Human Fallibility: A Threat that Flows Through Your Entire Downline

Image of phishing concept between hands of a man in background
25 June 2020

Earlier this year Dark Reading published a six part series, “Cybersecurity and the Human Element: We’re All Fallible,” in which the authors examined common mistakes of end users as well as the potential repercussions of human error. All signs supported their claim that we are indeed all fallible. Human beings are vulnerable to exploitation, but security practitioners know this. Thus, it’s not really human beings that are the problem. The greater threat is that when attackers are successful through this vector, malware can infiltrate the network and hide out completely undetected for months at a time. 

The hacking of the individual through phishing attempts is what we’ve already recognized as the third dimension of the risk assessment. It’s not the humans’ vulnerability that poses a problem as much as the assessment’s inability to identify when a human has been compromised. Individuals are often lured into downloading malware that then resides within the organization for weeks, months or even years, yet that malware goes completely undetected in a vulnerability assessment. 

Power to the People?

In their series, Roselle Safran and Uptal Desai argued that organizations need to empower their employees by, “providing end users with training on why cybersecurity is important, and how they can be the “human firewall” who identifies cyberattacks, particularly email-based ones such as phishing/spearphishing attacks.” Certainly there is truth to that, but phishing continues to be largely successful because people are easily duped. Attackers know this, and they take advantage of this easy route in. 

Consider the reality of a best case scenario where everything has been patched and there are no vulnerabilities to be exploited. Even in these conditions, attackers still have the phishing vectors to work with. Fancy armor doesn’t help. Despite an organization’s best efforts to defend itself and deal with the entire attack surface, the employees are essentially an absolute vector into the network. 

The well-trained employee can catch even the most sophisticated phish, but in some cases, an attacker has already compromised the environment and is using legitimate–not spoofed–accounts to send phishing emails. An employee, who engages in those daily human interactions with the sender of a fraudulent email knows when something feels suspicious. We need employees to report that. We need to train them, but we also need to recognize that they are human. 

A Tangled Web of Fallible Humans

Let’s imagine that an employee at a partner organization fell victim to a phishing attack. Malware has infiltrated the system, yet it has remained inside for months completely undetected. As a result, Company A has no idea that Company B has been compromised–nor does Company B know that it’s been compromised for that matter. 

In a normal business transaction, Company A and Company B have a VPN open. Though it was designed to be a security tool that creates a secure tunnel between the two partners, that VPN is now a gateway for an attacker. Our CEO and President, Karim Hijazi, likes to compare the VPN in this scenario to a very effective hypodermic needle with a very contaminated syringe on the other side injecting nasty malware from one organization to another. 

While it’s a visceral image, it’s sadly appropriate. If two companies are directly connected to each other, one has to believe the other is doing a good job at their security. That’s historically been the best that they can do. But, they can do better.

If organizations accept that humans are fallible, then they need to be able to see when and where malware is beaconing throughout their supply chain. It’s not enough to have visibility into your own systems. If an employee in your fourth or fifth or tenth party falls victim to a phishing scam and malware infiltrates their network, that malware will eventually find its way to you–unless you are able to see it beforehand. 

The Latest

Prevailion CEO, Karim Hijazi – Cheddar News- FCC commissioner calls on Apple and Google to ban TikTok app

A member of the FCC renewed urgency calls on Apple and Google to remove TikTok from their app stores, raising concerns that TikTok’s Chinese-based parent company is collecting user data that is being accessed in China.

IRONSCALES Cyber Security Heroes: The New Cyber Era Post Ukraine Invasion

What Wicked Webs We Un-weave

What Wicked Webs We Un-weave: Wizard Spider once again proving it isn’t you, it isn’t me; we search for things that you can’t see Authored by: Matt Stafford and Sherman Smith Executive summary: In late January 2022, Prevailion’s Adversarial Counterintelligence Team (PACT) identified extensive phishing activity designed to harvest credentials for Naver. Naver is a […]

Copyright 2023 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.