Several years ago, while on a walk, my lively Pomeranian took notice of a few birds. They also took notice of her and nearly immediately took flight, reacting to what they perceived as impending danger. This was nature’s warning system in motion. The few birds' reaction to the threat caused the entire flock to become aware of the danger. This "safety in numbers" behavior intrigued me. Often in nature, an organism is more secure in a community than alone. I wondered whether this ecosystem principle could apply to employees, with the goal of enhancing the organization’s overall security posture. Evidence has shown employees can often be liabilities when it comes to security. Yet this begs the question: If assessed, trained and armed with the right tools, could employees represent a hidden security protection force to be harnessed?
The Rise of Human Hacking
Due to the advances in technology and the greater need for convenience, the IT landscape has evolved, making information security increasingly more complex. Security walls are crumbling and organizations, now more than ever, are faced with the challenge of supporting an efficient workforce while protecting against the possibility of a devastating information security breach. Attackers have seen this changing landscape and have expanded their attack surface to include human hacking, also known as social engineering. As evidenced within the Verizon 2015 Data Breach Investigations Report, over the past several years, successful data breaches that included a component of social engineering attacks have steadily increased. This is an increasingly concerning trend.
The Root of Human Vulnerability
As humans, we play a big role within the organizations we work for and contribute towards. In many senses, a human may actually be viewed as a kind of a computer; an Organic Computer. We hold valuable information such as usernames and passwords. We operate, use and access the company’s computers to do our work and in doing so, we may be fooled by others (e.g. in the form of an email) into accessing information that hides dangerous malware. A recent Intel Security quiz showed that of the more than 16,000 test takers, 80 percent fell for at least one in seven phishing emails. These numbers are alarming, especially when we realize hackers only need one employee to fall victim in order to gain access to an organization’s valuable data. But what is the root of our vulnerabilities? Throughout our evolution, we learned to overcome harsh natural environments by relying on each other. We learned to inherently trust others in our community because this has enabled us to survive longer. Yet, due to our social nature and our dependence on others, rooted in our natural desire to survive, we are vulnerable to lies. This is a grim reality. However, as opposed to considering the employee as a security liability, I have a more optimistic perspective.
“Instead of considering humans as a security liability, contemplate the harnessing and utilization of human vulnerabilities for our benefit”
Training, Assessing and Harnessing the Intelligence
As security professionals, we understand the importance of regular vulnerability assessments of our IT infrastructure, as well as remediation of findings to drive out risk. However, by and large, we minimize the assessment of our employee population as part of this program. Certainly, assessing and training won’t render us immune and we may still fall victim to social engineering attacks. However, evidence has shown that security awareness training and behavior training systems have significantly reduced the incidence of human compromise to security related events. Taking this to the next level, we can utilize the intelligence gleaned from our organic computer assessments, to bolster an organization’s security posture. I see this as crucial element of the next wave of cybersecurity and envision a system which, among other capabilities, achieves this concept by integrating human security awareness assessments with IAM systems. For instance, even though an IAM system may authenticate a user’s identity during a user’s login request, this user may be refused access on the basis that the user has poor security awareness assessment results. With this integration, an organization’s security program is bolstered in that it catches more real social engineering threat attacks.
Safety in Numbers
Just as the saying goes “One Man’s Poison is another Man’s Medicine”, instead of considering humans as a security liability, contemplate the harnessing and utilization of human vulnerabilities for our benefit. Our natural tendency to trust and rely on others may be used to our advantage. For example, there are several existing security solutions which offer human behavior based training which enables an organization to continuously raise awareness within their employee base of the dangers of phishing. Some solutions include a feature that allows employees to notify the entire community whenever an employee becomes aware of a real phishing event. Does this seem analogous to the security in numbers of the few birds alerting the entire flock? I believe this concept need not be limited to phishing, but can be used for all suspected security attacks. Imagine a web based social media enabled system, inclusive of gamification, which allows all employees of an organization to share their experiences related to imminent attacks. I sense it is similar to using an employee base as a grid of organic Intrusion Detection Systems acting as a security overlay that compliments an organization’s existing security infrastructure.
Information security defense has become exponentially more complex and challenging. The attackers have several advantages: they need not stay in one place, they may hide, time is on their side and they may leverage the susceptibility of employees in order to achieve their desired prize. As defenders, we have a disadvantage in that it is difficult to continuously move our fortress to evade the attacker. A strength we must take advantage of is our ability to harness our individual human awareness to achieve a “protection in numbers”effect. This has proven successful for many natural ecosystems. We defenders are not fighting a losing war. We are not even part of a war; we are simply surviving within a natural, ever changing physical and virtual world.