Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

2/12/2019
02:30 PM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Cybersecurity and the Human Element: We're All Fallible

We examine the issue of fallibility from six sides: end users, security leaders, security analysts, IT security administrators, programmers, and attackers.

First of a six-part series.

We are only human; we all make mistakes sometimes. Until the day when both the offensive and defensive sides of cyberattacks are conducted entirely by machines, we need to factor in human error as part of the cybersecurity process. Generally, when the topic of the human element is discussed, it focuses exclusively on the actions of the end user. But there is far more to the story than that. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity.

In this six-part series, we will address cybersecurity and the human element from the perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. For each perspective, we will explore common mistakes and the underlying issues that cause mistakes to happen, the repercussions of these mistakes, the processes and organizational changes needed to minimize mistakes on the defense side, and the fundamental changes the industry needs to reshape the current paradigm.

End Users
We begin with a look at the group that is often disparaged as the "weak link" in cybersecurity defense: the end users. These are the people who use our organization's network, software, and hardware on a regular basis to do their jobs. Some are technology-savvy, others know only the very basics of how to use their devices, and many are somewhere in between. Most end users, including the technology-savvy, lack knowledge about cybercrimes.

Common Mistakes
We have all seen numerous occasions in which end users fall prey to typical attack scenarios. End users enter their user credentials on phishing sites, click on malicious links and malware attachments in spear-phishing emails, visit malware-laden websites in waterhole attacks, plug infected thumb drives into their machines, or leave laptops or mobile phones unattended (or have their devices stolen). Sometimes end users are just not thinking about security and make rookie mistakes, sometimes the attacks are stealthy and trick end users into believing they are legitimate, and sometimes the attacks are so sophisticated that only a trained eye would be able to catch them.  

Repercussions
The result of end-user error varies based on the type of attack, but a common outcome is a malware infection if the threat is not detected and remediated by the endpoint security software running on the end user's system. If sensitive data resides on the end user's system, a malware infection could lead to a data breach or business disruption. Stolen credentials can be used to access or destroy data on the network. Malicious attachments or websites can infect the endpoint, leaving it susceptible to data exfiltration, data destruction (as in the case of ransomware), and lateral movement that could lead to further compromises on the network. Some incidents can be resolved with a straightforward technique, such as a reimaging the infected system, but every case still requires review by the security team, which increases incident investigation and response costs.

Minimizing Mistakes
Naturally, one of our priorities is to minimize the end user's exposure to malicious emails, websites, and the like so that there is less room for end-user error. This means implementing and continually fine-tuning the proper prevention technologies that weed out as many of the malicious attacks as possible (endpoint protection, email security, firewalls/web proxies, mobile device management, etc.).

It also means providing end users with training on why cybersecurity is important, and how they can be the "human firewall" who identifies cyberattacks, particularly email-based ones such as phishing/spearphishing attacks. This way, the end users not only refrain from clicking but also report incidents to us so that we can investigate and gain threat intelligence and prevention measures from it. Moreover, we need to deal with the inevitability of end user error by encrypting end user devices whenever possible so that data breaches do not occur when devices are lost, and by having solid incident response plans in place so we are ready to handle the infections that result from an erroneous click.

Change the Paradigm
We can't view our end users as stupid or as "enemies" who are the obstacle to our work. Like us, they're just trying to do their jobs. We cannot expect them to be able to identify malicious emails and websites as well as we can; that's not their skill set. So, we have to be understanding when they, as expected, make mistakes. When we adjust the way we think about our end users, it improves the way we interact with them. This can go a long way toward improving the dynamics between the security team and end users. We certainly don't want our end users to view us as the "enemy" who is the obstacle to their work. Improved relations begin with mutual respect. By  working together we can help turn the "weak link" in cybersecurity defense into part of the solution.

Join us next time to discuss the second perspective in our series: security leaders. 

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RoselleSafran
100%
0%
RoselleSafran,
User Rank: Author
2/21/2019 | 11:47:13 AM
Re: End user and the holistic perspective
Thanks, @Smilenlucky! We decided to delve into the issue from multiple angles because there's so much more to the topic than just the end user side of it. We hope you can check out the rest of the articles in the series!
Smilenlucky
100%
0%
Smilenlucky,
User Rank: Apprentice
2/20/2019 | 10:37:29 AM
End user and the holistic perspective
This is a great initiative to consider all the involved parties in information security .
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.