Understanding Human Vulnerabilities & Threats
A staggering number of companies were victims of data breaches this past year: forty-three percent of organizations reported some type of breach. How many more were breached and did not know it?
In today's heightened threat landscape, eliminating a threat entirely is not realistic; it can only be reduced. Training personnel to apply security measures in every aspect of conducting business is a necessary part of that reduction. In the chain of information security it is usually the human, not the system, that is the "weak link."
What are those threats?
There are many threats to organizational computers and the networks they are attached to, and the majority of them need some form of human interaction to succeed. What are the goals of these attacks? The principal purpose is to gain access and gather as much information as possible by exploiting known human weaknesses.
Phishing is the use of fraudulent emails, or of web addresses that look like legitimate ones, to induce a person to respond, click, or enter credentials so that data can be gathered for malicious or illegal use. It is one of the most common ways an intrusion begins. Everyone has been the target of a phishing email at one time or another. The question is whether the user recognized it as a phishing attempt.
There are generally two purposes for a phishing attempt: to obtain information directly (credentials, for example) or to introduce malware into the system. Some malware acts immediately, but the more dangerous kind runs quietly, and users will not even realize it is there.
Three common variants of phishing are:
- Smishing: uses an SMS text message instead of email to get a response, either by calling a number or following a link.
- Spear phishing: targets a specific person or group. The perpetrator usually already has a good amount of information on the target (names, roles, projects, vendors) and uses it to make the message convincing and to gather information on others in the group.
- Whaling: spear phishing aimed at a high-value target, usually an executive, whose account or authority is worth far more to the attacker than an ordinary user's.
The most effective way to counter phishing attacks is personnel training; educated employees are the first line of defense. Teach staff members, and everyone else who uses the network, to recognize the cues and triggers these attacks rely on: unexpected urgency, requests for credentials or payment, and sender addresses or links that do not match the organization they claim to be from. Additionally, everyone should have a direct line to the security team and should use it as soon as something looks wrong. The sooner a threat is identified and contained, the less damage it can do.
How to Work Safely from Remote Locations
The internet has made the world our workplace. Coffee shops and small diners make it easy to take our work along while we enjoy a coffee or a meal. Nevertheless, public Wi-Fi is about as insecure as it gets. It is too easy for an attacker to set up a rogue access point that mirrors the real one, name and all, and capture whatever passes through it. Additionally, it is too easy to let down your guard in these places. Most of us use the same coffee shop or local diner frequently and know everyone there, from the server to the cook, and even the janitor.
Here are some things to keep in mind:
- Always check the name of the Wi-Fi connection: is it Starbucks or Starbuks? A subtle difference is easy to accept as the real thing. Bear in mind that a rogue access point can also use the exact name, so a matching name is not proof; treat any public network as untrusted.
- Sit with your back to a wall so that your screen faces away from the room and cannot be read over your shoulder.
- Never leave a laptop, tablet, or phone on the table while using the restroom. Even though the surroundings feel secure because it is familiar, it only takes a second for a laptop to disappear.
- Avoid sending company email or connecting to the company's servers over public Wi-Fi; save it to send from home or over a trusted connection. This may seem inconvenient, but so is a cyber-intrusion on the company network.
- Keep all security software up to date, with the firewall enabled and AV and anti-malware running, and install operating system patches promptly.
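The same lookalike trick appears twice above: a web address that resembles a legitimate one in a phishing email, and a Wi-Fi name such as Starbuks standing in for Starbucks. The following Python script is an added example, not part of the original article, that applies one lookalike check to both. The trusted lists, the sample hostnames and network names, and the homoglyph table are constructed for this example; the "last two labels" rule for the registrable domain is a deliberate simplification, and production code should use the Public Suffix List instead.

```python
from __future__ import annotations
import unicodedata

# Visual substitutions commonly seen in lookalike names. Constructed for
# this example, not an exhaustive table.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",                 # multi-character tricks
    "0": "o", "1": "l", "3": "e", "5": "s",          # digits standing in for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o",     # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",     # Cyrillic r, s, h
}

def normalize(name: str) -> str:
    """Fold case, strip accents, and collapse known homoglyphs so that
    'PayPa1' and 'p\u0430ypal' (Cyrillic a) both become 'paypal'."""
    text = unicodedata.normalize("NFKD", name.casefold())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Longest substitutions first so 'rn' becomes 'm' before single characters.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(src, dst)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit costs for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, trusted: list[str], max_distance: int = 1) -> tuple[str, str | None]:
    """Classify one name as 'trusted', 'lookalike' or 'unknown'.

    Returns (verdict, trusted_name_it_resembles). A name that only matches
    after homoglyph folding, or differs by a trailing space or one character,
    is a lookalike, never a trusted name."""
    if name.casefold() in {t.casefold() for t in trusted}:
        return "trusted", name
    folded = normalize(name)
    best: tuple[int, str] | None = None
    for t in trusted:
        d = edit_distance(folded, normalize(t))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return ("lookalike", best[1]) if best else ("unknown", None)

def check_host(host: str, trusted_domains: list[str]) -> tuple[str, str | None]:
    """Classify the hostname taken from a link.

    Decodes punycode (xn--) labels so IDN homoglyphs are compared as the
    characters a user would see, compares the registrable part (naively the
    last two labels; real code should consult the Public Suffix List), and
    flags a trusted domain planted as a subdomain of some other host."""
    host = host.casefold().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed; compare as given
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    verdict, match = classify(registrable, trusted_domains)
    if verdict == "unknown":
        for t in trusted_domains:
            if f".{t.casefold()}." in f".{host}.":
                return "lookalike", t  # e.g. paypal.com.evil.net
    return verdict, match

if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    trusted_ssids = ["Starbucks"]
    for ssid in ["Starbucks", "Starbuks", "5tarbucks", "Starbucks ", "CoffeeShop_Guest"]:
        print(f"SSID {ssid!r:20} -> {classify(ssid, trusted_ssids)}")
    trusted_domains = ["paypal.com"]
    idn_host = "p\u0430ypal.com".encode("idna").decode("ascii")  # punycode form
    for host in ["login.paypal.com", "paypa1.com", "paypal.com.evil.net", idn_host, "example.org"]:
        print(f"host {host!r:28} -> {check_host(host, trusted_domains)}")
```

The verdict is deliberately three-valued: "unknown" is not "safe", it only means the name does not resemble anything on the trusted list, which is exactly the case a user should still treat with suspicion on a public network or in an unexpected email.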
How to Safely Use Instant Messenger & Email
Instant messaging and email platforms let users reach out almost effortlessly and communicate globally in seconds. That benefit holds only when they are used appropriately. Treat an online exchange as you would a conversation that must stay confidential, and remember that once it is written down and sent it is no longer private; it is a matter of record. When you send an email or instant message (IM) it is, for all intents and purposes, written in ink. Even if you delete it, a copy is still on someone's server, somewhere.
Because of that permanent nature, never send private information by IM or email. It may seem safe, but attacks happen every day. Never put credit card numbers, bank account numbers, social security numbers, or usernames and passwords in an email or IM. Take the time; make a call. Leaving that kind of information in a mailbox can be financially disastrous: an attacker who gains access to the account or to the mail server can read everything stored there.
Keep these protocols in mind for drafting an email:
- Never include harassment, threats, or improper conversation in an email or IM. Also avoid contentious topics such as religion, politics, or sex; they are easily taken as offensive or harassing.
- Do not forward any email that contains any of the above. It is like repeating a rumor; it is simply in bad taste.
- Do not expose other people's addresses in a mass email. Sending a message with everyone's address in the To or Cc field is the same as handing out each person's email address without asking their permission. If you must send to multiple recipients, use the Bcc field so that each recipient sees only their own address.
What is Social Engineering?
Social engineers make a living by studying the social behavior of others, learning their vulnerabilities and exploiting them to achieve an agenda. They are the pizza or sandwich delivery person who is just walking around the office. They are the person you held the door for because they were right behind you, even though an access card is needed to get in and you did not check whether they had one. They are "John from IT" who calls for your login to fix the bug everyone has been complaining about since yesterday.
Asking the tough questions will help reduce human vulnerabilities. Why does someone from IT need my login? Legitimate IT staff do not need a user's password to fix anything. Why was the pizza person hovering over that unoccupied desk? Sir, do you have an access card?
How to Use Training to Reduce Human Vulnerabilities
A strong security policy coupled with cyber-security training will provide awareness of the threat and awareness is a valuable weapon in the fight against cyber-attacks.
The three tenets of a good training program are:
- Security Language: It starts with asking the tough questions and builds on that with a common vocabulary, so that everyone can name the risky habits that allow access to the systems where valuable information is stored, and refuse to tolerate them.
- Legal Compliance: Many organizations, particularly those that handle sensitive information, must comply with security standards such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). Security must be as integral a part of operations in every organization as it is in those. Protection of information must be a priority made part of the routine, yet it can never become routine.
- Behavioral Change by Design: Times are changing and behavior must change with the times. Holding the door for someone is still a good deed, but the better deed for everyone is to verify his or her right to access. There are three components to behavior change:
- Ability to change, knowing what needs to change
- Motivation to change, wanting to make the change
- Performing the change, putting knowledge, ability, and motivation together to perform the change.
Awareness of human vulnerabilities while conducting business online is crucial to protecting systems from attacks and intrusions aimed at private or sensitive information. Installing security hardware and software is never going to be enough, just as using an access card to gain entry does no good when someone holds the door open for an intruder. Changing the mind-set of staff members and all employees is imperative to reducing vulnerability to cyber-attacks.
The Senior Partner of CourseVector, Mike Vandling, has a considerable background in information technology and IT security and has instilled that philosophy across the company. In his duties at the Pennsylvania State Association of Boroughs (PSAB), he sets up and enforces IT compliance and security. CourseVector is a company you can depend on to provide trusted servers and hosting at a very reasonable price. Once again, the security of those servers is only beneficial when they are used appropriately. Security begins with the user. If you have any questions or would like further information about cyber-security training, contact Mike.