W mti.com E [email protected] T +44 (0) 1483 520 200
Enterprise Cyber Security
Addressing the Human Factor
The Overlooked Human Factor
Cyber security is a key challenge for all organisations, growing
almost daily in complexity. An increasingly mobile and distributed
workforce, expanding use of cloud resources and growing legacy
software and hardware issues mean organisations must secure
multiple attack surfaces across complex, constantly changing IT
estates. Cyber criminals are, of course, quick to exploit the many
opportunities presented to them by these circumstances.
Meanwhile, a steady stream of legislation makes additional
demands, each requiring time, expertise and other resources. Such
regulations, though designed to protect organisations, individuals,
customers and suppliers, add to the over-all cyber security challenge
which every organisation must address.
Data breaches are a serious matter. Financial and other regulatory
penalties may be imposed, either via general legislation such as
GDPR, or more specific regulations such as those relating to the
payment card industry. Intellectual property may be lost and
significant reputational damage suffered. Mission critical data, such
as client databases, may be corrupted, rendered inaccessible or
stolen.
Various issues must be considered and managed in order to
minimise the risk of a breach. These include the use of technology
solutions to protect key infrastructure elements such as networks,
endpoints and applications, and tools to gather and exploit threat
intelligence.
Such technologies typically dominate any discussion of cyber
security matters, often leading to the adoption of diverse, poorly
integrated point solutions. However, there is another issue to take
into account, fundamentally important but often largely overlooked:
the human factor. According to a recent report by the Information
Commissioner’s Office 80% of reported breaches in Q4 2017/18 were
the result of human or process error.1
It is essential that any cyber security strategy addresses the human
factor carefully and thoroughly. This document explores seven key
types of individual to consider, their characteristics, the risks they
may present and examples of how those risks may be addressed.
Contents
The Overlooked Human Factor
Cyber-Risks by User Type: New Users, IT Administrators, Senior Management, Developers, Benign Third Parties, Malicious Third Parties, Malicious Insiders
Technologies to Address the Risks
The Way Forward
Assessing Your Cyber Security
An Independent Cyber Security Benchmark
Next Steps

In this guide you will learn about the critically important but often overlooked human factor in cyber security, seven key user types and the risks they present, and how to address these risks.

Cyber Security Terminology
The cyber security world is fast moving, with existing threats constantly evolving and new ones emerging. Keeping up with the terminology alone is a challenge. Look out for the terminology panels throughout this guide for explanations of some common cyber security terms.
1 Source: https://ico.org.uk/action-weve-taken/data-security-incident-trends
New Users
Overview
Individuals new to the organisation, moving to a new department, or
simply new to a system or process, typically operate initially without
the benefit of experience. Over 75% of large organisations suffered
staff-related security breaches in 2015, and half of the worst of these
were caused by human error.2
They may not be aware of best practice, process and system
weaknesses that must be catered for, or specific system security
features that should be employed in prescribed ways. They may
unwittingly take unnecessary risks.
Even those new users who have been well trained in the security
requirements of their position may be at greater risk of making
mistakes than more experienced individuals.
The Risks
Focused on learning and excelling in their new role, new users often
overlook key security issues. They may access inappropriate data,
services and other resources, or open risky emails or attachments.
Spear phishing attacks will often target new users in order to capitalise on their lack of experience. In the case of ‘whaling’ attacks, targeting new senior executives with access to highly valuable or sensitive information, the damage can be significant or even disastrous. More generally, new users may also be vulnerable to watering hole attacks, in which specific web destinations which they are known to frequent are compromised.
As a result, new users at all levels in the organisation are at
particular risk of malware attacks, including ransomware.
New users, not fully aware of security best practice and protocols,
may also be more likely than others to engage in risky behaviours
such as transferring sensitive data to portable storage devices or
forwarding emails to their private email accounts. Working from
home or over public wifi may expose them to further risks.
Phishing
An attack intended to trick targeted individuals into giving up sensitive information, often login credentials or financial details. Phishing attacks are typically made via emails designed to look like bona fide messages from trusted bodies. Successful cyber-attacks typically begin with a phishing email, and users continue to be taken in despite improved awareness of this type of attack.
Cyber-Risks by User Type
In this section we look at seven key user types, within your organisation and beyond it, who present specific cyber security risks. Ignore them at your peril – they’re often the cyber criminal’s easiest way through your technological defences.
2 Source: https://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-03.pdf
IT Administrators
Overview
IT Administrators and others in similar roles typically have
accounts with extensive user rights. Having compromised such
an account, cyber criminals can make use of those rights to gain
access to a much wider range of resources than would be the
case with a standard user’s account.
The Risks
With industry breach reports attributing around 80% of hacking-related breaches to weak or stolen login credentials, user accounts with elevated privileges present significant potential for damage to the organisation. Privileged accounts are a key security vulnerability for most organisations today, and phishing attacks are therefore often aimed specifically at IT Administrators.
The potential for damage goes well beyond the theft or
corruption of sensitive data. With access to one or more of the
organisation’s social media accounts, great harm can be done to
its reputation and brand. Similarly, by sabotaging the
organisation’s cloud environment, day to day operations can be
heavily impacted.
Senior Management
Overview
Typically having access to valuable information, Senior
Management Team (SMT) members are prime cyber-attack
targets. They, and their immediate support staff, such as PAs, are
often unaware that they sit near the top of the cyber-criminal’s hit
list, making them especially vulnerable to social engineering
attacks.
The Risks
SMT members are often targeted with spear phishing and whaling attacks. Their high profile makes them easy to research, so these attacks can be highly tailored to the target individual and are typically designed to gain access to sensitive information or to authorise fraudulent payments. Travelling frequently, at home and abroad, they may use insecure public wifi hotspots, putting them at risk of MITM attacks.
Further compounding the risks, C-suite members are often the group of employees most likely to fail to follow established policies and procedures, for example by requesting exemptions from controls that apply to everyone else.
Spear Phishing
A phishing attack aimed at a specific individual, or a small, tightly defined group of individuals, typically relying on detailed knowledge of their interests, jobs, families or other similar matters.
Whaling
A spear phishing attack aimed at a specific high value target or targets, such as C-level executives.
MITM
Exploiting weaknesses in public wifi networks, attackers mount Man-in-the-Middle (MITM) attacks by inserting themselves between users and the local wifi router, for example with a rogue access point carrying the same network name. Traffic that should pass directly between the user’s device and the router is instead routed through the attacker’s device, allowing them to read or alter anything sent in the clear, inject malicious content into unencrypted pages, and collect sensitive corporate or personal information and login credentials. Properly validated TLS (HTTPS) and a VPN deny the attacker the plaintext, so the remaining risk is a user clicking through a certificate warning; travelling staff should be told never to do so.
Developers
Overview
Developers and others in similar roles usually have more extensive
rights than the average user. In some cases, they have similar rights
to those of an IT Administrator.
They often feel hindered in their day to day work by security
solutions and restrictions. As a result, IT may grant them wider-
ranging rights than they actually need, typically one-by-one, over a
period of time. This is especially common where the individuals
concerned are working on business critical applications.
The Risks
Phishing and spear phishing attacks are frequently aimed at
developers, as cyber criminals seek to exploit the elevated
privileges often found on their accounts.
Developers with extensive user rights may also present insider
threats, intentionally or accidentally, as a result of the generally
weaker security in the development environment.
Benign Third Parties
Overview
Trusted individuals from outside the organisation, such as those
working for contractors and suppliers, are often granted
unnecessarily extensive user rights on the organisation’s systems.
Attacks mounted through third parties are a serious concern. In
2017, 56% of the organisations surveyed for the Ponemon Third
Party Data Risk Study had suffered data breaches resulting from
such attacks.
The same research also shows that more than one in two
organisations do not know which third parties they share
sensitive information with, rising to a sobering 82% for nth-party
relationships. Meanwhile, 57% have no clarity on the efficacy of
their third parties’ data protection policies.3
The Risks
Third party users may be inadequately aware of approved
security practices within the organisation, as well as being less
motivated than employees to adopt such practices.
Should a third party account be compromised, the impact on the
organisation will depend on the privileges in place on the
account. Examples include reputational damage resulting from
unauthorised access to social media accounts, and degraded
organisational capabilities resulting from compromised cloud
resources and services.
Disguised Scamware (Trojanised Software)
Attackers inject malware into a trusted application, so that when users install or update it, their devices are compromised. This attack type was successfully executed through the popular cleanup and anti-malware app CCleaner in 2017, affecting millions of users. Because the attackers had compromised the vendor’s build process, the backdoored installer carried the vendor’s legitimate code signature and was served from the official download site, so signature checks and download-source rules did not catch it; detection had to come from monitoring the software’s behaviour after installation.
Pretexting
If attackers can create a believable story, they improve their chances of tricking their targets into falling for their phishing attack. Pretexting is the use of such a fabricated scenario, often delivered by phone, to persuade the target to hand over information or take an action, and it usually relies on details gathered beforehand about the target and the organisation. Phishing emails may also be combined with follow-up phone calls, to encourage recipients to respond.
Bad USB Cable
In a development of the established Bad USB Stick attack type, attacks can now be mounted using just a compromised USB cable, perhaps plugged into a laptop to charge a phone. A chip hidden in the cable presents itself to the host as a keyboard and injects keystrokes into the target machine, triggering actions such as the download of malware. Other USB devices, such as mice, have also been used in this type of attack. Because the host sees an ordinary keyboard, anti-malware software does not intervene; the practical controls are locking screens when unattended, restricting which USB device classes may connect, and treating cables like any other untrusted removable media.
Watering Holes
Attackers inject malware into a website known to be frequented by the targeted users. When a user visits the site, the malware takes advantage of browser or plug-in vulnerabilities to compromise their device. Watering hole attacks are often aimed at specific industries, but may also target the wider population through more widely used sites.
Mouse Hovering
This attack type launches malware when the user hovers their mouse over a link, without a click. The best-known example, seen in malicious PowerPoint attachments in 2017, abused PowerPoint’s legitimate ‘mouse over’ hyperlink action to run a script rather than exploiting a memory-safety bug, and was blocked while the document remained in Protected View. Mouse hovering capitalises on the fact that users will often hover to see where a link goes before clicking it – ironically, to avoid following untrusted links.
3 Source: https://www.opus.com/ponemon
Malicious Third Parties
Overview
Whether motivated by ideologies, personal grudges or simply the
desire for quick and easy profits, malicious third parties remain a
major threat.
Hackers employ a wide range of social engineering and
technological attack vectors, ranging from the ongoing flood of
phishing emails, through man-in-the-middle (MITM) attacks on
insecure wifi networks, to ingenious uses of such apparently
innocuous items as USB cables.
The Risks
Visibility of hackers on the organisation’s network is a key challenge.
Often, having gained access via phishing attacks, they remain
undiscovered for months at a time, quietly syphoning off sensitive
data or tampering with critical systems.
Data breaches arising from such attacks can not only seriously
impact the organisation’s day-to-day operations, but also expose it
to reputational damage and fines under regulations such as GDPR.
Malicious Insiders
Overview
It is thought that at least 10% of attacks originate from within the
targeted organisation.4 Malicious insiders, often motivated by
dissatisfaction with the organisation, attack from a position of
strength, knowing the IT environment they are targeting.
The Risks
Malicious insiders may exfiltrate data, selling it on or taking with
them to a new employer. Alternatively they may seek to
deliberately damage the organisation’s assets, for example by
changing configurations and settings, or spinning cloud resources
up or down.
The impact on the organisation can be extensive, examples
including the passing of intellectual property to competitors, the
interruption of key services, the contravention of data protection
regulations and brand damage resulting from the hijacking of
social media accounts and other communications channels.
DMZ
“Demilitarised Zone”: a network segment, separated by firewalls from both the internet and the internal network, that hosts externally facing services such as web and mail servers. If one of those servers is compromised, the attacker still has no direct route to internal resources.
Malware
A broad term covering all software designed to penetrate, damage, disable or otherwise compromise IT systems.
Two-factor Authentication
The verification of a user’s identity by two different kinds of evidence, such as a password (something the user knows) and a one-time code generated by an authenticator app or hardware token (something the user has). Codes sent by SMS count as a second factor but are the weakest option, since they can be intercepted or redirected by SIM swapping; phishing-resistant methods such as FIDO2 security keys are the strongest.
Data Exfiltration
The unauthorised transfer of data out of the organisation to individuals or systems not entitled to it. Often data exfiltration progresses for some time, silently filtering sensitive information out of the organisation, before it is discovered.
Data Leakage
The exposure of information to those not authorised to access it, whether by accident or design, potentially resulting in data theft or other loss.
4 Source: https://www.raconteur.net/sponsored/beware-the-insider-threat-in-the-war-against-cybercrime
Technologies to Address the Risks
Various technologies are available to help mitigate the cyber security risks posed by individuals within
and outside your organisation. In this section we present a short summary of some of these
technologies, arranged by user type. It is important to note that technology is only part of the story
– user education and mentoring, and rigorous policies and procedures are also essential.
Technologies, each mapped in the guide to the user types it addresses (New Users, IT Administrators, Senior Management, Developers, Benign Third Parties, Malicious Third Parties and Malicious Insiders):
Web and Email Security
Data Loss Prevention
Anti-malware
Role-based Education
Privileged Account Management
Least Privilege
Secure DevOps
Strong Authentication
Data Encryption
Network Monitoring and Visibility
Penetration Testing
The Way Forward
In this section we outline how to identify the cyber security issues presented by individuals within and beyond your organisation, and look at the benefits of regular, comprehensive assessments of all aspects of your cyber security.
organisation, it is essential to identify and mitigate the risks
presented by the seven types of user we have looked at.
Technology has a key role to play, but with accidents,
errors and malicious activity responsible for such a
significant proportion of breaches, building a strong
security culture is critically important.
Educating users from the moment they join the
organisation, building and enforcing strong security
policies and procedures, and frequently reinforcing good
security practices are all essential. With the threat
to their knowledge and understanding of security risks and
how to address them.
Ongoing focus on, and training in security matters, working
hand in hand with robust procedures and policies, will
encourage the development of a strong security culture,
which will support the various technology solutions in use
across your estate.
Assessing Your Cyber Security
Thoroughly assessing your organisation’s security posture and processes is essential. Such assessments
should identify where improvements are necessary and how they should best be made, across all of your
networks, systems, services, applications and data, on-premise and in the cloud, looking not only at
technology but also at the human factors we have explored in this guide.
With technology and cyber crime both developing rapidly, risks are dynamic and the threat landscape is
constantly changing, so it is essential to undertake security assessments regularly.
Gaining a comprehensive understanding not only of systems, platforms and networks, but also of users
and data, and the often complex interactions between these various elements, is key to building a full
picture of your organisation’s cyber security stance. Your assessment will typically reveal opportunities for
improvements in several of the common cyber security issue areas listed in the panel below.
8 Common Cyber Security Issues
Unprotected privileged accounts
Users with weak passwords
Unstructured patching and vulnerability management
Weak data protection
Weak governance and monitoring
Poor user education
No cyber security strategy
Excessive focus on technology
An effective cyber security assessment will include three principal phases:
1. Review any existing cyber security strategy to identify weak areas and gaps.
2. Assess the existing environment, using tools to interrogate the network, revealing activity, events and security weaknesses.
3. Test the environment and individuals using penetration testing and social engineering techniques.
An Independent Cyber Security Benchmark
MTI’s Cyber Security Maturity Assessment (CSMA) objectively benchmarks the
organisation’s cyber security stance and its effectiveness, and provides
prioritised remediation guidance. The CSMA reports on key security factors
using an intuitive ‘traffic light’ system, supported by Executive and Technical
summaries outlining recommended remediation priorities.
MTI has built the CSMA using key elements from relevant industry
frameworks, including the National Cyber Security Centre’s 10 Steps to Cyber
Security, and several ISO standards, leveraged by our 20+ years of
experience in IT modernisation and security.
The CSMA provides an independent cyber security benchmark, remediation
guidance and consolidated analysis of your organisation’s cyber security
stance. Its output provides an excellent basis for selecting remediation
services to address any security gaps and weaknesses it may identify.
Your Assessment
To book your CSMA, or find out more about how this assessment
can help your organisation, speak to one of our advisors on
+44 1483 520 200, email us at [email protected]
Next Steps
In this guide we have explored the often
overlooked human factor in enterprise cyber
security, looked at seven key individual types
and the risks they typically present, and outlined
ways in which such risks may be reliably
identified and addressed.
In a fast moving, constantly changing threat landscape awash with dynamic risks, it is essential to secure and maintain a detailed, contextually aware understanding of your users and the data they access, as well as of the technology aspects of your IT infrastructure. Only with such an understanding can a solid, comprehensive cyber security strategy be built.