This week, we welcome Daniel DeCloss, President and CEO of PlexTrac, to talk about what makes an excellent pentest report! In our second segment, we talk Security News, how hackers can hijack your local airport, Baltimore to buy $20M in cyber insurance months after the attack, a dangerous Kubernetes bug that allows authentication bypass-DoS, and using machine learning to detect IP hijacking! In our final segment, we air a pre-recorded interview with Peter Kruse, Co-Founder of the CSIS Security Group, discussing Cybercrime, Threat Hunting, and spear-phishing attacks!
Show Notes: https://wiki.securityweekly.com/PSWEpisode623
To learn more about PlexTrac, visit: https://securityweekly.com/plextrac
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, In our first segment, we talk Enterprise News, discussing how Okta is launching offerings for threat detection and remediation, Tenable extends Lumin to all platform customers, Signal Sciences announces integration with Pivotal Container Service, and how Thoma Bravo made a 3.9 Billion dollar offer to acquire Sophos! In our second segment, we talk about Tactics for Understanding Security Vendor Products! In our final segment, we air three pre-recorded interviews from Hacker Halted with Cathy Ullman, Joe Gray, and Jenny Radcliffe!
Show Notes: https://wiki.securityweekly.com/ES_Episode157
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Autumn is the “hacking season,” when hackers work to exploit newly-disclosed vulnerabilities before customers can install patches. This cycle gives hackers a clear advantage and it’s time for a paradigm shift.
Each year, when the leaves start changing color you know the world of cybersecurity is starting to heat up.
This is because the cyber industry holds its two flagship events — DEFCON and BlackHat —over the same week in Las Vegas in late Summer. Something akin to having the Winter and Summer Olympics back-to-back in the same week, these events and other similar ones present priceless opportunities for the world’s most talented hackers to show their chops and reveal new vulnerabilities they’ve uncovered.
It also means that each Fall there’s a mad race against time as customers need to patch these newly revealed vulnerabilities before hackers can pull off major attacks — with mixed results.
A good example began in August, after researchers from Devcore revealed vulnerabilities in enterprise VPN products during a briefing they held at BlackHat entitled “Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs.”
The researchers also published technical details and proof-of-concept code of the vulnerabilities in a blog post two days after the briefing. Weaponized code for exploits is also widely available online, including on GitHub.
News of the vulnerability rang out like a starter pistol, sending hackers sprinting to attack two enterprise VPN products in use by hundreds of thousands of customers — Pulse Secure VPN and Fortinet FortiGate VPN.
In both cases, White Hat hackers discovered the flaws months earlier and disclosed them confidentiality to the manufacturer, giving them the time and details needed to issue the necessary patches. Both Pulse Secure and Fortinet instructed customers to install the patches, but months later there were still more than 14,500 that had not been patched, according to a report in Bad Packets — and the number could be even higher.
Being that these are enterprise products, they are in use in some of the most sensitive systems, including military networks, state and local government agencies, health care institutions, and major financial bodies. And while these organizations tend to have trained security personnel in place to apply patches and mitigate threats, they tend to be far less nimble than hackers, who can seize a single device and use it to access devices across an entire network, with devastating consequences.
The potential for these attacks is vast, considering the sheer volume of targets. This was again demonstrated in the case of the “URGENT/11” zero-day vulnerabilities exposed by Armis in late July. The vulnerabilities affect the VxWorks OS used by more than 2 billion devices worldwide and include six critical vulnerabilities that can enable remote code execution attacks. Chances are that attackers are already on the move looking for lucrative targets to hit.
This is how it plays out — talented White Hat hackers sniff out security flaws and confidentially inform manufacturers, who then scramble to issue patches and inform users before hackers can pounce. And while manufacturers face the impossible odds of hoping that tens of thousands of customers — and often far more — install new security patches in time, the hackers looking to take advantage of these flaws only need to get lucky once.
It’s time for a paradigm shift. Manufacturers need to provide built-in security which doesn’t rely upon customer updates after the product is already in use. This “embedded security” creates self-protected systems that don’t wait for a vulnerability to be discovered before mounting a response.
