It’s Not a User Problem; It’s a Cybersecurity People Problem

The biggest cybersecurity threats all have one thing in common: Users.

Ransomware attacks. Misconfigurations. Insecure credentials. Phishing scams. Vulnerabilities due to unpatched or outdated software. All of these threats can be traced back to poor user behaviors.

There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?

In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions, and Tracy Celaya-Brown, president of Go Consulting International, said the user problem is really a cybersecurity people problem.

“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.

A Failure of Leadership

One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.

“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”

New School Safety Science

It’s time to look at the user as just one part of the entire system, said Celaya-Brown. “It’s our responsibility in cybersecurity to look at all the enabling factors.” For instance, the cybersecurity team should know why the user was in the system in the first place, how the user gained proximity to the incident and why the damage actually happened. Environment plays a big role in cybersecurity failures. More often than not, it is an issue within the network environment that ends up causing the user to do something wrong.

Yes, some user issues can be prevented, for example by improving security awareness, but you can only do so much to enforce good security practices once users have that knowledge. And then there are malicious insiders who purposely break all the rules.

Overall, Winkler said, the user should never be the last line of defense because you don’t want to leave your cybersecurity program at the mercy of a malicious user.

“Users don’t cause loss,” said Winkler. “The user can initiate loss, but can’t cause it.”

When a user is in the position of possibly initiating a problem, you want to create a better user experience and provide awareness to avoid initiating a loss, Winkler and Celaya-Brown said. The solution is to engineer the user out of the process, or at least filter out an attack. The goal is to anticipate the potential cybersecurity incident caused by a user and deploy detection and reaction tools to avoid data loss.

In security awareness training, users are instructed to be on the lookout for a hacker. And that’s not a fair fight. If an attacker wants to socially engineer an attack, they’ll go after a low-level user who will struggle to tell the difference between a legitimate and malicious email message. Instead, the user should be taught to follow smart business practices. Rather than having users take on the responsibility of sharing PII—even their own—sharing it should be a permission that must be authorized by someone else higher in the management chain.

Let a cybersecurity professional determine if an email is legitimate or if it is a hacking attempt. Or, eliminate the user problem by turning it into a cybersecurity problem. It won’t cut down on the attacks you face, but it will allow you to better manage the human engineering aspect of cybersecurity.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
