In the famous Hollywood movie "Catch Me If You Can," Leonardo DiCaprio portrays Frank Abagnale Jr., a conman and check forger turned security consultant for several banks and law enforcement agencies, including the FBI. Several nuggets of wisdom are attributed to him, but the one that is apt here goes as follows:
"Every case involving cybercrime that I've been involved in, I've never found a master criminal sitting somewhere in Russia or Hong Kong or Beijing. It always ends up that somebody at the company did something they weren't supposed to do. They read an email, went to a website they weren't supposed to."
Whether it is the attacker looking to gain financial information or the perverse pleasure of seeing you in pain, or the employee who has inadvertently left a door open that can be exploited, there is always a human in the chain of attack. Enterprises need to look at the constituents from whom this risk emanates:
· Those who use technology
· Those who implement technology
· And finally, those who help secure the technology
Social engineering attacks are targeted at the first segment of the populace. In the old days, if you wanted to glean sensitive information about any company, all you had to do was land up at their favorite tea stall and eavesdrop on the employees sharing sensitive company information over a cup of Chai. In the digital world, however, the new C.H.A.I. stands for Curiosity, Hubris, Apathy, and Ignorance, the traits that are essential elements for carrying out social engineering-based attacks. Meet the HUMAN MALWARE, the most dangerous malware of all; this has become the most effective vector for carrying out cyber-attacks.
Lack of security hygiene while implementing technologies is the second area, and it is the most commonly used threat vector. The worldwide ransomware attack in 2017 and 2018 came because of a known vulnerability in the Microsoft operating system that had gone unpatched for several months. The episode did bring much-needed light to security hygiene while building, implementing, and using technologies; however, a lot of distance still needs to be traversed. The teams responsible for application development, cloud implementations, and infrastructure builds need to incorporate adequate security processes as part of their project lifecycle.
The security teams within organizations are the last line of defense, which may sound controversial. Still, no technology can address security challenges of "Stupidity" – like poorly crafted code or clicking on links that are not safe. Having said that, there are challenges within this last line of defense as well. Firstly, most security technologists generally lack the business context and make decisions that may not be optimal for the organization. Secondly, as per a recent report, 35% of a company's security products have overlapping features, and 80% of the products are misconfigured, leading to gaps in cyber-defense.
Organizations that have been unfortunate enough to see their defenses breached need to assess what element of human proclivity was exploited, with an intent not to punish but to educate and improve. As they say, cybersecurity is everyone's problem; depending only on technology or security teams is foolhardy and a sure-shot recipe for disaster.