
The Weakest (Security) Link Might Be You

Level 9


In this second post in the information security in a hybrid IT world series, let’s cover why even the best-designed security controls and measures are no match for the human element.

“Most people don’t come to work to do a bad job” is a sentiment with which most people will agree. So, how and why do well-meaning people sometimes end up injecting risk into an organization’s hardened security posture?

Maybe your first answer would be falling victim to social engineering tricks like phishing. However, there’s a more significant risk: unintentional negligence in the form of circumventing existing security guidelines or not applying established best practices. If you’ve ever had to troubleshoot blocked traffic or a user who can’t access a file share, you know that one quick fix is to disable the firewall or give the user access to everything. It’s easy to tell yourself you’ll revisit the issue later and re-enable that firewall or tighten down those share permissions. Later will probably never come, and you’ve inadvertently loosened some of the security controls.

It’s easy to blame the administrator who made what appears to be a short-sighted decision. However, human nature prompts us to take these shortcuts. In our days on the savannah, our survival depended on taking shortcuts to conserve physical and mental energy to get through the harsh times on the horizon. Especially on short-staffed or overwhelmed teams, you save energy in the form of shortcuts that let you move on to the next fire. For as many security issues as may exist on-premises, “62% of IT decision makers in large enterprises said that their on-premises security is stronger than cloud security,” according to Dimensional Research, 2018. The stakes are even higher when data and workloads move to the cloud, where exploits of your data can have further reach.

In 2017, one of the largest U.S. defense contractors was caught storing unencrypted application credentials and sensitive data related to a military project on a public, unprotected AWS S3 instance. The number of organizations caught storing sensitive data in unprotected, public S3 instances continues to grow. However, dealing with the complexity of securing data in the cloud requires other tools for improving the security posture and helping to combat the human element in SaaS and cloud offerings: Cloud Access Security Brokers (CASBs).

Gartner defines CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.” By leveraging machine learning, CASBs can aggregate and analyze user traffic and actions across a myriad of cloud-based applications to provide visibility, threat protection, data security, and compliance in the cloud. Also, CASBs can handle authentication/authorization with SSO and credential mapping, as well as masking sensitive data with tokenization.

Nifty security solutions aside, the best security tools for on-premises and off-premises are infinitely more effective when the people in your organization get behind the whole mission of what you are trying to accomplish.

Continuing user education and training is excellent. However, culture matters. Environments in which people feel they have a role in information security increase an organization’s security posture. What do you think are some of the best ways to change an organization’s culture when it comes to security?

17 Comments
Level 15

Enjoyed the post, thanks!

Level 14

Thanks for the article!

Level 11

Since security is considered the responsibility of everyone, it could be argued that security should be taught in the cradle. This might seem a little odd but it is the logical conclusion to how far should security be pushed out. This would address any cultural issues as well as basic user education. The times they are a changin' and a discussion (or several discussions) need to be held regarding security at a basic level and who needs it. Or perhaps we need to take a step back and say "wait security is an important issue but it's not ALL important".

There are quite cool security awareness tools/solutions around. I have met the guys from Security Awareness Training Software | Wombat Security at a security conference and found their solution quite nice.

Level 13

Nope.  Couldn't possibly be me.  I've met the enemy and it's definitely *not* me.

Thanks for the post!

Level 11

We work with a company called Beauceron that is quite good too for company wide end user training and analytics.

Thanks for the post.

Level 12

The most frequent type of "unintentional negligence in the form of circumventing existing security guidelines" that I see is users trying to deal with senseless policies of difficult to remember passwords that are changed every 30 to 90 days.

Since most of these users know they're likely to forget the password they will write it on a Post-It and stick it underneath their keyboard, in their pencil drawer, or in plain sight on the monitor.

When I had the authority to do so, I implemented a three strikes and you're locked out policy on the domain. A five minute lockout happens after the first strike, and a call to IT was required after six failed attempts. Of course this was eliminated as soon as I moved on because it was "inconvenient" for the users to not allow brute-force attacks.

With 52 possibilities just using upper and lower case letters, the probability of successfully finding a three character password in six guesses is approximately 0.000042.

Level 14

Users are definitely part of the problem. We have just had one phished who entered their Active Directory username and password into a website they linked to from an e-mail because they thought they were winning something from a restaurant chain. How could they possibly think that was OK?

Level 20

People are always the weak link.

Level 9

Thanks for sharing your thoughts! I'm pretty much in the "security should be taught in the cradle" camp. I have an 11-year-old that is starting to use devices and computers without a parent over his shoulder. As a parent, I feel like it's my job to make sure he has basic infosec common sense: like your password shouldn't be a simple 5-character word, don't click on that download link, and don't give out your account information.

Level 9

Hehe. It's not me either! Thanks for reading!

Level 9

Oh my gosh, I'm so with you on those complex password policies that invite unintentional negligence.  If an organization has those types of requirements for passwords, they would be way better served to implement multi-factor authentication/smartcards where users can have passwords that they can actually remember.

Once you go MFA, you won't want to authenticate any other way

Level 12

From time to time, I wonder how much reconnaissance can be done by reading support forums.

Device models, methods, and more could be disclosed, especially in regard to security.

MVP

Securing data is a top priority with most companies, but so often this is just a concept. Many companies don't bother to really determine what should be secured, where it may reside, who has access, etc. In general we have an overall "idea" of these things, but not a real hard answer. For example, most companies have limits in place for where a piece of private data can be stored: "Everybody, put all applications for employment in this folder." However, if someone opens that file locally can they save it on their machine? Their personal drive? Their corporate cloud drive? Their personal cloud drive? The assumption made is that if the document has a "place" that it will live there. It's good to organize and build our data structure but we must go further and plan for movement, other storage and other uses of the data.

Level 13

Thanks for the Article

Level 12

thanks for the article

About the Author
Becky Elliott, a Baltimore native, has worked in Information Technology for 20+ years, mostly as a Government Contractor. In recent years, she has leaned into Tech Community as a NetApp A-Team Advocate, Tech Field Day Delegate, and aspiring “extra credit kid”. She holds a number of certifications including CISSP, Linux+, NetApp Certified Implementation Engineer - SAN.