Two major hacks within the last month, the Sony and CENTCOM hacks, haven't been attributed to poor awareness as of yet, but it is likely that they will be. One of the key issues of the Sony hack was that administrator credentials were hardcoded into the malware. As the theory of disgruntled employees has now been discounted, and the attack appears to be the work of a foreign intelligence agency, it was reported that the credentials were obtained through spearphishing.
In the case of the US Central Command, aka CENTCOM, the organization's Twitter and YouTube accounts were compromised. These attacks are likely very similar to past Syrian Electronic Army hacks, where spearphishing compromised the passwords of organizations' social media accounts. Even if the compromise instead involved easily guessable passwords or password reuse, all of these issues come down to poor security awareness.
Similarly, the infamous Target and Home Depot hacks, which involved the compromise of point-of-sale systems, were initially enabled by spearphishing attacks. The Verizon Data Breach Investigations Report has several categories related to failings of user awareness, and more than half of all incidents it details involve awareness failings.
Yet security awareness programs are frequently treated as minor elements of organizational security programs. The awareness program is frequently the first to have its budget cut, and is usually minimally funded to begin with. While many security programs include some level of phishing simulation, such simulations are not true awareness efforts; they should be considered a small metrics-collection effort within an overall awareness program.
Before discussing this further, it must be acknowledged that awareness efforts should be one piece of an overall security program and part of a defense-in-depth strategy. For example, Sony should have implemented multifactor authentication on its critical servers, so that a password compromise would have had minimal impact. With the Target hack, the network should have been much better segmented, so that vendor credentials would not have yielded access to the same network segment as the point-of-sale systems.
However, as you look at the major incidents that have been making front-page headlines, while costing the affected organizations tens of millions of dollars and great embarrassment, it is clear that security awareness should be taken seriously by all security programs. Organizations need to examine how to better implement awareness programs, and start allocating the appropriate resources to them.
While some people are going to contend that the attacks mentioned demonstrate how awareness has failed, the fact is that they also demonstrate how just about every technical security countermeasure has failed. In the Sony hack, access controls failed. Data leak prevention failed. Anti-malware failed. Encryption efforts failed. In the Target hack, there were likewise failures across the entire attack kill chain, in both technical and non-technical countermeasures. The same can be said for every major hack out there.
However, as users are clearly becoming a primary attack vector, security programs need to acknowledge that more resources, or at least the appropriate resources, should be allocated to strengthening the targeted vector. While the appropriate investments need to be made in security technologies, there has to be an acknowledgement that countermeasures need to likewise address the point of attack.
There is no silver bullet when it comes to stopping attacks. However, as users have been shown to be a primary target for some of the costliest attacks in the history of computer-based crime, security programs need to start applying the appropriate resources to awareness as a countermeasure. Again, this does not mean that you don't also invest in additional technologies that help mitigate user awareness failings; it means you still need to address the primary attack vector as well.
It is time to acknowledge that the most damaging attacks initially target humans, and that a proportionate share of countermeasures needs to be allocated to making humans more security aware. It is not easy, and there are admittedly few people who know how to implement a successful awareness program. However, it is time to take not just the threat, but the reality, seriously and start focusing efforts appropriately.
Ira Winkler, CISSP, and Araceli Treu Gomes can be contacted at www.securementem.com.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.