This approach was outlined in a report from the US Department of Commerce’s National Institute of Standards and Technology (“NIST”) published in July. Entitled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” the report detailed the unique challenges of IoT security, and stated that these devices must be able to verify their own software and firmware integrity.
There are already built-in security measures that can stack the deck against hackers, including secure boot, application whitelisting, ASLR, and control flow integrity to name a few. These solutions are readily available and it is imperative that leading manufacturers provide runtime protection during the build process, to safeguard their customers’ data and assets.
It’s a race against time and a reactive security approach that waits for a vulnerability to be discovered and then issues patches is lacking, to put it lightly. There will always be users who don’t install the patches in time and hackers who manage to bypass the security solutions before manufacturers can get their feet on the ground. And with White Hat hackers constantly looking for the next vulnerability to highlight, it’s a vicious cycle and one that gives hackers every advantage against large corporations.
And as Fortinet and Pulse Secure lick their wounds from the recent exploits, the onus is upon other manufacturers to realize that the current security paradigm simply isn’t enough.
Copyright 2010 Respective Author at Infosec IslandSecurity is top of mind for every company and every IT team – as it should be. The personal data of employees and customers is on the line and valuable company information is at risk. Security protocols are subject to even closer scrutiny when companies are considering migrating to the cloud.
More and more enterprises recognize that they need to pursue cloud adoption to future-proof their tech stack and achieve their business transformation objectives. The agility and cost savings the cloud provides is fast becoming a requirement for competing in today’s marketplace. Despite the growing sense that cloud is the future, many companies are hesitant to migrate their applications as they believe the cloud is not as secure as on-premise. This is a common myth, and far from the truth. While security must remain a top priority for IT professionals during the migration process, there is a successful pathway to safely and securely migrate.
Who Owns What in the Cloud?
In today’s “cloud wars” landscape, it can be difficult to separate fact from fiction – and it’s clear that many IT professionals feel the cloud is less secure. It’s time to address this myth. The cloud can be just as secure, if not more so, than a traditional on-premise environment. A survey by AlertLogic found that security issues do not vary greatly whether the data is stored on-premise or in a public cloud. Although there is the belief that public cloud servers are most at risk for an attack, on-premise systems are typically older, complex legacy systems, which can be more difficult to secure. The public cloud has the advantage of being less dependent on other legacy technologies.
Significant advancements have been made to ensure cloud migration and management can be executed in a highly secure fashion. For example, the major cloud providers today have developed a large partner network with cloud-native tools and services built from the ground up to specifically address cloud security. Public cloud providers have extensive security-focused teams and experts on staff to ensure that the cloud remains secure, supported by an ecosystem of cloud certified Managed Service Providers (“MSPs”) who can monitor and assess threat risk every step of the way. If done properly, organizations can take advantage of these advanced products and skilled resources to secure and harden their cloud environment. Most IT organizations, driven to be lean and efficient, simply can’t replicate the same level of security which leverages layers of security expertise and experience. The biggest threats are people related, either through inadvertent implementation and configuration errors, lack of proactive management discipline (e.g. applying patches) or malicious exploitation of vulnerabilities which, unfortunately, originate most easily from someone inside.
Unlike an on-premise data center deployed and managed by internal IT staff in which the organization is solely responsible, security and compliance in public cloud operates under a shared responsibility model. The cloud provider is responsible for security of the cloud and the customer is responsible for security in the cloud. What this means is that providers such as Amazon Web Services (AWS), manage and control the host operating system, physical security of its facilities, hardware, software, virtualization layer and infrastructure including networking, database, storage and compute resources. Meanwhile, the customer is responsible for system security above the hypervisor – things like data encryption in-transit and at rest, guest operating systems, networking traffic protection, platform and application security including updates and security patches.
The hybrid cloud is another valuable pathway for companies that aren’t ready or able, for various reasons, to make the full leap to the public cloud. The shared responsibility model for security and compliance applies to hybrid cloud which utilizes a combination of public cloud, private cloud and/or on-premise environment. This definition, understanding and execution of roles is critical for cloud security. According to Gartner, by 2020, 90 percent of companies will utilize some form of the hybrid cloud. In the end, security requires expertise, tools, discipline and governance. The ability for organizations to leverage and push responsibility to vendors is an underlying benefit of cloud.
How to Move to Cloud Safely
The migration process isn’t a simple task. While there is no universal pathway to migrating securely, the following tips will help IT professionals make the move:
Having a plan in place post-migration is also vital, as security doesn’t stop when the migration is complete. Companies should continue to assess their applications to ensure security remains a top priority. Working with a third-party provider or MSP skilled in cloud security can help take some of the load off the IT team, as systems require continuous updates, maintenance and cost optimization that will need to be monitored to ensure that resources deployed in the cloud are being used as efficiently and safely as possible.
Cloud technology has advanced significantly over the past 5 years. While IT pros may miss the sense of security of actually being able to physically see, restrict and manage access to their tech stack in an on-premise environment, the tide has shifted so that the benefits of cloud along with the maturity and ongoing evolution of cloud security products and services has enabled organizations to achieve a high, if not increased, level of security if implemented properly.
Copyright 2010 Respective Author at Infosec IslandThis week, it's our quarterly security money segment! In the first segment, we'll review the Security Weekly 25 index! In our second segment, we'll share the results of our Security Weekly 25 Index Survey, which we completed earlier this year!
Show Notes: https://wiki.securityweekly.com/BSWEpisode147
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Francois Lacelles, Field CTO of Ping Identity for an interview! In the Application Security News, Key takeaways from Imperva breach, From Automated Cloud Deployment to Progressive Delivery, Designing Your First App in Kubernetes: An Overview Food for Thought, Autonomy and the death of CVEs?, and AppSec 'Spaghetti on the Wall' Tool Strategy Undermining Security!
To learn more about Ping Identity, visit: https://securityweekly.com/ping
Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/ASWEpisode80
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Ty Sbano, Cloud Chief Information Security Officer of Sisense for an interview! In the Leadership and Communications section, The 5 Enemies of Trustworthy Leadership, 5 Things Leaders Do That Stifle Innovation, 'What's Your Purpose'? Big Tech's 7 Favorite Interview Questions, and more!
Show Notes: https://wiki.securityweekly.com/BSWEpisode146
To learn more, please visit - http://www.tysbano.com
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, Signal rushes to patch serious eavesdropping vulnerability, Wi-Fi signal let researchers ID people through walls from their gait, the FBI warns about attacks that bypass MFA, Vulnerable Twitter API leaves tens of thousands of iOS apps open to attacks, and D-Link home routers open to remote takeover will remain unpatched! In the expert commentary, we welcome Justin Elze from TrustedSec, to talk about Red Teaming and Adversary Emulation!
Show Notes: https://wiki.securityweekly.com/HNNEpisode237
To learn more about TrustedSec, visit: https://trustedsec.com/securityweekly
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, Mike, Matt, and John talk about Cloud Security for Small Teams! In the Application Security News, Ex-Yahoo Engineer Abused Access to Hack 6,000 User Accounts, American Express Insider Breaches Cardholder Information, How a double-free bug in, WhatsApp turns to RCE, Flare-on 6 2019 Writeups, and Five Trends Shaping the Future of Container Security!
Show Notes: https://wiki.securityweekly.com/ASWEpisode79
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we talk Security News, how Turkey fines Facebook $282,000 over privacy breach, why the FBI is encouraging not to pay ransomware demands, the top 10 cybersecurity myths that criminals love, Doordash third-party breach hits 4.9 Million users, and how a "Bulletproof" Dark Web data center was seized by German police! In our second segment, we air a pre-recorded interview with Stewart Room, Partner at PwC, to talk about Data Privacy and The Journey to Code! In our final segment, we air a show trailer of our brand new podcast, Security & Compliance Weekly w/ Jeff Man, Matt Alderman, Scott Lyons, and Josh Marpet!
Show Notes: https://wiki.securityweekly.com/Episode622
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, in our first segment, we talk Enterprise News, discussing how Tripwire unveils a new version of Tripwire Connect, Infrastructure management at scale with Netshield, Five Trends Shaping the Future of Container Security, and some funding updates from BurstIQ and Kenna Security! In our second segment, we welcome Paul Claxton, COO and Managing Partner at Elite Holding, Co., Valiant Consulting, and Reciprocity ROI LLC, to talk about the Top Cyber Threats for COO's, CMO's, and CISO's! In our final segment, we welcome Matt Wyckhouse, Co-Founder and CEO at Finite State, to talk about Supply Chain Security in the IoT Era!
