The Human Side of Security

For those who read my columns on a regular basis you know that I don’t shy away from taking on the security industry when I believe it’s warranted. Full transparency is something I believe in strongly and is a trait that our customers and partners have come to rely upon. I also believe in recognizing good work and despite the fact that you can read about a new attack or new breach on what seems like a daily basis, the reality is, my colleagues in the security profession do a great job and the technology and software typically works as advertised.

So the next logical question is, where are the breakdowns and why are they happening with such regularity? When it comes to cyber security there are two indisputable facts. One, a network is only as secure as you make it and two, human behavior will always be the weakest link in the security chain. This is not a new problem. From an unsuspecting coworker walking an “electrical worker” into a server room to “someone from IT” calling you on the phone who needs your password to reset it, this has been going on forever. Despite the billions of dollars spent annually by government and private industry to protect their networks and critical data assets, the large majority of breaches can be tied directly to human error and/or a breakdown in protocol.

Right now, one of the simplest, yet biggest, problems facing the security industry is weak passwords. From a logic standpoint, this would appear to be among the easier security problems to fix, as it doesn’t require additional investment or advanced technology, simply a change in user behavior. Yet despite the fact that the large majority of security breaches have been traced back to weak or default passwords as the cause of the vulnerability, security teams continue to struggle and report little to no progress on this front.

Early in 2013, in its annual Data Breach Investigations Report (DBIR), Verizon stated that approximately 90 percent of the successful breaches from 2012 that it analyzed started with a weak or default password, or with a stolen and reused credential. Passwords become less and less secure as cracking technologies advance, and the biggest issue is that user behavior has not adjusted. In fact, the plethora of sites requiring login credentials often forces users to fall back on a limited number of password combinations in order to keep track of them, which in turn leads to additional vulnerabilities, not fewer.

It is estimated that more than 90 percent of user passwords are susceptible to being cracked, and that despite repeated warnings, users continue to create common passwords, or passwords based on information that is easily obtainable online by would-be attackers.

The reason I stress this point so emphatically is that passwords are THE single point of failure in most networks. When it comes to authentication and authorization, logging in with a password only proves one thing: that you know the password. So from a network perspective, whoever holds the password holds the keys to the critical information contained within.

The fact that users continue to create passwords that are so easily compromised represents a security problem of epic proportions that is directly tied to human behavior. To combat this growing problem, we need a renewed focus on security fundamentals and easy entry points. A good starting point is the elimination of the term “password” altogether. If you are still using a single word for security, you are already at a disadvantage: simple passwords are too easy to crack. Passphrases and complex passwords using a combination of letters, numbers, and unique characters should be the norm, not the exception. The argument that they are too difficult to remember or keep track of is easily addressed through the use of password managers.
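To make the "single word versus passphrase" point concrete, here is an added example (not code from the column or from CORE Security) of a simple password-policy check: it estimates the brute-force search space of a candidate and, separately, flags a candidate that is really just one dictionary word dressed up with digits or symbols. The tiny word list, the 60-bit acceptance threshold and the 33-symbol punctuation alphabet are assumptions chosen for illustration.

```python
import math
import re

# Constructed stand-in for a cracking wordlist (assumption; real lists hold millions of entries).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

MIN_BITS = 60.0  # assumed acceptance threshold for the brute-force estimate


def charset_size(pw: str) -> int:
    """Size of the alphabet a pure brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space (assumption)
    return size


def bruteforce_bits(pw: str) -> float:
    """log2 of the brute-force keyspace: length * log2(alphabet size)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def is_single_dictionary_word(pw: str) -> bool:
    """Strip digits/symbols and case: 'Summer2013!' is still the single word 'summer'.

    A wordlist-based guesser applies exactly these mangling rules, so the
    appended characters add little real resistance.
    """
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in COMMON_WORDS


def assess(pw: str) -> dict:
    """Apply the policy: reject single dictionary words, require MIN_BITS of brute-force work."""
    bits = bruteforce_bits(pw)
    single = is_single_dictionary_word(pw)
    return {
        "bits": round(bits, 1),
        "single_dictionary_word": single,
        "accepted": (not single) and bits >= MIN_BITS,
    }


if __name__ == "__main__":
    for candidate in ["password", "Summer2013!", "correct horse battery staple"]:
        print(f"{candidate!r}: {assess(candidate)}")
```

Note that "Summer2013!" scores well on the brute-force estimate alone; only the dictionary check exposes it as one word, which is why a policy must combine both tests.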

While weak passwords continue to represent the largest threat to cyber security, they are only one item on a much larger list of things that can compromise a network based solely on human error or lack of awareness. Through my work with the government, I recently had the opportunity to witness firsthand the potential for multi-million dollar sophisticated technology to become compromised simply by plugging an unauthorized device into a USB port. While not malicious in nature, a lack of awareness on the part of users and a lack of oversight by security teams could lead to massive and traumatic network failure.

Thinking Security

The more points of security failure that sit in the hands of users, the greater the risk of increased vulnerability. I’ve read both sides of the debate on whether it is beneficial to invest in training users on the importance of security protocols. Some say teaching users how their actions can have a far-reaching impact on an organization’s ability to protect its critical data is a good idea; others say it’s not. My response, while results continue to be mixed, is that it’s still incumbent on organizations to try. Similar to the “War on Drugs,” you have to try. I also strongly advocate for the use of predictive security intelligence. While you will never completely remove the human failure element of security, predictive capabilities can help teams to more accurately home in on areas of likely attack and potential vulnerability.

I remember reading a quote from the director of the U.S. Secret Service which, and I’m paraphrasing here, said that if it were up to them, the President would never leave the White House in order to greatly increase their chances of successfully securing him. I’m sure most security teams would agree and if it were up to them, humans would never be allowed access to the network, easily avoiding the certain creation of vulnerabilities. Unfortunately, that is not practical either, so it is left to our industry to find a way to deal with the human side of security. Any takers?

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts and a BA Communication from Westfield State College, Massachusetts.