The security perimeter needs to use one of its most crucial resources: human sensors

Security Manager George Grachis discusses the current cyber threat landscape and why human sensors, our users, are our most underutilized resource that can make all the difference.

I first wrote this article back in March of 2014.

It was 2010, and the featured speaker at the monthly ISSA meeting was Major Gen. Dale Meyerrose, VP of Harris information assurance at the time. Dale asked if we should teach being a responsible cyber citizen in our schools. Back then I had just started working in a large public school district that had never before had an information security analyst. I had lots to share about information security and lots more to learn about educating users in the business of education!

I think this is a very appropriate term. So how long have you been a responsible cyber citizen? Where did you learn to become one? We all learned how to drive a car and hopefully we are responsible drivers; at least there is training and a test for drivers of automobiles. What about being a responsible cyber citizen? There is no official curriculum in our schools for it. Can you actually cause your country and yourself significant monetary losses or worse, just by not being aware of the dangers that lurk on the internet? The point is, over time malware has become quite sophisticated: what started as a prank in the 1980s is now a multi-billion dollar cyber-crime industry.

Well that was back in 2010. So what's changed since then? Unfortunately not much! Yes we have new and better technology that keeps getting exploited. Microsoft, Adobe, Apple and now Android are slinging out patch after patch. Attacks still include hacktivism, cyber espionage, cyber-crime, and cyber warfare. Oh, now we have more ransomware; it surged in Q2 of 2013. Contrasting more of the 2010 Verizon data breach report to the latest, you will see that over 80 percent of attacks were not highly difficult. Verizon also states in the 2012 report, regarding Human Sensors: "once again, end users represent the most effective means of detecting a breach internally." 

Well I wrote all that back in 2014. So over three years later what’s really changed? We still have the patching madness from Microsoft, Apple, Android and others. Now we have added IoT, and the extreme growth in the cloud. According to Forbes' Roundup of Cloud Computing Forecasts 2017, released on April 29, 2017:

At this point in part one of this series I showed some actual spam emails that were caught by our human sensor; yes, that's where you come in. Because no matter how great or new the technology we employ, at the end of the day it's a human who either acts correctly or incorrectly in response to social engineering attempts directed at us in any internet-facing application. So what's the common denominator to challenge all this ever-changing technology? Humans! We are the human sensors and we are installing, operating and utilizing all of this technology every day. We are most often the weakest link.

The 2017 Verizon Data Breach Investigations Report continues to illustrate this fact. 66 percent of malware was installed via malicious email attachments. The majority of phishing attacks – 95 percent – followed the process of phishing techniques being linked to software installation on a user's device. Overall, 43 percent of data breaches utilized phishing.

Symantec reported the following in its 2017 Internet Security Threat Report.

“Malicious emails were the weapon of choice for a wide range of cyber attacks during 2016, used by everyone from state sponsored cyber espionage groups to mass-mailing ransomware gangs. One in 131 emails sent were malicious, the highest rate in five years. Email’s renewed popularity has been driven by several factors. It is a proven attack channel. It doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials. Spear-phishing emails, such as spoofed emails instructing targets to reset their Gmail password, were used in the US election attacks”

As it turns out the 2017 data still supports the fact that many data breaches are tied to the human element and will always be.

Key challenges from 2014 that have not changed!

  • Information security can no longer prevent advanced targeted attacks.
  • IT will not own the majority of user devices or services that users consume, e.g., cloud computing!
  • Too much information security spending has focused on the prevention of attacks and not enough has gone into security monitoring and response capabilities. There is no magic bullet for this issue!
  • Individual enterprises will not be able to defend themselves without the collective sharing of threat and attacker intelligence.

Recommendations

  • Begin a project now to understand where sensitive information is created, moved, transformed, stored and archived in your enterprise. Use this to prioritize investments. What is your business sector's sensitive information? PII? Confidential? Secret? PHI? Intellectual Property? PCI DSS?
  • Architect for pervasive monitoring. Budget for increased monitoring each year for the next five years, expanding the depth and breadth of monitoring technologies.
  • Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.
  • Favor security solution providers with a broad view across large numbers of enterprises to provide visibility of threats and attackers.
  • I highly recommend Ira Winkler’s book “Advanced Persistent Security.” It’s the appropriate response to counter advanced persistent cyber threats. Let’s face it: cyber criminals are state sponsored, and they are well funded, very organized and skilled. We can’t just keep working in silos and pretend it’s not going to happen to us. We must gather threat intelligence and apply it in a strategic and meaningful way to counter the relentless onslaught of global cyber-attacks!

As I mentioned in part one of this article, Gartner at that time predicted that prevention is futile in 2020. I stated that this fact applies right now, and that was in 2014! It still applies even more so now in 2017. We must continue to work towards 100% compliance every day, not just when we expect an auditor to show up. As NIST has previously stated, “Compliance is not about adhering to static checklist or generating unnecessary FISMA reporting paperwork, rather compliance necessitates organizations executing due diligence with regard to information security and risk management.”

So back to our users, the new security perimeter. Reach out to them in a monthly newsletter, and cover topics in a web-based format with interactive videos and one single topic like phishing, mobile malware, or data privacy. US-CERT has an excellent area for cyber security tips. Remember that your company likely has a cross section of employees from boomers to millennials, and they all learn in different ways. The millennial group will really appreciate any type of interactive learning and videos and, yes, even games. OnGuardOnline at https://www.ftc.gov/news-events/audio-video/consumers/onguard-online and YouTube have some great videos and games that cover cyber security. Be creative and show a passion for cyber security; this will help get users excited about learning about it. Make it personal: tell them this is not just applicable to work, it's applicable to you and your family's daily life. Also use gamification, as often mentioned by my colleague Ira Winkler. He puts it like this: Gamification is a way to reward people for exhibiting a desired behavior. It is not merely creating a game for people to play, nor making training a game.

One size does not fit all. Make sure to review the latest cyber news regarding our current threat landscape from CSO Online and other great online resources. Share them weekly with your IT department. How about our executives? Yes, carefully include them in select cyber issues that you know should matter to them and your business. Finally, make sure you are covering security awareness for all new hires. Remember, it's not just IT security anymore, it's information assurance that impacts the business and the bottom line. Compliance helps win contracts and keep them, but it's not the same thing as being secure; being secure is all about proactive security measures and pervasive monitoring and involvement of every user. As I once stated in my interview in Fortune magazine back in 2014, “How Home Depot CEO Frank Blake kept his legacy from being hacked”: “But Grachis says the only path is to shift from complying with broad security standards, which are already out of date, to assuming that hackers are already in your system and enhancing the monitoring technologies that will find them more quickly. ‘Compliance is backward-looking and static,’ Grachis says. ‘Security is forward-looking, dynamic, and intelligent.’”

Finally, our most important asset is always our people; I just hope you don't mind being called Human Sensors, the new security perimeter. Finally, here is my security motto: Users need to know that no matter what physical and technological devices are in place, ultimately it is user knowledge and action that will achieve the utmost security for you. I made this statement in 2007 and it still applies.

So the bottom line here is just what you would expect: you can change technology every day, but in the end humans operate and use it and are the most important part of any business or technology solution. So not much has changed since 2014 concerning cyber security and data breaches. Human Sensors: you are still the most important element and you will always be! Nothing will ever be more important than you!

This article is published as part of the IDG Contributor Network.