Show Notes: https://wiki.securityweekly.com/ESWEpisode156
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we welcome Jeff Costlow, Deputy CISO at ExtraHop, to discuss how to strengthen your cloud security posture! In the Leadership and Communications segment, Why New Leaders Should Make Decisions Slowly, What Einstein's Most Famous Equation Says About Maximizing Your Productivity, Shift to digital business is booming, but are CEOs ignoring associated risk?, and more!
To learn more about ExtraHop, visit: https://securityweekly.com/extrahop
Visit https://www.securityweekly.com/bsw for all the latest episodes!
Show Notes: https://wiki.securityweekly.com/BSWEpisode145
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, 335 Million Malicious apps were installed on Google Play in September, a new bug found in NSAs Ghidra tool, a Medical Practice closed permanently after a Ransomware attack, researchers find a new hack to read content of password-protected PDF files, and a billboard in Michigan was hacked to play Pornography for drivers along I-75! In the expert commentary, we welcome Sean O'Brien, Founder and CEO of PrivacySafe, to talk about PrivacySafe - The Anti Cloud Appliance!
To learn more about PrivacySafe, visit: https://securityweekly.com/privacysafe
Full Show Notes: https://wiki.securityweekly.com/HNNEpisode236
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Microsoft this week announced that users all around the world can now keep their most important files protected in OneDrive Personal Vault.
Launched earlier this summer, the Personal Vault is a protected area in OneDrive that requires strong authentication or a second identification step to access. Thus, users can store their files and ensure that they can’t be accessed without a fingerprint, face, PIN, or code received via email or SMS.
Now available worldwide on all OneDrive consumer accounts, Personal Vault allows users to securely store important information such as files, photos, and videos, including copies of documents, and more.
The added security ensures that, even if an attacker manages to compromise the OneDrive account, they won’t have access to any of the files in Personal Vault.
Personal Vault won’t slow users down, as they can easily access content from their PC, on OneDrive.com, or mobile device, Microsoft says.
On top of that, additional security measures are available, including the ability to scan documents or shoot photos directly into Personal Vault. Files and shared items moved into Personal Vault cannot be shared.
Both Personal Vault and files there will close and lock automatically after a period of inactivity, and Personal Vault files are automatically synced to a BitLocker-encrypted area of the user’s Windows 10 PC local hard drive.
“Taken together, these security measures help ensure that Personal Vault files are not stored unprotected on your PC, and your files have additional protection, even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it or to your account,” Microsoft says.
OneDrive provides other security features as well, including file encryption, monitoring for suspicious sign-ins, ransomware detection and recovery, virus scanning on downloads, password-protection of sharing links, and version history for all file types.
To use Personal Vault, users only need to click on the feature’s icon, available in OneDrive. Only up to three files can be stored in Personal Vault on OneDrive free or standalone 100 GB plans, but that limit is as high as the total storage limit for Office 365 Personal and Office 365 Home plans.
Related: DHS Highlights Common Security Oversights by Office 365 Customers
Related: Microsoft Adds New Security Features to Office 365
Copyright 2010 Respective Author at Infosec IslandThis week, we welcome Ryan Kelso, Application Security Engineer at 10-Sec, Inc., to discuss Information Disclosure Vulnerabilities! In the Application Security News, Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways, Intelligent Tracking Prevention 2.3 and a discussion to Limit the length of the Referer header with some background on Browser Side Channels, Serverless Security Threats Loom as Enterprises Go Cloud Native, and much more!
