First of a six-part series.
We are only human; we all make mistakes sometimes. Until the day when both the offensive and defensive sides of cyberattacks are conducted entirely by machines, we need to factor in human error as part of the cybersecurity process. Generally, when the topic of the human element is discussed, it focuses exclusively on the actions of the end user. But there is far more to the story than that. Every aspect of securing, defending, and attacking has a human element, an element that profoundly affects all the other components and guarantees that there can be no silver bullet in cybersecurity.
In this six-part series, we will address cybersecurity and the human element from the perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. For each perspective, we will explore common mistakes and the underlying issues that cause mistakes to happen, the repercussions of these mistakes, the processes and organizational changes needed to minimize mistakes on the defense side, and the fundamental changes the industry needs to reshape the current paradigm.
We begin with a look at the group that is often disparaged as the "weak link" in cybersecurity defense: the end users. These are the people who use our organization's network, software, and hardware on a regular basis to do their jobs. Some are technology-savvy, others know only the very basics of how to use their devices, and many are somewhere in between. Most end users, including the technology-savvy, lack knowledge about cybercrimes.
We have all seen numerous occasions in which end users fall prey to typical attack scenarios. End users enter their user credentials on phishing sites, click on malicious links and malware attachments in spear-phishing emails, visit malware-laden websites in waterhole attacks, plug infected thumb drives into their machines, or leave laptops or mobile phones unattended (or have their devices stolen). Sometimes end users are just not thinking about security and make rookie mistakes, sometimes the attacks are stealthy and trick end users into believing they are legitimate, and sometimes the attacks are so sophisticated that only a trained eye would be able to catch them.
The result of end-user error varies based on the type of attack, but a common outcome is a malware infection if the threat is not detected and remediated by the endpoint security software running on the end user's system. If sensitive data resides on the end user's system, a malware infection could lead to a data breach or business disruption. Stolen credentials can be used to access or destroy data on the network. Malicious attachments or websites can infect the endpoint, leaving it susceptible to data exfiltration, data destruction (as in the case of ransomware), and lateral movement that could lead to further compromises on the network. Some incidents can be resolved with a straightforward technique, such as reimaging the infected system, but every case still requires review by the security team, which increases incident investigation and response costs.
Naturally, one of our priorities is to minimize the end user's exposure to malicious emails, websites, and the like so that there is less room for end-user error. This means implementing and continually fine-tuning the proper prevention technologies that weed out as many of the malicious attacks as possible (endpoint protection, email security, firewalls/web proxies, mobile device management, etc.).
It also means providing end users with training on why cybersecurity is important, and how they can be the "human firewall" who identifies cyberattacks, particularly email-based ones such as phishing and spear-phishing attacks. This way, the end users not only refrain from clicking but also report incidents to us so that we can investigate and derive threat intelligence and prevention measures from them. Moreover, we need to deal with the inevitability of end-user error by encrypting end-user devices whenever possible so that data breaches do not occur when devices are lost, and by having solid incident response plans in place so we are ready to handle the infections that result from an erroneous click.
Change the Paradigm
We can't view our end users as stupid or as "enemies" who are the obstacle to our work. Like us, they're just trying to do their jobs. We cannot expect them to be able to identify malicious emails and websites as well as we can; that's not their skill set. So, we have to be understanding when they, as expected, make mistakes. When we adjust the way we think about our end users, it improves the way we interact with them. This can go a long way toward improving the dynamics between the security team and end users. We certainly don't want our end users to view us as the "enemy" who is the obstacle to their work. Improved relations begin with mutual respect. By working together we can help turn the "weak link" in cybersecurity defense into part of the solution.
Join us next time to discuss the second perspective in our series: security leaders.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts.