Alex Makumbi

01 May 2017

Over the last two or so decades, the information technology industry has moved away from an overreliance on physical infrastructure and physical endpoints to embrace and cater to the habits of a dynamic, always-on-demand customer. Emerging technologies such as cloud computing infrastructure and the Internet of Things (IoT) are helping organizations reduce costs and add flexibility to their operations. The “trust in cloud are going to increase, leading to more sensitive data and processing in the cloud” (McAfee Labs, 2016). Consumer demand is going to drive investment in developing and integrating IoT into organizations’ product portfolios.

Adversaries are adapting to the new information technology landscape by leveraging emerging technologies, tools and techniques to exploit new weak points in defense systems. Advanced persistent threats (APTs) are now more common, and mobile and wireless security is actively targeted as a weak point. DDoS attacks are now cloud-based, leveraging virtual servers to generate ultra-high-bandwidth attacks. State-sponsored espionage came into the international spotlight during the 2016 U.S. election, heightening awareness of the need to safeguard critical data from politically or financially motivated threats. Until new methods of authentication are introduced, password management remains a major challenge: stronger user-controlled passwords have to be put in place and enforced.

The overreliance on emerging technologies has introduced various challenges in securing the confidentiality, integrity and availability of critical infrastructure. Of the three pillars of security, confidentiality of data poses the greatest challenge and is the one that keeps CISOs up at night. Acknowledging that confidentiality is a major challenge, however, does not identify the real security challenge; it only addresses the effect of a cause. In this white paper we make the case that human endpoints are, and will remain, one of the biggest weaknesses across most technologies for the foreseeable future. We argue that combating this weakness requires exchanging cyber threat information within a sharing community, so that organizations can leverage the collective knowledge to increase endpoint situational awareness.

Human Endpoints Are Unaware

People are the biggest point of vulnerability in any organization, and the endpoint is where they interact with whatever an attacker is after: intellectual property, credentials, cyber ransom, etc. People are trusting by nature. They enjoy connecting and staying up to date on the latest trends. They click on links in emails, tweets or Facebook posts all too easily, security experts included. People are also responsible for the policies and procedures in place at the enterprise, whether imposed by regulatory bodies or adopted voluntarily for security.

Millennials entering the workforce are reshaping how office environments are designed. A desire for open office spaces for creativity and collaboration, an increasing number of people telecommuting, and Bring Your Own Device (BYOD) mobile devices have reduced control of information and greatly increased the attack surface. Everyday human errors can cause breaches that expose millions of people to potential harm. “Leaving devices unattended, sharing passwords or accidentally emailing or peer-to-peer sharing of information to the wrong people are entry points attackers aim exploit” (Kam, 2016). The Federal Times indicated that “at least 50 percent of breaches and leaks are directly attributed to user error or failure to provide proper cyber hygiene” (Boyd Aaron, 2014).

The biggest risk is a lack of awareness on the part of users. Even if the organization has good security processes and training, and even if people faithfully follow security procedures at the workplace, they are typically unaware that the decisions they make and the actions they take in their private lives can place them and their employers at risk. For instance, if employees bring their own devices to work, their failure to apply an OS update containing important security patches can place networks at risk. Another instance is employees using the same password on personal and work accounts, or posting comments on social media sites. These examples and many more stem from a lack of awareness.

Raise Endpoint Situational Awareness

We need to raise the awareness of human endpoints. This begins by bringing together the cyber threat knowledge that organizations already have and exchanging it within a sharing community. The collective knowledge, experience, and capabilities shared in this way would give the community a more complete picture of the threats an organization may face. Leveraging this information and knowledge, “an organization can make informed decisions pertaining to defensive posture, threat detection techniques, and mitigation strategies” (Johnson, Badger, Waltermire, Snyder and Skorupka, 2016). By correlating and analyzing cyber threat information, an organization can tailor it to department and organizational role, making human endpoints situationally aware of the threat landscape. “Until you make a human cyber security aware, no data is fully secure. The idea is to prevent an attack rather than reacting once it happens” – Akshat Jain from Cyware (Ranipeta, 2017).

Call to Action!

The world of information security does not lack for challenges. There are the never-ending updates and patches in response to incremental changes by adversaries, and the major software releases that introduce new features but also open unexpected vulnerabilities. It is difficult to keep up with the never-ending, cyclical nature of information security. Our overreliance on emerging technologies such as cloud computing and IoT poses particular challenges to the confidentiality, integrity and availability of critical infrastructure.

The increase in attack surface has raised particular concern about how effectively organizations can secure the confidentiality of data both at rest and in transit. People are the biggest point of vulnerability in any organization and are the endpoints with which attackers interact in the hope of stealing intellectual property, credentials, cyber ransom, etc. Adversaries are adapting to the new information technology landscape by leveraging emerging technologies, tools and techniques to exploit new weak points.

We need to raise the awareness of human endpoints. People should be armed with timely, relevant cyber threat information so that they are situationally aware: when they make decisions and take actions in their private lives and working environments, they should understand the implications both for themselves and for their employers. The private and public sectors should gravitate closer together to create communities that exchange cyber threat knowledge, experience, and capabilities. Organizations in both sectors should also take an active role in ensuring employees are adequately trained, by allocating time throughout the year for security training. These steps will ensure that the gap in understanding of information security among human endpoints, non-technical and technical alike, is reduced.

Citations

Boyd Aaron. (2014). “The user knows nothing: Rethinking cybersecurity” Federal Times. Retrieved from http://www.federaltimes.com/story/government/cybersecurity/2015/04/14/the-user-knows-nothing/25776507/

Johnson Chris, Badger Lee, Waltermire David, Snyder Julie and Skorupka Clem. (2016). “Guide to Cyber Threat Information Sharing” National Institute of Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

Kam Richard. (2016). “The Biggest Threat to Data Security? Humans, Of Course” IAPP. Retrieved from https://iapp.org/news/a/the-biggest-threat-to-data-security-humans-of-course/

McAfee Labs. (2016). “McAfee Labs explores top threats expected in the coming year” McAfee Labs – Intel Security. Retrieved from https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf

Ranipeta S Shilpa. (2017). “How human learning, and not just machine learning, can keep us cyber-secure” The News Minute – Cyber Security. Retrieved from http://www.thenewsminute.com/article/how-human-learning-and-not-just-machine-learning-can-keep-us-cyber-secure-58439

Taylor Brian. (2016). “Endpoint security: People are the biggest source of vulnerability” TechRepublic. Retrieved from http://www.techrepublic.com/article/endpoint-security-people-are-the-biggest-source-of-vulnerability/