Full Show Notes: https://wiki.securityweekly.com/ASW_Episode78
Visit https://www.securityweekly.com/asw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, we talk Security News, discussing how a hacker took over a smart home with vulgar music and rising temperatures, a security warning for 23 million YouTube creators following a crazy hack attack, Vimeo sued for storing faceprints of people without their say-so, Selfie Android apps push ads and can record audio, and how adopting DevOps leads to an improved security posture! In our second segment, we air three pre-recorded interviews from the SE village at DEFCON 27 with Billy Boatright, Edward Miro, and Jayson Street! In our final segment, we air two more pre-recorded interviews from the SE Village at DEFCON 27, featuring Perry Carpenter and Chris Edwards!
Full Show Notes: https://wiki.securityweekly.com/Episode621
Visit https://www.securityweekly.com/psw for all the latest episodes!
Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com
This week, in the enterprise news segment, Akamai acquires MFA specialist KryptCo, HP acquires Bromium to enhance its security platform, Cyber Insurance firm Cowbell emerges from stealth with $3.3M in seed funding and more! In our second segment, we interview Brian Dye, Chief Product Officer at Corelight, a Help Systems company, to discuss "The Path to Threat Hunting is Paved with Great Network Data". In our third segment, we interview Tony Meehan, Vice President of Engineering at Endgame, to discuss "Building an engineering team for every stage of company growth".
Full Show Notes: https://wiki.securityweekly.com/ES_Episode155
Visit https://www.securityweekly.com/esw for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
This week, Facebook suspends tens of thousands of apps from hundreds of developers, a Privilege Escalation flaw found in Forcepoint VPN Client for Windows, WannaCry and why it never went away, 0patch promises support for Windows 7 beyond January 2020, and how the FBI arrests more than 200 hackers in different countries! In the expert commentary, we welcome Grant Sewell, Director of IT Security at Safelite Autoglass, to talk about Risk-based security and identity controls, and the Use of Preempt Security's Platform!
To learn more about Preempt, visit: https://securityweekly.com/preempt
Full Show Notes: https://wiki.securityweekly.com/HNNEpisode235
Visit https://www.securityweekly.com/hnn for all the latest episodes!
Follow us on Twitter: https://www.twitter.com/securityweekly
Like us on Facebook: https://www.facebook.com/secweekly
Humans are regularly referred to as the ‘weakest link’ in information security. However, organizations have historically relied on the effectiveness of technical security controls, instead of trying to understand why people are susceptible to mistakes and manipulation. A new approach is clearly required: one that helps organizations to understand and manage psychological vulnerabilities, and adopts technology and controls that are designed with human behavior in mind.
That new approach is human-centred security.
Human-centred security starts with understanding humans and their interaction with technologies, controls and data. By discovering how and when humans ‘touch’ data throughout the working day, organizations can uncover the circumstances where psychological-related errors may lead to security incidents.
For years, attackers have been using methods of psychological manipulation to coerce humans into making errors. Attack techniques have evolved in the digital age, increasing in sophistication, speed and scale. Understanding what triggers human error will help organizations make a step change in their approach to information security.
Identifying Human Vulnerabilities
Human-centred security acknowledges that employees interact with technology, controls and data across a series of touchpoints throughout any given day. These touchpoints can be digital, physical or verbal. During such interactions, humans will need to make decisions. Humans, however, have a range of vulnerabilities that can lead to errors in decision making, resulting in negative impacts on the organization, such as sending an email containing sensitive data externally, letting a tailgater into a building or discussing a company acquisition on a train. These errors can also be exploited by opportunistic attackers for malicious purposes.
In some cases, organizations can put preventative controls in place to mitigate errors being made, e.g. preventing employees from sending emails externally, strong encryption of laptops or physical barriers. However, errors can still get through, particularly if individuals decide to subvert or ignore these types of controls to complete work tasks more efficiently or when time is constrained. Errors may also manifest during times of heightened pressure or stress.
By identifying the fundamental vulnerabilities in humans, understanding how psychology works and what triggers risky behavior, organizations can begin to understand why their employees might make errors, and begin managing that risk more effectively.
Exploiting Human Vulnerabilities
Psychological vulnerabilities present attackers with opportunities to influence and exploit humans for their own advantage. The methods of psychological manipulation used by attackers have not changed since humans entered the digital era but attack techniques are more sophisticated, cost-effective and expansive, allowing attackers to effectively target individuals or to attack on considerable scale.
