamers”: insiders who have no intention of leaving the organization but have instead created a second income stream. That’s a telling, and scary, stat, but not a surprising one. Employees are people, and people’s situations change. There are many life changes and stresses that can drive an employee to seek supplemental income.
That said, by definition, we have to trust employees. In a knowledge-driven economy, even relatively junior employees need wide latitude to access and work with important information. The key thing is to put safeguards in place that monitor how employees access data and detect the behaviors indicative of data abuse. This provides a “failsafe” not only for detecting and containing malicious insiders, but also for identifying compromised users.
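One concrete form of the safeguard described above, as an added example rather than anything from the original post or a product, is a per-user baseline of data access volume: learn what “normal” looks like for each account from its own history, then flag days that deviate sharply from it. The baseline numbers and today’s figures below are constructed; the “rows read per day” metric and the thresholds are assumptions chosen for illustration. The same logic applies equally to a trusted employee whose behavior changes and to a compromised account being driven by an outsider, which is why one monitor serves both cases.

```python
"""Per-user data-access baselining: flag volume spikes relative to each user's history.

Added example. All figures are constructed; the metric (rows read per day) and
the thresholds are assumptions for the illustration.
"""
from statistics import mean, pstdev

# Constructed: rows read per day over the seven prior working days, per user.
BASELINE = {
    "alice": [90, 110, 105, 95, 100, 98, 102],            # light analyst usage
    "bob":   [1900, 2100, 2050, 1950, 2000, 2020, 1980],  # heavy but steady (e.g. reporting job owner)
    "carol": [45, 55, 50, 48, 52, 49, 51],
}

# Constructed: rows read today. 'dave' has no history at all.
TODAY = {"alice": 5000, "bob": 2300, "carol": 60, "dave": 400}


def zscore(history, today, min_history=5, sigma_floor=0.05):
    """Standard-deviations-from-baseline for today's volume, or None without enough history.

    sigma_floor keeps a very steady user from producing huge z-scores on tiny changes:
    the deviation is never treated as smaller than 5 percent of the user's mean.
    """
    if len(history) < min_history:
        return None
    mu = mean(history)
    sigma = max(pstdev(history), sigma_floor * mu)
    return (today - mu) / sigma


def flag_anomalies(baseline, today, z_threshold=4.0, min_ratio=3.0):
    """Return {user: reason} for accounts whose access pattern needs review.

    A spike must be both statistically unusual (z >= z_threshold) and materially
    large (at least min_ratio times the user's mean), so a steady user with a
    tiny standard deviation is not flagged for a modest increase. Users with no
    baseline are surfaced separately: they cannot be scored, only reviewed.
    """
    alerts = {}
    for user, rows in today.items():
        history = baseline.get(user, [])
        z = zscore(history, rows)
        if z is None:
            alerts[user] = "no baseline"
            continue
        if z >= z_threshold and rows >= min_ratio * mean(history):
            alerts[user] = f"z={z:.1f}, {rows} rows vs mean {mean(history):.0f}"
    return alerts


if __name__ == "__main__":
    for user, reason in flag_anomalies(BASELINE, TODAY).items():
        print(f"REVIEW {user}: {reason}")
```

Bob reads 15 percent more than usual and is left alone; Alice reading fifty times her normal volume is exactly the pattern the post calls “behavior indicative of data abuse”, whether Alice is a second streamer or an attacker holding Alice’s password. A real deployment would add dimensions beyond volume (new tables touched, unusual hours, export to unusual destinations), but the baseline-and-deviate structure stays the same.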
Week 5: Building Resilience in Critical Infrastructure
Historically, most critical systems were built on technical protocols different from Internet protocols. In many cases, there were and still are air gaps between the Internet and these critical systems, providing another level of protection.
The Internet of Things (IoT) will likely erode both of those protections. Much of the discussion around IoT security is about securing the “Thing.” This is likely futile, given that there already are, and there will be many times more, billions (trillions?) of Things. The law of large numbers applies here many times over. The danger is that the compromise of the Thing becomes a vector to compromise the back-end apps and data the Thing connects to.
Here again, the key is to put in place the safeguards that directly monitor access to the back-end apps and data, and detect the behaviors indicative of malicious activity.
Every Month is National Cyber Security Awareness Month
Every month, we hear of another breach at a prominent organization. I believe everyone is more aware, and cautious, than ever. But you can’t patch people. They will forever be the weakest link in the enterprise security posture. Our strategies need to accept this, and put in place the processes and controls to monitor behavior and activity, and to provide early warning and detection of abuse and theft of what matters most to us and to cybercriminals: data.
To help you get #CyberAware this month, here are a few of our customers’ favorite resources:
- Top Ten Indicators of Data Abuse
- Seven Tips to Protect Your Data from Contractors and Privileged Vendors
- Database Audit and Protection Tips, eBook 1: Getting Started
- Strategies and Tactics to Engage the Board of Directors About Cyber Security
- Developing an Office 365 security plan: best practices for protecting data