Most people’s image of cyber-crime comes from the media. A slovenly teenager sits in a darkened room, typing frantically in front of a bank of screens. Cut to shirtsleeved workers, typing in equally frantic defence in front of their screens. At some point the hacker is “through the firewall” and has complete control. Shortly afterwards we see a “downloading” progress bar as the target’s sensitive data is siphoned out.
Clearly, the answer to this threat is more, and better, firewalls. Fancy intruder detection systems. Honeypots. Encryption. Biometrics… In other words, expensive kit, which requires installation, and maintenance, and constant updating. This is a nice earner for the tech industry; in fact, at the moment, it’s probably the nicest available earner.
But this isn’t how it really works. Yes, there are external threats that work through gaps in external security – although most of them are automated. And yes, there are real hackers – although these days they’re better organised, and scarier, than the teenage stereotype. So, yes, you do need decent firewalls, and a good IDS, and encryption, and so on. But none of this will save you on its own.
The majority of successful network penetrations – always bearing in mind that the really successful ones are those we don’t hear about – exploit the weakest link in your defences. You.
Take the Scoular Co. of Omaha – a $6.2bn commodities giant – which was ripped off to the tune of $17m dollars in 2014. No-one penetrated the firewall, or took control of the banking system. There was no virus, no malware, no dramatic keyboard bashing.
Instead, the criminals faked an email from the CEO to the treasurer asking him to transfer funds to an account in China; first $920,000, then $7m, then $9.4m. There was a clever backstory about a hush-hush acquisition of a firm in China, and equally cunning use of apparent confirmation by the firm’s auditors. The treasurer complied, and over four days the crooks profited without ever touching the target’s computers themselves.
Or consider Target, the giant US electronics retailer. In 2013, they lost 40 million credit card numbers (and more than 70 million customer records) to hackers. Yes, this time the hackers compromised Target’s network, installing malware on their point-of-sale terminals to capture the card numbers. But they didn’t force their way in through the firewall – they compromised staff at a contractor, got passwords from them, and used those to get through the perimeter.
What’s worse is that Target had a fully-functioning internal security system that detected the malware – astonishingly, Target’s IT team ignored the alarms this generated. So not only was the original penetration through human frailty, but also its eventual success equally depended on failure of human controls, not technological ones.
Scoular are out $17m, and the treasurer is out of a job. Target is out, some estimate, up to $1bn. Their CIO is history, too. Yet both of these breaches could have been prevented without additional technology, and without external cost. What was needed wasn’t a hardware, software or firmware update, but a wetware update – better thinking.
In Scoular’s case, a bit of healthy paranoia – like checking that the provided phone number for the auditors matched the one in public records (or even in previous emails), or maybe just phoning the CEO to ask if he was serious – together with better compliance education to negate the spurious “SEC regulation” excuse for using a non-standard email address.
In Target’s case, proper rules regarding network access for contractors, with regular audits of permissions and disabling of inactive accounts, combined with – shock! – paying attention to the alarms arising from an expensive recently-installed intrusion detection system.
In your case?
4 thoughts on “Why security awareness training is more important than firewall upgrades”
Great post. Users are the weakest link, and despite millions spent on security defences, including cyber security training , all organisations have one thing in common – most breaches are the result of users.