On October 5-6, the Cyber Security for Critical Assets – MENA was held in Dubai and was organized by Qatalyst Global. I was honored to be the Chairman of a Panel discussion with panelists hailing from various industries: Du Telecomms (Telecommunications), Air Liquide (Oil and Gas), American University of Sharjah (Education) and Emirates Investment Authority (Financial). The panel discussion’s subject was Advanced Persistent Threats (APT).
APT’s are described, as the term states, as Advanced and Persistent. They are all means to get into an organization’s network for specific purposes – to steal customer information, blue prints, trade secrets, financial records, and more. The attackers have a specific intention to use the stolen information to damage an organization’s reputation. These information are your crown jewels. Those who try to penetrate your network are the actors, and the people holding the information that they need are the targets. And in most cases, the targets — your employees, are the weakest link.
Well, I’m not going to talk about APT’s here. But rather, the things that we can do to at least protect our organization’s crown jewels from these APTs.
How extensive is your organization’s awareness campaign regarding information security? Is your security policy communicated, understood and strictly implemented? It was surprising that a number of presenters during the conference included a slide or two in their presentation about the human resources being the weakest link and being the reason for most Cyber Security incidents in most organizations. It’s a reality. It’s the reason why all threats are not Advanced or persistent: hackers can easily penetrate your system without huge efforts at all.
Let’s see some of the common employee behaviors that can jeopardise a company’s security policy:
On Password policy:
The use a of a complex password. Users’ reactions:
- “It is difficult to assign a complex password. I will easily forget it and my account will get locked.” Now it’s your fault IT Security Department!! And it’s your problem if you have an increase in requests to unlock user accounts.
The past 6 passwords cannot be re-used. Users’ reactions:
- “I have used the names and birthdays of all my family members including my ex-girlfriends!!!” (Now you’re the reason why he can’t forget his ex because he enters her name and birthday until the next 60 days!)
On Malicious Emails:
A mail is received and it says “This mail may contain malicious attachment. Do not open.” (Obviously this is a hacker’s strategy.) Inspite of awareness campaigns, some users’ reaction:
- “Do not open? Why not? Let’s see.” (And now the attachment was opened and welcome Mr. Hacker!)
An email with attachment, not even giving you a proper greeting, with grammatical error, and with a subject “Wire transfer of USD 7,500 to your account.” User’s reaction:
- Opens the email, opens the attachment, and worse, provides an email and password or account number as requested in the attachment. (Ignorance or greed?)
On the use of USB Sticks and ports
A USB is found. Users’ reaction:
- “Yahoo!! I found a USB. I’ll just delete the files and make it my personal device.”
The USB ports are deactivated. Users’ reaction:
- Why do you have to deactivate the USB. Everyone’s charging their phone via the USB port!
It must have been known that the deadly and highly destructive Stuxnet was delivered through a USB drive that carries the deadly payload that infected Iran’s Natanz nuclear facility. Candy Drop!!!
Spending on Training, Awareness and in-house security activities
Investing in employees’ training and awareness on information security does not at all times involve budget. Certain policies can be implemented strictly such that the awareness level is high at all times. This can be done through:
- Inclusion of the IT Security Policy during induction or new hire orientation.
- A quarterly newsletter or communication reiterating specific policy;
- A penetration testing if resources are available in-house;
- Sending an intentional malicious email and see how many employees open the attachment;
- An annual VAPT
Indeed there are international standards, government and federal requirement. Employees, and I’m sad to add, management in some organizations, view these as simply documenting the requirements. Not everyone sees the importance of real compliance (not on paper but in action), the importance of policies, the training and awareness.
Unfortunately, as long as these policies are simply written and the Certificate of compliance is simply framed elegantly on the wall, we as the CISO’s still hold ourselves responsible for any security breach. And if that’s the case, we become part of the employees whom we call the weakest links. All of us, from employees, to the IT Security Department, to the Management are all candidates to being the weakest link. Will we allow that? Are we happy to hear that we are one of the weakest links?
Our role as CISO’s was never easy. Information Security, like quality, is everyone’s responsibility.
Interested in Cybersecurity training, experienced a breach, looking for a cybersecurity vendor? Reach out to us at VUL9 Security Solutions