Battling cyber security’s human condition
There is no silver bullet when it comes to cyber security. Organizations with multi-million dollar IT budgets still make headlines for being successfully breached, and even government intelligence organizations can’t keep their hacking tools secret despite having some of the strongest protections and strictest policies on the planet. While providers of software solutions, apps and services, and hardware can deliver quality security solutions, the difference between stopping a breach and falling victim to one often comes down to human oversight.
Unfortunately, technical security protections are often easily undermined by social engineering and human error. In fact, according to CompTIA’s 2016 International Trends in Cybersecurity report, 58 percent of security breaches are caused by human error, versus 42 percent caused by technology error. For example, look at Sony Pictures’ catastrophic data breach, where the company lost employee personal information, emails, and even copies of un-released films. When the dust finally settled around this attack, evidence suggested that the intruders began with credentials harvested from spear-phishing campaigns that deceived employees.
Sometimes attackers don’t even need to trick employees into giving up their credentials; they can just guess an over-simplified password. According to Verizon, 63 percent of all intrusions involve stolen, weak, default or easily guessed credentials.
If human error plays such a big role in protecting a network, what are some of the security best practices that organizations should teach to employees? Let’s examine two primary areas, password protection and recognizing phishing attacks.
Why are weak credentials such a critical factor in data breaches? Because when people are given the choice between security and convenience, they often opt for convenience. Password reuse is a prime example of this. The 2012 Dropbox data breach succeeded because a Dropbox employee used the same password for his corporate account and his personal LinkedIn account, which was compromised during the LinkedIn breach earlier that year. Common password policies include using a range of alpha-numeric and special characters, and requiring employees to change passwords every few months. Recent password dumps have shown however, that employees instead opt to just change a single character in their password when asked to update or reset it.
One could make the argument that relaxing certain policies and protections could increase password security, if done in the proper context. The U.S. National Institute of Standards and Technology (NIST) recently released a draft of its upcoming digital identity guidelines document. In it, they recommend against password composition rules that require complex, hard-to-remember passwords. Instead, they encourage companies to have employees use longer, more easily remembered passphrases, such TelevisionBrainsHurtEverything or SometimesDoggyOthersChair.
Organizations should also encourage the use of password managers, as they solve the problem of both password reuse and password complexity. While they do have the drawback of allowing all accounts to effectively become unlocked by a single master password, users are much more likely to create and remember a single highly-complex password, such as Min97$XP19*244, rather than multiple complex passwords for each individual service.
Improvements that will benefit users are being made on the technical side as well. For example, the Wi-Fi Alliance, which oversees the “Wi-Fi Certified” designation for wireless devices, recently launched the Wi-Fi Passpoint standard that improves both usability and security on public Wi-Fi hotspots for connecting clients. Instead of unencrypted (open) hotspots or entering a shared key, the Wi-Fi Passpoint program enables hotspot users to create a single Wi-Fi Passpoint account. People use this single account, saved on their mobile device, to automatically connect to any Wi-Fi Passpoint hotspot protected by WPA2 Enterprise security.
Phishing emails also rely on human error to function, so organizations need to train their employees to make better security decisions. Teaching your employees how to spot a phishing attack could be the difference between enjoying your weekend, or spending it restoring backups after a ransomware infection.
Being suspicious of unsolicited emails is step one towards spotting a phishing attack. Phishing emails are designed to look like a legitimate message, whether it be a notice to reset your Apple.com password or a shipment tracking confirmation with a zip file containing malware attached. Most phishing emails have one very common trait; they are unexpected. If you didn’t request your apple.com password be reset, chances are that password reset email is fake. If you haven’t ordered anything from an online store recently, that shipment tracking info is bogus.
The most successful phishing attacks are surprisingly convincing, spoofing the typical format of a legitimate website or email. However, one thing phishing attacks cannot do is use the legitimate URL of the website they are mimicking (outside of very specific cases). Always treat any web links you receive in email messages as suspicious, and double check that the URL matches the intended site. Instead of clicking links in the email, browse directly to the organization’s website and find the desired page.
Cyber criminals usually go for the weakest link when looking to infiltrate a network. More often than not, that link is a human. That means organizations need to be diligent when educating and creating policies for their employees. Finding a balance between hardcore “NSA-level” security and usable security is key. Providing phishing education, requiring password managers and encouraging employees to use longer passphrases will help your organization fight the cyber security human condition, and improve your overall security posture.