CYBER SCAPE AFRICA | Q2 2019
Once the email reaches our users and they decide to click, they should be warned not to open malicious attachments or follow links to a malicious site. Our tools should stop malicious programs from loading and from sending data to outside parties, apply DLP, detect keystroke loggers, and so on.
And even if all of the above fails, our network tools should detect both successful and unsuccessful attacks, and if they are unsuccessful, they should start cleaning up and reporting immediately.
So can we really blame the user who, in the middle of a busy day, clicks on a link in an email that looked like a genuine message from their manager? We should stop blaming users; we should stop saying that humans are the weakest link or that there is no patch for human stupidity.
It is our responsibility as security teams, driving security policies and procedures within our companies, to account for the human element of our security programs and of our security landscape.
We should take ownership of this so as to build a security environment where secure behaviours are enacted by default, as these will become behaviours rooted in your company's culture. From the mailroom to the board room, we should engage with everyone in our company to follow security processes and procedures.
Hard coding security into the human part of your network is only one layer of your defence-in-depth model. Along with a secure culture, we should be using zero-trust frameworks, or even move towards a digital trust model network where each user has a specific "digital fingerprint", so that any unusual connection to unusual shares or ports, or a larger volume of downloaded data, would be flagged and investigated.
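As an added illustration of the "digital fingerprint" idea (example code written for this edit, not from the article or from Dreamlab Technologies): a per-user baseline of known shares, destination ports and daily download volume is learned from a constructed access log, and new activity is checked against it. The user names, share paths and byte counts are made up.

```python
# Added example: a minimal per-user "digital fingerprint" check.
# Baselines are learned from past access records; new activity that
# touches an unknown share or port, or pulls far more data than the
# user's usual daily total, is flagged for investigation.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log: (user, share, port, bytes_downloaded, day)
HISTORY = [
    ("alice", r"\\fs01\finance", 445, 120_000_000, 1),
    ("alice", r"\\fs01\finance", 445, 95_000_000, 2),
    ("alice", r"\\fs01\finance", 445, 130_000_000, 3),
    ("bob", r"\\fs02\engineering", 445, 400_000_000, 1),
    ("bob", r"\\fs02\engineering", 22, 380_000_000, 2),
    ("bob", r"\\fs02\engineering", 445, 420_000_000, 3),
]

def build_fingerprints(history):
    """Per-user baseline: known shares, known ports, daily-volume statistics."""
    shares = defaultdict(set)
    ports = defaultdict(set)
    volumes = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    for user, share, port, nbytes, day in history:
        shares[user].add(share)
        ports[user].add(port)
        volumes[user][day] += nbytes
    fingerprints = {}
    for user in shares:
        daily = list(volumes[user].values())
        fingerprints[user] = {"shares": shares[user], "ports": ports[user],
                              "mean": mean(daily), "sd": pstdev(daily)}
    return fingerprints

def check_event(fingerprints, user, share, port, nbytes, z=3.0):
    """Return the reasons an event deviates from the user's fingerprint ([] if none)."""
    if user not in fingerprints:
        return ["unknown user"]
    f = fingerprints[user]
    reasons = []
    if share not in f["shares"]:
        reasons.append(f"unusual share {share}")
    if port not in f["ports"]:
        reasons.append(f"unusual port {port}")
    # Flag a single download larger than mean + z standard deviations of the
    # user's daily total; the max() keeps the threshold above the mean when sd is 0.
    if nbytes > f["mean"] + z * max(f["sd"], 1):
        reasons.append(f"download volume {nbytes} exceeds baseline")
    return reasons
```

In practice the baseline would be rebuilt periodically from real access logs, and every flagged event would go to the security team for review rather than automatic blocking.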
Part of the strategy for patching vulnerabilities caused by the human assets in your network should be an awareness program. We have seen a shift towards more awareness programs, so why are our employees' habits with regard to information security getting worse, as SailPoint research shows?
Maybe we should look at how humans learn. We know from research that our experiences become long-term memories through biochemical synthesis between existing neurons in our brain. Strong and long-term memories are largely the result of a continued flow of information from one cell to the next.
Is it really constructive to scare our users every couple of months with new ways in which they can be exploited? What if we focused instead on cultivating the flow of information about what our users should do, rather than trying to create new neurons, new ways of how they can be exploited, and made sure they are comfortable knowing what they should do, with anything out of the ordinary reported to the security team in their organisation?
Just as I try to give my social engineering targets a positive experience engaging with me, we should be celebrating the successes of our users. We should put the results of our social engineering tests in perspective: while I was able to manipulate someone into divulging sensitive data over the phone, what about all the others who refused to give me any information over the phone?
It is easy to see the failings and focus on them; it is rare to see a focus on the successes.
All this said, I would like to open a discussion about the human element of security in Africa. We should look at the status of our human threat landscape. What can we do to improve the security posture of the users in our organisations, as well as of our loved ones at home?
Sarka Pekarova,
Security Consultant
Dreamlab Technologies