With an increase in the number of security threats, IT security professionals need to rethink how ‘the human point’ could impact the safety of their data.
Critical data is everywhere: stratified in private and public clouds, on removable media, on mobile devices and, all too often, alongside personal data on employee devices. Yet many security professionals can’t see how and where data is used as it sprawls across company-owned, employee-owned and hosted applications.
This isn’t that surprising when you consider the scale of the challenge. The average organization has around 23,000 mobile devices (including personally owned ones) in use by employees, while a study from Tech Pro Research found that 75% of companies either already allow employees to bring their own devices or have plans to integrate a Bring Your Own Device policy in the near future.
Regardless of how attacks originate, they ultimately inflict the most damage at the points at which people interact with critical business data and intellectual property. These ‘human points’ of interaction have the potential to undermine even the most comprehensively designed systems in a single malicious or unintentional act.
For this reason, we believe the approach to security the industry has relied upon for years, centered on protecting technology infrastructure, needs to evolve. For too long, the industry has been in a cycle of developing products that simply cannot keep pace with the emergence of new threats.
The difference we are suggesting is to focus on the constant – the people. By examining how people interact with critical business data and IP, and understanding how and why these interactions occur, we believe security professionals will be better able to manage how and why people create risk. Risk itself is not constant, and by looking at the reasons behind a breach – accidental or malicious – security teams can better tackle the challenges facing their organizations.
Human point of weakness
To put this in wider context, one third of organizations have suffered from an insider-caused breach, with potential losses from each incident totaling more than $5m, according to the SANS Institute. What’s more, the Verizon 2017 Data Breach Investigations Report revealed that over 43% of data breaches this year have been social attacks.
This means that they were all focused on exploiting the human point of weakness in an organization’s security defenses. These attacks deploy a social incentive for employees to open emails, with varying levels of research. Some are general, such as a recent attack that looked like it came from a large mobile phone operator, warning people they had incurred a massive bill. Others are more targeted, with specific individuals singled out based on their membership of a hacked website database, or even on information gleaned from social media accounts.
But is relying on existing technology solutions enough to prevent and stop these attacks? Think of the cyber security industry in the context of a technology arms race, whereby a new threat is revealed, a new patch / tool / update is released to deal with it and the cycle repeats. Cyber security investment continues to rise, but so does the volume of threats.
We recently surveyed over 1,250 cyber security professionals worldwide to ask them about the state of the sector and the changes that need to be made. The resulting research, The Human Point: An Intersection of Behaviors, Intent & Data, discovered that most experts do not hold high hopes that more cyber security tools will improve security. Instead, an overwhelming majority of respondents felt that understanding the behaviors of people as they interact with IP and other data was the path to success.
In other words, to determine the underlying cause of security incidents (e.g. data theft or intellectual property loss) and prevent them from occurring again in the future, security professionals must look at the intent behind people’s actions.
Category of risk
Insiders typically fit into three groups along a spectrum that we call ‘the continuum of intent’, which categorizes users as accidental, compromised or malicious. However, it’s important to note that people can move in and out of these categories depending on a number of factors, so examining their typical behaviors is also crucial.
Accidental insiders are those individuals who make honest and unintentional mistakes, inadvertently exposing the organization to data theft. This could be down to a lack of training, a lack of awareness of processes, or negligence. Indeed, Forcepoint’s Insider Threat European Survey revealed that 41% of UK employees are not receiving data protection training.
Meanwhile, compromised insiders are those users with access to networks whose credentials have been stolen and used by a hacker to misuse the system to their own ends. It was this approach that caused much of the damage in the case of the Petya outbreak in June 2017.
Administrative credentials were obtained through the use of built-in credential-stealing code, resulting in the malicious activity effectively blending into the background noise of a big network, thereby allowing the attackers to maximize their dwell time on networks.
Lastly, there are malicious insiders. This group includes individuals who have both knowledge of and access to vital company networks, as well as the intent to cause harm. Forcepoint’s Insider Threat European Survey also revealed that 29% of European employees have purposefully sent unauthorized information to a third party.
The key is for organizations to implement intelligent, integrated security solutions that provide visibility into user behavior, coupled with robust cyber security programs. These systems should be capable of observing behavior and interpreting intent in order to proactively protect users, critical data and, most importantly, the point at which they intersect. It is only by understanding the intent behind a user’s actions that we can recognize the difference between good and bad cyber behaviors.
Author: Neil Thacker, CISSP, CEH & OPST, is Deputy CISO at Forcepoint. Neil holds 18 years’ experience in the Information Security industry with 10 years’ financial services experience in the insurance and banking arena. Neil is a member of the ENISA Threat Landscape stakeholder group where he contributes to the EU agency program alongside CERTs to position the threat landscape, offer mitigation advice and threat analysis innovation. Neil is also co-founder of the Security Advisor Alliance, a not-for-profit organization formed to help security leaders in their role and offer advice and tools to move towards improved risk and data-centric strategies.