Security Starts With People, Unfortunately.

One of the findings of our investigations pointed to a compromised account as a possible cause of the cyberoperation.
While I was reading the results, I thought, “That could have been me. In fact, it could have been any of our employees,” and I began asking myself what I as an individual could do to increase the security of the company I’m working for.

Let’s face it, most of the risk is produced by us humans and our behavior.

Everyone who’s been in IT for a while knows the basic rules of how to use the internet securely, avoid traps, and increase both security and privacy. But quite often, we don’t apply that knowledge, for various reasons.

In a work-from-home world and the changed way in which we access resources, the situation clearly didn’t get any easier. If we’re lucky, we have a little office for ourselves at home, but in many cases that’s just not possible, and we work from the kitchen table or whatever place is available. It’s all right, we get the job done. But the familiar scenery blurs the lines of work and being at home, and there’s one important lesson to learn here:

Our appetite for risks is, most likely, different compared to how our employers would see it.

So, I started with a few really obvious points, and one of them is passwords.
I’ve used a password manager for private browsing for many years now, but still used a pattern in my passwords with just a few variations. Now I took a weekend or so to check how I’m doing and discovered loads of potential risks, pitfalls, and instances of pure embarrassment. I’ll spare you the details. While I was at it, I checked my credentials for identity theft—as it happens, I used a SolarWinds tool for this task, but free resources like https://haveibeenpwned.com are useful, too.
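Checking a password against the Pwned Passwords corpus mentioned above can be done without handing the password (or even its full hash) to the service: only the first five hex characters of the SHA-1 leave your machine, and the returned range is searched locally. The following is an added example, not the author's or SolarWinds' code; the range response body it searches is constructed for offline use, and the endpoint in `fetch_range` is the real one if you want to run it online.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response ("SUFFIX:COUNT" per
# line) for the prefix 5BAA6. The suffix on the third line is the real SHA-1
# remainder of "password"; the counts and the other suffixes are made up here.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E6E6C8E1ED9A6E3C1B5F3B0C5E7A9D2B11:5
"""


def split_sha1(password):
    """Hash the password with SHA-1 and split the hex digest into the
    5-character prefix that is sent to the service and the 35-character
    suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_for_suffix(range_body, suffix):
    """Search a range response locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Query the k-anonymity endpoint for one prefix (network access needed)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "pwned-check-example"},  # hypothetical UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_body):
    """Return how often the password appears in the supplied range response."""
    _prefix, suffix = split_sha1(password)
    return count_for_suffix(range_body, suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed body; for a live check use
    # breach_count(pw, fetch_range(split_sha1(pw)[0])).
    print(breach_count("password", SAMPLE_RANGE_BODY))  # → 3730471
```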

I’m now using 100% unique passwords everywhere and MFA for my email accounts, my password manager, and any site with my payment information, and I even created different email addresses under my domain for particular services. 

Paranoia? Well, not exactly.

You might wonder how this could possibly improve corporate security. It’s simple: I’m using loads of web services, and any one of them could become compromised, including my account information, so attackers potentially see my personal data. And while I’m not a C-level executive, it’s effortless to find out whom I’m working for, which could make me a possible target for spear-phishing attacks. That brings me to a more direct threat.

Phishing and social engineering. Old news, still valid.

Imagine this scenario: Someone you used to work with for a few years approaches you on social media. The discussion starts with harmless blah blah blah, but suddenly, there’s “Tell me, is account X still one of your customers?” And folks who talk before thinking would reply “Oh yes, but we didn’t do as much business with them as we used to.” Oy! What did you just do?

Yes, I know, that’s a very cheesy example, but it’s easy to understand.

Where’s the risk now?
Well, your former colleague might be working for a competitor and will now reach out to that account, and eventually, the business with them is lost for your company.
But can you be certain your ex-colleague is who he or she says they are?

Maybe that social media account is compromised and now being used to get insider information from you. It could happen so quickly. 

Upon checking LinkedIn, I see many former co-workers still use their SolarWinds-branded portrait pictures with the orange background. I get it, it looks admirable, and I’m sorry if your new employer uses pink for their corporate identity, but you’re no longer part of our family.

Even worse, it’s not always easy to know if someone still works in the same company. Departures aren’t always announced (“After seven years we finally got rid of Sascha”), and the bigger the company, the more frequently moves happen, so it gets confusing.

I’m too lazy to check if a person is still active in AD. I just don’t discuss any corporate matters on social media, period. Ping me on Teams instead.

So many tools out there!

I’m bilingual. Depending on my mood, I start writing stuff in English or in German, and I’m going to translate it into the other language later, so I can use it for different audiences. In the past, I’ve been lazy and used a free web service for the first translation and fine-tuned it afterwards.

I’ve tried a few services and found an excellent one, but now I’m thinking it’s free for a reason. What happens to the text I’m entering into the system?

Yes, sure, there’s “just” an AI interpreting what I’m trying to say and doing all the heavy lifting, and the AI won’t spy on me, will it? It feels a bit weird now that I’m being a bit more cautious. Surely, it doesn’t matter for text like this, but there’s other stuff I don’t want to be seen anywhere outside my company too soon.

The same applies to any form of free file conversion (PDF, pictures, etc.) on random websites, or syntax verification for JSON and friends. No one knows if there’s just a simple and innocent script running, or if all the content is going to be recorded, including IP address, browser fingerprint, and other stuff which can be used to further identify the source.

Everyone is part of the security team.

There are so many other things which should be obvious, but for plain convenience we’re bending and bypassing rules and increasing risk for ourselves and our employers.
No, even if you’re a local admin, it doesn’t mean you have to install the same stuff you’re used to at home. You are at home? But it’s not your machine.

We aren’t just employees, we’re part of the extended security team, too.

Even if the invisible tinfoil hat starts itching, stop for a second before you put things in motion. Reflect on your behavior and possible consequences. Be a pessimist! They live longer.
Even if it means that you can’t click on those cute cat pics anymore.

Although, I’m not convinced. Cat pics are always harmless, aren’t they?

Anonymous
  • In the era of FOMO and instant gratification, and the fact that we as humans always think the best of people, common sense goes flying out the window (at warp speed!). The human element will always be the weakest link in the security chain. Train your folks on what to be wary of and test them on a regular basis. I've always preferred the term "security awareness"....  Shields up and stay vigilant my friends!
  • Everyone truly is part of the security and patching team. Unfortunately, most do not understand their role.

    So when there is a reboot to install patches, let it happen.

  • Sorry, but cat pics are the absolute worst. Keep them in your wallet Joy

    The primary problem with security (IMO) is that software/website/etc creators don't make it easy to be secure. They need to make security second nature for people like my wife. It's all well and good an IT pro being aware of how to be secure and using an offline password manager, but just try telling that to my wife.

    I've spent the best part of two decades telling her and still the message doesn't get through.