
Endpoint

5/31/2018
10:30 AM
Christy Wyatt
Commentary

Facebook Must Patch 2 Billion Human Vulnerabilities; How You Can Patch Yours

The situation Facebook is in should be prompting all security teams to evaluate just how defenseless or protected the people in their organizations are.

Everyone loves to watch giants get attacked. The heat of the moment provides fantastic entertainment. Typically, the spectacle reveals some truth. However, we usually don't get a clear picture of everything that's happening until after the dust settles. Such is the case with Facebook.

Now that things have calmed a bit, those of us in the security industry who have been watching the saga unfold are learning some valuable lessons. Chief among these is that by making only a few missteps, any business can turn millions of humans into vulnerabilities that unscrupulous actors can exploit. In this case, a lone developer accomplished this with an app that users, and Facebook, regarded as harmless.

What were some of the missteps Facebook made? It failed to arm itself with sufficient visibility over its environment. It had an ineffective early warning system. It didn't devote enough resources to user education and defense. And the social giant has been opaque about its business model and how it collects and monetizes members' data. While Facebook may currently be the one in the spotlight, it's vital to remember that it's not the only business that is failing to protect its users. These same oversights and problems plague most organizations today.

The 2018 IBM X-Force Threat Intelligence Index revealed that vulnerable humans, which it refers to as "inadvertent insiders" (aka insider threats), are responsible for exposing more than 2 billion records and causing 20% of reported security incidents. The Ponemon Institute estimates that this class of user is costing organizations more than $283,281 per incident annually. Some damages can't be measured in terms of dollars or records lost but by the impact they've had on world history. The Hillary Clinton campaign argues that attacks against vulnerable campaign insiders contributed to her 2016 presidential election loss.

The situation Facebook is in, along with findings like these, should be prompting security teams to evaluate just how vulnerable or protected the people in their organizations are. It should also be motivating them to find ways to "patch" any human vulnerabilities that exist. 

What's a Social Network, or Any Business, to Do?
Facebook CEO and co-founder Mark Zuckerberg says the platform will make sweeping changes to curtail future abuses. Let's hope they work. If Facebook, or any organization, is serious about protecting its people, there are certain essential steps they need to take. Here are four that all organizations should take right now:  

1. Gain visibility. Organizations need to get a grip on the behaviors of partners, customers, employees, and third-party application developers. To accomplish this, they don't have to resort to intrusive monitoring practices that amount to surveillance and eavesdropping. Screen-shot captures, keystroke logging, and other invasive tactics aren't needed to be effective. There is a wide range of technologies that Facebook or any company could choose from to provide the visibility and intelligence needed to spot suspicious trends before they spiral out of control.

2. Enable early warnings. Many organizations have tools and technologies in place to notify them when suspicious behaviors take place, but many of these "early warnings" end up being false positives, which lead to alert fatigue. For early-warning alerts to truly have value, they have to be powered by technologies that understand behavioral context, know whether events are normal or anomalous, and can infer the intent behind observed actions. A smoke detector is of little use if it doesn't have a siren that lets people in the facility it's protecting know when there's danger. Nor would it have any value if it "cried wolf" when there is nothing to worry about.

3. Educate and protect. Organizations that want to shield their users against bad actors need to invest in providing security and scam education to users. Studies suggest that with education, humans can reduce their susceptibility to scams by as much as 70%. To further protect humans, businesses may need to build in alerts that let them know when they are about to engage with risky apps, click on questionable links, or get involved in dubious conversations. Access to a threat intelligence feed can also prove useful. The latest information about attacks in the wild will allow security teams to take proactive measures.

4. Be transparent. Had Facebook been up front with users about the fact that every bit of information they share is collected and analyzed for marketing and advertising purposes, then the 87 million users who were fooled may have thought twice before engaging with an app that was collecting personal information. Any organization committed to protecting its users against privacy and trust violations needs to be transparent about its data policies and business model. Users who understand how the businesses they engage with and work for use the data they generate and share will be in a better position to understand what types of online activities and behaviors are potentially harmful.

When it comes to vulnerabilities in the world of technology, our minds tend to focus on hackers exploiting weak computer code in order to gain access to systems and data. While this is certainly one example of how the vulnerability scenario plays out, history has taught us, and Facebook has highlighted, that it isn't the only one. By now, all businesses should be thinking about their human vulnerabilities and taking steps to protect them against scams and attacks that could compromise their personal privacy and lead to costly and embarrassing incidents.

Christy Wyatt, CEO, Dtex Systems. Christy Wyatt is chief executive officer of Dtex Systems and serves as a member of the board. Most recently Christy was chairman, CEO and president of Good Technology, the global leader in mobile security across the Global 2000. During ...
Comments

REISEN1955, User Rank: Ninja
6/4/2018 | 8:08:39 AM
Don't tell the truth
Consider anything real about you on FB is exposed already --- so change your personal data going forward to be a lie and at least you are covered on that score!!! Doing that tonight.