Attackers use the ever-increasing volume of freely available information from online and social media sources to establish believable personas and backstories in order to build trust and rapport with their targets. This information is carefully used to heighten pressure on the target, which then triggers a heuristic decision-making response. Attack techniques are used to force the target to use a particular cognitive bias, resulting in predictable errors. These errors can then be exploited by attackers.
There are several psychological methods that can be used to manipulate human behavior; one such method that attackers can use to influence cognitive biases is social power.
There are many attack techniques that use the method of social power to exploit human vulnerabilities. Attack techniques can be highly targeted or conducted on scale but they typically contain triggers which are designed to evoke a specific cognitive bias, resulting in a predictable error. While untargeted, ‘spray and pray’ attacks rely on a small percentage of the recipients clicking on malicious links, more sophisticated social engineering attacks are becoming prevalent and successful. Attackers have realized that it is far easier targeting humans than trying to attack technical infrastructure.
The way in which the attack technique uses social power to trigger cognitive biases will differ between scenarios. In some cases, a single email may be enough to trigger one or more cognitive bias resulting in a desired outcome. In others, the attack may gradually manipulate the target over a period of time using multiple techniques. What is consistent is that the attacks are carefully constructed and sophisticated. By knowing how attackers use psychological methods, such as social power, to trigger cognitive biases and force errors, organizations can deconstruct and analyze real-world incidents to identify their root causes and therefore invest in the most effective mitigation.
For information security programs to become more human-centred, organizations must become aware of cognitive biases and their influence on decision-making. They should acknowledge that cognitive biases can arise from normal working conditions but also that attackers will use carefully crafted techniques to manipulate them for their own benefit. Organizations can then begin to readdress information security programs to improve the management of human vulnerabilities, and to protect their employees from a range of coercive and manipulative attacks.
Managing Human Vulnerabilities
Human vulnerabilities can lead to errors that can significantly impact an organization’s reputation or even put lives at risk. Organizations can strengthen information security programs in order to mitigate the risk of human vulnerabilities by adopting a more human-centred approach to security awareness, designing security controls and technology to account for human behavior, and enhancing the working environment to reduce the impact of pressure or stress on the workforce.
Reviewing the current security culture and perception of information security should give an organization a strong indication of which cognitive biases are impacting the organization. Increasing awareness of human vulnerabilities and the techniques attackers use to exploit them, then tailoring more human-centred security awareness training to account for different user groups should be fundamental elements of enhancing any information security program.
Organizations with successful human-centred security programs often have significant overlap between information security and human resource functions. The promotion of a strong mentoring network between senior and junior employees, coupled with the improvement of the structure of working days and the work environment, should help to reduce unnecessary stress that leads to the triggering of cognitive biases affecting decision-making.
Develop meaningful relationships between a mentor and mentee to create an equilibrium of knowledge and understanding. Create a working environment and work-life balance that reduces stress, exhaustion, burnout and poor time management, which all significantly increase the likelihood of errors being made. Finally, consider how the improvement or enhancement of workspaces and environments can reduce stress or pressure on the workforce. Consider what is the most appropriate work environment for the workforce as there may be varying options, e.g. working from home, remote working, or modernizing office spaces, factories or outdoor locations.
From Your Weakest Link to Your Strongest Asset
Underlying psychological vulnerabilities mean that humans are prone to both making errors, and to manipulative and coercive attacks. Errors and manipulation now account for the majority of security incidents, so the risk is profound. By helping staff understand how these vulnerabilities can lead to poor decision making and errors, organizations can manage the risk of the accidental insider. To make this happen, a fresh approach to information security is required.
A human-centred approach to security can help organizations to significantly reduce the influence of cognitive biases that cause errors. By discovering the cognitive biases, behavioral triggers and attack techniques that are most common, tailored psychological training can be introduced into an organization’s awareness campaigns. Technology, controls and data can be calibrated to account for human behavior, while enhancement of the working environment can reduce stress and pressure.
Once information security is understood through the lens of psychology, organizations will be better prepared to manage and mitigate the risks posed by human vulnerabilities. Human-centred security will help organizations transform their weakest link into their strongest asset.
About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
Copyright 2010 Respective Author at Infosec Island