Layered Security - Human

Security is the protection of something - usually in my field it is an asset. There are many thought processes on security and how many layers it should have - some think 3 and others think 7. The main point is that a single security measure is not enough. There is also the need to determine what needs to be protected, and the protection should not cost more than the asset that is being protected. Cost is not always a dollar amount, which further complicates the problem.


We will start with the weakest layer of security. Humans. I know humans can be good at security, except I think of John Wick. This man can fall out of a building and land on a car and get right back up. I am not saying that it could not happen - I am just saying that the defense weakens each time the asset is attacked. Except John Wick. It really depends on the story line they are going for at the time. I also think of the really amazing executive assistants that I am positive are not getting paid enough for what they are doing. Have you ever tried to get through an executive assistant? (Not physically - just business case wise). That is not going to happen unless they want it to happen. They have some magic powers or something, because they make things happen or make things not happen with a blink of their eye.


So, there are humans that are trying to do good, and MOST humans do not want to be the cause of the security issue in their company. This is usually where things start to go awry. I usually set up training for companies. Not one-and-done annual training. I have never found that helpful. I set up monthly mini sessions along with monthly (multiple) phishing emails. Why? It has to be there all of the time. What is the cost of training versus clicking a phishing email? Glad you asked. You will not like the answer though. The answer is it depends.


Depends on what? What the attacker's goal is. What information was compromised. How long the attack went on. It could be anywhere from $10,000 to over $5 million. Yes, over $5 million from clicking on a link in an email. Sometimes this may not even be covered by insurance - it depends on who the attacker is. If it is a state-sponsored attacker, insurance policies may not cover damages from that type of attack.


I was discussing mitigation strategies and one member of the engineering team made the comment that it might be easier for the high-risk people to simply not check their email. The first reaction was a hard no, until I started thinking about it, and maybe that was not a bad idea at all. How much email was received that did not need to be read at all? Could someone possibly not read email and still communicate effectively throughout the organization? The answer falls back into the "it depends" category, as each team works differently.


So far it seems like humans are not a layer of security at all, BUT actually they are often the best layer at raising the alarm when something is not right. Many times users have said something was off while they were doing something, which led to the discovery of the initial stages of an attack. Technology is not the greatest at determining when something feels off. Humans are definitely good at it - it is usually the explaining part that does not always work out so well.

Humans are also the cybercriminals behind the attacks, which is the other side of the scenario. Sometimes it is the insider threat that no one sees, because everything just gets done until the IT person has had enough of whatever situation they do not like and things stop working. Phishing emails are getting better and better, which makes training users harder and harder. Insider threats are hard to detect in the first place; add a geographically separated workforce along with decreased budgets and it becomes even harder. Attackers no longer just want to see what they can get. Specific data is sought out, and the longer attackers can stay in a system, the better.


I found a keylogger on a laptop that was being used by an employee that had access to sensitive data. How long was it on there? No clue. Logs were not kept. It was found when an anti-malware solution was installed. The employee said their computer started being slow a few months after they got it. When asked if they put in a ticket, the answer was no, because the IT people were busy and the work still got done. I know there are so many red flags in that scenario, but it is common, and no one wants to give their laptop up to IT to take a look around for something that may or may not be causing the slowness.


How do you solve the problems? User enablement, and providing easy access to their credentials and bookmarks when they need to use a loaner laptop. Scanning computers and doing basic cybersecurity goes quite a long way. Are the problems going to go away? No. It is going to make it easier to understand what is going on when users understand what can go wrong and feel like they can ask questions without feeling dumb. I often will ask users what happened right before the issue. Maybe 10% of the time I get an answer. I can increase that to 70-80% if I look at browsing history and remind them.
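The "look at the browsing history and remind them" step above is the part that can be scripted. The following is an added example (not code from the original post or its author): it pulls the visits from a Chrome-style History database in the window just before the time the user says things went wrong, so the analyst has concrete page titles and URLs to jog the user's memory with. To run offline it builds a constructed in-memory SQLite database shaped like a simplified subset of Chrome's `urls`/`visits` tables (Chrome stores `visit_time` as microseconds since 1601-01-01 UTC); the sample URLs, timestamps and the 30-minute window are assumptions for illustration. Against a real machine you would copy the user's History file and open that instead of `build_sample_history()`.

```python
"""Show a user what they were browsing just before a reported problem.

Added example, not from the original post. Uses a constructed, simplified
copy of Chrome's History schema so it runs offline.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds from 1601-01-01 00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_webkit(dt: datetime) -> int:
    """Aware datetime -> Chrome/WebKit microsecond timestamp (exact integer math)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(ts: int) -> datetime:
    """Chrome/WebKit microsecond timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


def build_sample_history() -> sqlite3.Connection:
    """Constructed sample data: a simplified subset of Chrome's urls/visits tables.

    The real History file has many more columns; only the ones the query
    below needs are modelled here (assumption for the example).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER);
        """
    )
    base = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
    rows = [  # (url id, url, title, minutes after 09:00 UTC) - constructed
        (1, "https://intranet.example.test/timesheet", "Timesheet", 0),
        (2, "https://mail.example.test/inbox", "Inbox", 41),
        (3, "http://invoice-portal-login.example.test/view?id=8813", "Invoice", 43),
        (4, "http://invoice-portal-login.example.test/dl/Invoice_8813.zip", "Download", 44),
        (5, "https://docs.example.test/report", "Quarterly report", 120),
    ]
    for url_id, url, title, minutes in rows:
        conn.execute("INSERT INTO urls VALUES (?, ?, ?)", (url_id, url, title))
        conn.execute(
            "INSERT INTO visits (url, visit_time, from_visit) VALUES (?, ?, 0)",
            (url_id, to_webkit(base + timedelta(minutes=minutes))),
        )
    conn.commit()
    return conn


def visits_before(conn: sqlite3.Connection, incident: datetime, window_minutes: int = 30):
    """Return (time, url, title) for visits in the window ending at `incident`, oldest first."""
    start = to_webkit(incident - timedelta(minutes=window_minutes))
    end = to_webkit(incident)
    cur = conn.execute(
        """
        SELECT v.visit_time, u.url, u.title
        FROM visits v JOIN urls u ON u.id = v.url
        WHERE v.visit_time BETWEEN ? AND ?
        ORDER BY v.visit_time
        """,
        (start, end),
    )
    return [(from_webkit(t), url, title) for t, url, title in cur.fetchall()]


def investigate(reported_iso: str, window_minutes: int = 30):
    """Convenience wrapper: sample DB plus the window before an ISO-8601 report time."""
    reported = datetime.fromisoformat(reported_iso)
    if reported.tzinfo is None:
        reported = reported.replace(tzinfo=timezone.utc)  # assume UTC if unqualified
    return visits_before(build_sample_history(), reported, window_minutes)


if __name__ == "__main__":
    # The user says "it got slow sometime before 10"; show the 30 minutes before that.
    for when, url, title in investigate("2024-03-12T10:00:00+00:00"):
        print(f"{when:%H:%M:%S}  {title:<16} {url}")
```

Walking the user through the three hits in that window (inbox, then an "invoice" login page, then a zip download) is usually what turns "I don't remember" into "oh, that email". Pick the window to match how precisely the user can place the moment; widen it if the first pass shows nothing.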


Users are awesome at helping when given the right tools. It is when they are not sure what to do or how to do it that the human security layer becomes more of a risk than an asset.


We will continue down our layered security in an upcoming post.

