Dark Reading is part of the Informa Tech Division of Informa PLC
5/31/2018
10:30 AM
Christy Wyatt
Commentary
Facebook Must Patch 2 Billion Human Vulnerabilities; How You Can Patch Yours

The situation Facebook is in should be prompting all security teams to evaluate just how defenseless or protected the people in their organizations are.

Everyone loves to watch giants get attacked. The heat of the moment provides fantastic entertainment. Typically, the spectacle reveals some truth. However, we usually don't get a clear picture of everything that's happening until after the dust settles. Such is the case with Facebook.

Now that things have calmed a bit, those of us in the security industry who have been watching the saga unfold are learning some valuable lessons. Chief among these is that by making only a few missteps, any business can turn millions of humans into vulnerabilities that unscrupulous actors can exploit. In this case, a lone developer accomplished this with an app that users, and Facebook, regarded as harmless.

What were some of the missteps Facebook made? It failed to arm itself with sufficient visibility over its environment. It had an ineffective early warning system. It didn't devote enough resources to user education and defense. And the social giant has been opaque about its business model and how it collects and monetizes members' data. While Facebook may currently be the one in the spotlight, it's vital to remember that it's not the only business that is failing to protect its users. These same oversights and problems plague most organizations today.

The 2018 IBM X-Force Threat Intelligence Index revealed that vulnerable humans, which it refers to as "inadvertent insiders" (aka insider threats), are responsible for exposing more than 2 billion records and causing 20% of reported security incidents. The Ponemon Institute estimates that this class of user is costing organizations more than $283,281 per incident annually. Some damages can't be measured in terms of dollars or records lost but by the impact they've had on world history. The Hillary Clinton campaign argues that attacks against vulnerable campaign insiders contributed to her 2016 presidential election loss.

The situation Facebook is in, along with findings like these, should be prompting security teams to evaluate just how vulnerable or protected the people in their organizations are. It should also be motivating them to find ways to "patch" any human vulnerabilities that exist.

What's a Social Network, or Any Business, to Do?
Facebook CEO and co-founder Mark Zuckerberg says the platform will make sweeping changes to curtail future abuses. Let's hope they work. If Facebook, or any organization, is serious about protecting its people, there are certain essential steps they need to take. Here are four that all organizations should take right now:

1. Gain visibility. Organizations need to get a grip on the behaviors of partners, customers, employees, and third-party application developers. To accomplish this, they don't have to resort to requiring anyone to adhere to intrusive monitoring practices that amount to surveillance and eavesdropping. To be effective, screenshot captures, keystroke logging, and other invasive tactics aren't needed. There is a wide range of technologies available that Facebook or any company could choose from that will provide the visibility and intelligence needed to spot suspicious trends before they spiral out of control.

2. Enable early warnings. Many organizations have tools and technologies in place to notify them when suspicious behaviors take place. Many "early warnings" end up being false positives, which lead to alert fatigue. For early-warning alerts to truly have value, they have to be powered by technologies that understand behavioral context, know when events are normal or anomalous, and understand the intent behind observed actions. A smoke detector is of little use if it doesn't have a siren that lets people in the facility it's protecting know when there's danger. Nor would it have any value if it "cried wolf" when there was nothing to worry about.

3. Educate and protect. Organizations that want to shield their users against bad actors need to invest in providing security and scam education to users. Studies suggest that with education, humans can reduce their susceptibility rates to scams by as much as 70%. To further protect humans, businesses may need to build in alerts that let them know when they are about to engage with risky apps, click on questionable links, or get involved in dubious conversations. Access to a threat intelligence feed can also prove useful. The latest information about attacks in the wild will allow security teams to take proactive measures.

4. Be transparent. Had Facebook been up front with users about the fact that every bit of information they share is collected and analyzed for marketing and advertising purposes, then the 87 million users who were fooled may have thought twice before engaging with an app that was collecting personal information. Any organization committed to protecting its users against privacy and trust violations needs to be transparent about its data policies and business model. Users who understand how the businesses they engage with and work for use the data they generate and share will be in a better position to understand what types of online activities and behaviors are potentially harmful.

When it comes to vulnerabilities in the world of technology, our minds tend to focus on hackers exploiting weak computer code in order to gain access to systems and data. While this is certainly one example of how the vulnerability scenario plays out, history has taught us, and Facebook has highlighted, that it isn't the only one. By now, all businesses should be thinking about their human vulnerabilities and taking steps to protect them against scams and attacks that could compromise their personal privacy and lead to costly and embarrassing incidents.

Christy Wyatt, CEO, Dtex Systems. Christy Wyatt is chief executive officer of Dtex Systems and serves as a member of the board. Most recently Christy was chairman, CEO and president of Good Technology, the global leader in mobile security across the Global 2000. During ...

Comments
REISEN1955,
User Rank: Ninja
6/4/2018 | 8:08:39 AM
Don't tell the truth
Consider anything real about you on FB is exposed already --- so change your personal data going forward to be a lie and at least you are covered on that score!!! Doing that tonight.