Earlier this year Dark Reading published a six-part series, “Cybersecurity and the Human Element: We’re All Fallible,” in which the authors examined common mistakes of end users as well as the potential repercussions of human error. All signs supported their claim that we are indeed all fallible. Human beings are vulnerable to exploitation, but security practitioners already know this, so it’s not really human beings that are the problem. The greater threat is that when attackers succeed through this vector, malware can infiltrate the network and hide completely undetected for months at a time.
The hacking of the individual through phishing attempts is what we’ve already recognized as the third dimension of the risk assessment. It’s not the humans’ vulnerability that poses a problem as much as the assessment’s inability to identify when a human has been compromised. Individuals are often lured into downloading malware that then resides within the organization for weeks, months or even years, yet that malware goes completely undetected in a vulnerability assessment.
In their series, Roselle Safran and Uptal Desai argued that organizations need to empower their employees by “providing end users with training on why cybersecurity is important, and how they can be the ‘human firewall’ who identifies cyberattacks, particularly email-based ones such as phishing/spearphishing attacks.” Certainly there is truth to that, but phishing continues to be largely successful because people are easily duped. Attackers know this, and they take advantage of this easy route in.
Consider the best-case scenario where everything has been patched and there are no vulnerabilities left to exploit. Even under these conditions, attackers still have the phishing vector to work with. Fancy armor doesn’t help. Despite an organization’s best efforts to defend itself and address the entire attack surface, its employees remain an ever-present vector into the network.
The well-trained employee can catch even the most sophisticated phish, but in some cases an attacker has already compromised the environment and is using legitimate (not spoofed) accounts to send phishing emails. An employee who interacts daily with the sender of a fraudulent email knows when something feels suspicious. We need employees to report that. We need to train them, but we also need to recognize that they are human.
Let’s imagine that an employee at a partner organization fell victim to a phishing attack. Malware has infiltrated that partner’s systems, yet it has remained inside for months, completely undetected. As a result, Company A has no idea that Company B has been compromised, and for that matter, neither does Company B.
In a normal business transaction, Company A and Company B have a VPN open between them. Though it was designed as a security tool that creates a secure tunnel between the two partners, that VPN is now a gateway for an attacker. Our CEO and President, Karim Hijazi, likes to compare the VPN in this scenario to a very effective hypodermic needle with a very contaminated syringe on the other side, injecting nasty malware from one organization into the other.
While it’s a visceral image, it’s sadly appropriate. If two companies are directly connected, each has to trust that the other is doing a good job at its security. Historically, that has been the best they could do. But they can do better.
If organizations accept that humans are fallible, then they need to be able to see when and where malware is beaconing throughout their supply chain. It’s not enough to have visibility into your own systems. If an employee at your fourth, fifth or tenth party falls victim to a phishing scam and malware infiltrates their network, that malware will eventually find its way to you, unless you are able to see it beforehand.
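To make “seeing malware beaconing” concrete, here is an added example (not code from this post, from Prevailion, or from any product) of the simplest form of beacon detection a defender can run over their own outbound connection logs: group connections by source host and destination, measure the time between them, and flag pairs whose intervals are suspiciously regular. The log format, hostnames, timestamps and thresholds below are all constructed for the illustration; real proxy, firewall or NetFlow exports will need their own parser, and the thresholds are starting points to tune, not established values.

```python
"""Periodic-beacon detection over outbound connection logs (added illustration)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "<ISO timestamp> <source host> <destination> <bytes sent>"
# wks-07 -> updates.example.org fires every ~300 s with small jitter (beacon-like);
# wks-07 -> cdn.example.net is bursty browsing; wks-12 has too few events to judge.
# All names and values are placeholders invented for this example.
SAMPLE_LOG = """\
2024-01-01T09:00:00 wks-07 updates.example.org 1432
2024-01-01T09:00:12 wks-07 cdn.example.net 58211
2024-01-01T09:02:40 wks-07 cdn.example.net 7720
2024-01-01T09:05:01 wks-07 updates.example.org 1440
2024-01-01T09:09:59 wks-07 updates.example.org 1436
2024-01-01T09:11:05 wks-07 cdn.example.net 120033
2024-01-01T09:11:20 wks-07 cdn.example.net 4410
2024-01-01T09:12:30 wks-12 mail.example.com 9002
2024-01-01T09:15:02 wks-07 updates.example.org 1432
2024-01-01T09:19:58 wks-07 updates.example.org 1439
2024-01-01T09:25:00 wks-07 updates.example.org 1435
2024-01-01T09:30:03 wks-07 updates.example.org 1441
2024-01-01T09:30:44 wks-07 cdn.example.net 66109
2024-01-01T09:34:57 wks-07 updates.example.org 1433
2024-01-01T09:41:10 wks-12 mail.example.com 12877
2024-01-01T09:55:02 wks-12 mail.example.com 8760
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose inter-connection timing is regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between successive connections; a low value means the host keeps calling
    the same destination on a near-fixed schedule, which is how most implants
    check in with their command-and-control.  min_connections avoids scoring pairs
    with too little history; max_cv is the jitter tolerance (thresholds are arbitrary).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()  # logs are not guaranteed to arrive in order
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            hits[pair] = {
                "count": len(events),
                "mean_interval": avg_gap,
                "cv": cv,
                "mean_bytes": mean(size for _, size in events),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"every {stats['mean_interval']:.0f}s (cv={stats['cv']:.3f}), "
              f"~{stats['mean_bytes']:.0f} bytes each")
```

Legitimate software (update checks, telemetry, monitoring agents) beacons on a schedule too, so a hit is a triage lead rather than a verdict: the destination’s reputation, the small and nearly constant payload size, and whether the host has any business reason to talk to that destination decide what it means. The supply-chain point in the post is that this same view is needed for partner hosts on the other side of a VPN, where your own logs do not reach.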