Cybersecurity and Why We (Humans) Are the Weakest Link…Again.
You can’t find a bar these days where someone next to you isn’t talking about the news of the day, which is most likely political. At the root of these discussions is the increased activity and the number of compromised systems due to malicious hacker attacks. I’m sure by now you have an opinion and want to express your views to your neighbor, who may just want to have a Manhattan in peace. Ugh… don’t worry, this is not a political essay, but more a quick read on our lack of focus on the critical topic of Cybersecurity. The theme of this article, one that every Internet security person knows without fail, is that more often than not the root cause of an incident is a human who inadvertently let the bad actors in the door. We are absolutely the weakest link in the Cybersecurity chain, and this article outlines typical issues around this topic.
As the news of the day continues to focus on Russian interference in the elections of 2016, there are many discussions around the ability of investigators to scrub an obscene number of log records in order to figure out what happened. Cybersecurity, for the first time in history, is absolutely the hottest topic on the planet, and everyone is looking to blame someone. “Well, the Democrats clearly caused the issue by being hacked” or “The Russians were obviously working against the Democrats and fueled the negative campaigns against the Dems.” Both sides, Republicans & Democrats, were hacked, but how? Those humans again… I’m not calling anyone in particular unintelligent, as these attacks are extremely well orchestrated, but at the end of the day, we (humans) are the issue.
As people wonder why it has taken so long to share information, such as the latest indictments of 12 Russian nationals, they do not recognize the complexity and sheer number of files that must be reviewed. It’s staggering, which is why most data breaches, according to Microsoft, are not detected for almost 5 months. Feel free to re-read that last sentence before moving on; we will wait.
We focus all our efforts on the firewall and antivirus software that exists today. “Because we have a security team who manages the firewall so clearly we are covered.” This is a frequent conversation, and it is flat-out wrong. First, your security team is probably understaffed. If it’s not, then I’m sure you have the weirdest holiday parties of all time. We security nerds are never going to out-cool the sales team. We are aware of this and accept it. But this should not limit the needs of the organization. Yes, we (security engineers) are not cheap, but believe me when I say we are important, and when there is more work than personnel, we are never going to get everything done that is needed. Even though we can’t sell this concept every time (again, we’re not as well liked as sales), executives need to understand that it’s more important than an amazing holiday party. I promise the team will drink the cheap booze.
Second, firewalls are only one side of the fence as we attempt to keep bad people out, but what happens once we let them in? How do we know that the bad actors have stormed the gates? Are they raising their hands with so much traffic that it sets off the alarms? Good hackers tend not to make much noise. Occasionally, some punks will cause an instant ruckus just to show off that they were able to get past the guards, but if they are really bad actors and not just some punks, they typically like to take the following approach:
Not Enough Security
“So smart guy, if firewalls and antivirus are not sufficient, what else can be done?” I’m glad you asked. There are newer software platforms on the market that take advantage of machine learning techniques to figure out where you go and what you do, and let people know when things “don’t look right”. If you go to Salesforce, some internal servers, webmail, some sort of news site and, in the fall, your fantasy football page(s), and then one day your machine starts sending a beacon message back to Russia, an alert is triggered. Yes, this is absolutely a “big brother” type of system, but please refer back to the previous point: the security team isn’t properly staffed anyway. Trust me when I say they most likely don’t care that you are sneaking in some fantasy trades now and again. There’s not enough of a team to handle the big issues, let alone this waste of time. And if they block it, you’re going to use your phone anyway, so what’s the use?
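As an added illustration (not part of the original article and not any vendor’s product), here is the per-user destination baseline the paragraph describes, reduced to a rule-based version rather than machine learning and run over constructed proxy-log lines: a user whose traffic is normally Salesforce, the intranet, webmail, news and a fantasy football site suddenly checks in every ten minutes with a host in a country never seen before. All hosts, users and timestamps are invented for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed proxy-log lines, invented for this example: "<ts> <user> <dest_host> <dest_country>"
BASELINE_LOG = [
    "2018-07-09T09:02:11 alice login.salesforce.com US",
    "2018-07-09T09:15:40 alice intranet.corp.example US",
    "2018-07-09T12:01:05 alice mail.example.com US",
    "2018-07-09T12:30:22 alice news.example.net US",
    "2018-07-10T18:45:10 alice fantasy.example.org US",
]
RECENT_LOG = [
    "2018-07-16T09:01:50 alice login.salesforce.com US",
    "2018-07-16T09:30:00 alice c2.example.test RU",  # regular 10-minute check-ins
    "2018-07-16T09:40:00 alice c2.example.test RU",
    "2018-07-16T09:50:00 alice c2.example.test RU",
    "2018-07-16T10:00:00 alice c2.example.test RU",
    "2018-07-16T10:12:07 alice newsite.example.net US",  # new but one-off, familiar country
]

def parse(line):
    ts, user, host, country = line.split()
    return datetime.fromisoformat(ts), user, host, country

def build_baseline(lines):
    """Learn, per user, the hosts and countries seen during a normal period."""
    profile = defaultdict(lambda: {"hosts": set(), "countries": set()})
    for _, user, host, country in map(parse, lines):
        profile[user]["hosts"].add(host)
        profile[user]["countries"].add(country)
    return profile

def detect(baseline, lines, min_hits=3, max_jitter=0.2):
    """Flag destinations a user has never visited; tag beacon-like regularity."""
    hits = defaultdict(list)
    for ts, user, host, country in map(parse, lines):
        if host not in baseline[user]["hosts"]:
            hits[(user, host, country)].append(ts)
    alerts = []
    for (user, host, country), stamps in hits.items():
        tags = ["new-destination"]
        if country not in baseline[user]["countries"]:
            tags.append("new-country")
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Near-constant spacing between repeated contacts is the classic beacon signature
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            tags.append("beacon")
        alerts.append((user, host, tags))
    return alerts
```

Calling `detect(build_baseline(BASELINE_LOG), RECENT_LOG)` raises two alerts: the Russian host is tagged new-destination, new-country and beacon, while the one-off news site is only tagged new-destination, which is the kind of triage that lets a small team ignore the fantasy trades and look at the beacon.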
I hate to be the bearer of bad news, but you have to spend more on security and disaster recovery. I’m sorry, but you do. Your other option is to lock down everyone’s laptop so they can’t do most of the things they are used to (Dropbox, Gmail, Facebook) while on the job, which means they are going to spend more time on their smartphones. It’s a cost either way, so I recommend that you buy the right software and just move along.
The last point that needs to be said here is to please train your teams on what not to do. Tell them never to pick up a thumb drive they’ve never seen before and decide to check out what’s on it. Don’t believe me? Just ask the Iranian nuclear team (aka Stuxnet). If you as a user click on some link that looks “mostly right” but you’re not quite sure, and it’s asking you to reset your password - DON’T DO IT. This technique is what got former Sec. of State Colin Powell, Sen. Lindsey Graham and John Podesta, all of whom are pretty smart people who hopefully knew they were targets. They got hacked anyway.
As long as employees are needed, which for the foreseeable future is forever, we need to increase our security spending. This needs to go towards improving our security tools, increasing the size of the security team and incorporating frequent security training. Implement stronger and more frequently updated password systems. It’s time for everyone to implement Two-Factor Authentication; it’s cheap and it really works. The current model isn’t working well. If you disagree, please feel free to ask Hillary. - Nathan Vineyard, CTO, Zirrus One