Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint | Commentary
5/31/2018 10:30 AM
Christy Wyatt

Facebook Must Patch 2 Billion Human Vulnerabilities; How You Can Patch Yours

The situation Facebook is in should be prompting all security teams to evaluate just how defenseless or protected the people in their organizations are.

Everyone loves to watch giants get attacked. The heat of the moment provides fantastic entertainment. Typically, the spectacle reveals some truth. However, we usually don't get a clear picture of everything that's happening until after the dust settles. Such is the case with Facebook.

Now that things have calmed a bit, those of us in the security industry who have been watching the saga unfold are learning some valuable lessons. Chief among these is that by making only a few missteps, any business can turn millions of humans into vulnerabilities that unscrupulous actors can exploit. In this case, a lone developer accomplished this with an app that users, and Facebook, regarded as harmless.

What were some of the missteps Facebook made? It failed to arm itself with sufficient visibility over its environment. It had an ineffective early warning system. It didn't devote enough resources to user education and defense. And the social giant has been opaque about its business model and how it collects and monetizes members' data. While Facebook may currently be the one in the spotlight, it's vital to remember that it's not the only business that is failing to protect its users. These same oversights and problems plague most organizations today.

The 2018 IBM X-Force Threat Intelligence Index revealed that vulnerable humans, which it refers to as "inadvertent insiders" (aka insider threats), are responsible for exposing more than 2 billion records and causing 20% of reported security incidents. The Ponemon Institute estimates that this class of user is costing organizations more than $283,281 per incident annually. Some damages can't be measured in terms of dollars or records lost but by the impact they've had on world history. The Hillary Clinton campaign argues that attacks against vulnerable campaign insiders contributed to her 2016 presidential election loss.

The situation Facebook is in, along with findings like these, should be prompting security teams to evaluate just how vulnerable or protected the people in their organizations are. It should also be motivating them to find ways to "patch" any human vulnerabilities that exist. 

What's a Social Network, or Any Business, to Do?
Facebook CEO and co-founder Mark Zuckerberg says the platform will make sweeping changes to curtail future abuses. Let's hope they work. If Facebook, or any organization, is serious about protecting its people, there are certain essential steps they need to take. Here are four that all organizations should take right now:  

1. Gain visibility. Organizations need to get a grip on the behaviors of partners, customers, employees, and third-party application developers. To accomplish this, they don't have to resort to requiring anyone to adhere to intrusive monitoring practices that amount to surveillance and eavesdropping. Screen-shot captures, keystroke logging, and other invasive tactics aren't needed to be effective. There is a wide range of technologies available that Facebook or any company could choose from that will provide the visibility and intelligence needed to spot suspicious trends before they spiral out of control.

2. Enable early warnings. Many organizations have tools and technologies in place to notify them when suspicious behaviors take place. Many "early warnings" end up being false positives, which lead to alert fatigue. For early-warning alerts to truly have value, they have to be powered by technologies that understand behavioral context, know whether events are normal or anomalous, and recognize the intent behind observed actions. A smoke detector is of little use if it doesn't have a siren that lets people in the facility it's protecting know when there's danger. Nor would it have any value if it "cried wolf" when there is nothing to worry about.

3. Educate and protect. Organizations that want to shield their users against bad actors need to invest in providing security and scam education to users. Studies suggest that with education, humans can reduce their susceptibility rates to scams by as much as 70%. To further protect humans, businesses may need to build in alerts that let them know when they are about to engage with risky apps, click on questionable links, or get involved in dubious conversations. Access to a threat intelligence feed can also prove useful. The latest information about attacks in the wild will allow security teams to take proactive measures.

4. Be transparent. Had Facebook been up front with users about the fact that every bit of information they share is collected and analyzed for marketing and advertising purposes, then the 87 million users who were fooled may have thought twice before engaging with an app that was collecting personal information. Any organization committed to protecting its users against privacy and trust violations needs to be transparent about its data policies and business model. Users who understand how the businesses they engage with and work for use the data they generate and share will be in a better position to understand what types of online activities and behaviors are potentially harmful.
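Point 2 above argues that an early warning is only worth having if it understands behavioral context, so that it neither stays silent nor "cries wolf." The following is an added illustration of that distinction; it is not code from this article or from Dtex Systems. It runs two rules over a constructed daily roll-up of per-user "records exported" counts (users alice, bob and carol and all numbers are made up): a context-free static threshold, and a rule that scores each user's latest day against that user's own history. The static rule fires on a legitimately heavy user every single day, while the baseline-aware rule fires only on the one user whose behavior actually changed.

```python
"""Baseline-aware early warning over constructed activity logs.

Added example for illustration only; not from the article or Dtex Systems.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<date> <user> <event> <count>", one line per
# user per day (a daily roll-up of records exported). Not real data.
SAMPLE_LOG = """\
2018-05-01 alice export 40
2018-05-02 alice export 38
2018-05-03 alice export 45
2018-05-04 alice export 42
2018-05-05 alice export 41
2018-05-01 bob export 3
2018-05-02 bob export 2
2018-05-03 bob export 4
2018-05-04 bob export 3
2018-05-05 bob export 60
2018-05-01 carol export 12
2018-05-02 carol export 10
2018-05-03 carol export 11
2018-05-04 carol export 13
2018-05-05 carol export 12
"""


def parse_log(text):
    """Parse the roll-up into (date, user, event, count) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, user, event, count = line.split()
        records.append((date, user, event, int(count)))
    return records


def static_threshold_alerts(records, limit=30):
    """Context-free rule: alert whenever any daily count exceeds a fixed limit.

    Returns one (date, user, count) tuple per firing. Heavy-but-normal users
    trip this every day, which is exactly the alert fatigue the article describes.
    """
    return [(d, u, c) for d, u, e, c in records if c > limit]


def build_baselines(records, scoring_date):
    """Per-user (mean, population std-dev) of daily counts, excluding the day
    being scored so the anomaly cannot pollute its own baseline."""
    history = defaultdict(list)
    for d, u, e, c in records:
        if d != scoring_date:
            history[u].append(c)
    return {u: (mean(v), pstdev(v)) for u, v in history.items()}


def contextual_alerts(records, scoring_date, z_limit=3.0, min_sigma=1.0):
    """Behavior-aware rule: alert only when a user's count on scoring_date is
    more than z_limit standard deviations above that user's own history.

    Returns (date, user, count, z_score) per firing. min_sigma floors the
    spread so a very steady user with near-zero variance is not flagged
    by a trivial one-record change.
    """
    baselines = build_baselines(records, scoring_date)
    alerts = []
    for d, u, e, c in records:
        if d != scoring_date:
            continue
        mu, sigma = baselines.get(u, (0.0, 0.0))
        sigma = max(sigma, min_sigma)
        z = (c - mu) / sigma
        if z > z_limit:
            alerts.append((d, u, c, round(z, 1)))
    return alerts


def false_positive_count(records, scoring_date):
    """How many static-threshold firings the contextual rule would have suppressed."""
    static = {(d, u) for d, u, _ in static_threshold_alerts(records)}
    contextual = {(d, u) for d, u, _, _ in contextual_alerts(records, scoring_date)}
    return len(static - contextual)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("static threshold:", static_threshold_alerts(recs))
    print("contextual:", contextual_alerts(recs, "2018-05-05"))
    print("suppressed false positives:", false_positive_count(recs, "2018-05-05"))
```

On this constructed data the static rule produces six alerts (alice's five ordinary days plus bob's spike), whereas the contextual rule produces exactly one, for bob. In a real deployment the baseline window would be longer, computed per user and per event type, and the z-score would be one input to a risk score rather than the whole decision, but the principle is the one the article states: an alert has to be judged against what is normal for that person before it is allowed to sound the siren.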

When it comes to vulnerabilities in the world of technology, our minds tend to focus on hackers exploiting weak computer code in order to gain access to systems and data. While this is certainly one example of how the vulnerability scenario plays out, history has taught us, and Facebook has highlighted, that it isn't the only one. By now, all businesses should be thinking about their human vulnerabilities and taking steps to protect them against scams and attacks that could compromise their personal privacy and lead to costly and embarrassing incidents.


Christy Wyatt, CEO, Dtex Systems. Christy Wyatt is chief executive officer of Dtex Systems and serves as a member of the board. Most recently Christy was chairman, CEO and president of Good Technology, the global leader in mobile security across the Global 2000. During ...
Comments
REISEN1955
User Rank: Ninja
6/4/2018 | 8:08:39 AM
Don't tell the truth
Consider anything real about you on FB is exposed already --- so change your personal data going forward to be a lie and at least you are covered on that score!!!   Doing that tonight.  