Defending Against the Human Vulnerability in Cyber Attacks

Posted September 20, 2022

In the world of cybersecurity, our conversations often center around defending against attack strategies such as phishing or monitoring attack trends such as ransomware. But in the end, ransomware only becomes ransomware when the attackers decide to monetize the breach through a ransom demand. Analyzing the origin of the breach is far more informative to prevention than the hacker’s demand of ransom. While million-dollar ransoms make great headlines, each of those ransoms likely started with either a credential attack, phishing attack, or exploiting a system vulnerability. And defending against these attacks means plugging those vulnerabilities. According to Verizon’s 2022 Data Breach Investigations Report, over 80% of attacks exploited one of these attack vectors.

The common denominator in each of these frequently exploited attack paths is the human element. Humans choose weak credentials, reuse credentials, or store and transmit credentials insecurely. Humans fall victim to phishing attacks and reveal personal or corporate sensitive information. And humans make up the system administrators who misconfigure applications or don’t patch systems allowing for easy exploitation of vulnerabilities that could have easily been secured. Defending against attacks becomes exponentially more difficult when employees are leaving the front door open.

The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.

— Verizon 2022 DBIR

Protecting against our human vulnerabilities requires a proactive approach to segmenting our data and systems — cordoning off information so a breach in one area can’t move laterally across our system. If we assume someone will eventually leave the front door open, we want to make it difficult for an intruder to move freely from office to office.

It requires explicit verification and authorization of users based on all data available including the device used, location, the services, and hardware-bound multi-factor authentication (MFA) to eliminate credential attacks. Users should not be able to log in from multiple locations easily. If an employee was logged in from the office in Minneapolis this afternoon are they really trying to log in from Russia in the evening?

It requires limiting user access based on the principle of least privilege to only allow access to what they need to complete a given task in a pre-determined amount of time. If a low-privilege user falls victim to a phishing attack, you should be able to rest assured their access level did not give up information allowing for a further attack.

And it requires creating an internal mindset to accept the reality that your organization is likely under attack every minute of every day. Assume a breach is happening and actively monitor your environment to protect against the ongoing threat. Employees and vendors should feel comfortable reporting unusual activity without second-guessing their decision. And they should know exactly how to report the activity because they have been trained to be on guard. This mindset is encapsulated by adopting a zero-trust security model.

If we know our systems are under attack and we know the human element is our greatest weakness, we proactively prepare for the eventual breach through data protection, secure backups, and a breach response plan to restore critical systems. This includes:

Implement automated backups of all critical systems and regularly test backup integrity.
Protect backups from inclusion in a system breach.
Regularly test your breach response and disaster recovery plans and separately protect these plans from inclusion in a breach

Defending against the human element is an added challenge to any security plan but the right training, configurations, and security policies will harden your systems to attack. An ounce of prevention could be worth avoiding millions in ransom.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.