Some of you may be familiar with the Critical Security Controls, a consortium of the security community working to identify the top risks to organizations and the controls that mitigate them. One of the top controls (CC #9) identifies the human element. The challenge is this control simply identifies awareness as important, not which human risks should it be addressing. As such a sub-set of this consortium came together to help identify the top human risks, including CMU, Mandiant, Virginia Tech and MITRE. Our findings are very preliminary and we are looking for more data, however I wanted to share with you what we have learned so far. I will be discussing these top human risks in my presentation at RSA next Wednesday at 1:00pm.
These are the top human risks we found most organizations shared. Not all risks apply to all organizations. Also, these are NOT listed in any type of priority. Note my own personal comments for each risk.
- Lack of Situational Awareness: One of the top risks is people simply not realizing they are a target, and thus not engaged in any security program or not changing behaviors as a result. For more high-profile targets there is also the issue of making people aware of APT. Another common misconception is that since organizations have security teams and security technology in place, employees do not have to engage in secure behaviors as technology will prevent all attacks.
- Phishability: No surprise here, just about every organization involved identified phishing as one of the top human risks. Keep in mind phishing does not apply to just email but also messaging (Skype, Facebook messenger, etc).
- Password Reuse: BIG surprise here. I assumed passwords would hit the list, but because passwords were not complex enough. Not the case, the problem is not just complexity but people are re-using passwords for multiple accounts, including crossing both work and personal. Once the bad guys have one of your passwords, they have free reign within the organization. Also, we are starting to see that complexity is not so important as password length, think focus on passphrases.
- Using Unpatched / Poorly Configured Devices (BYOD): Systems and devices not secured or patched. You would be surprised at how many people do not realize that to keep your systems secure you must keep it updated. While not just a BYOD problem, this problem is amplified as more BYOD is introduced into organizations.
- Indiscriminate Use of Mobile Media: This is especially true for organizations that depend on physical air gaps to protect them. Can we say Energy/Utility/ICS space anyone?
- Data Leakage via Social Networking: The issue here was not so much sensitive information about organizations being leaked (though it does happen) but people NOT realizing that all the tid-bits of personal data they release are used to create complete pictures about them and used by advanced threats.
- Accidental Disclosure / Loss: People losing laptops, having mobile devices stolen, or accidentally emailing the wrong person with sensitive data (auto-complete in email anyone). We often forget that fact that many incidents are not caused by malicious intent, but by good old fashion mistakes.