Cyber criminals are assumed to be bad guys who attack and compromise technology. To some level there is some truth to it though it’s important to note what distinguishes them from pickpockets and other criminals is that they commit their acts aided by technology- computers, mobile devices and use of the internet. However, if we critically analyze the breaches of the day its clear it merely an attack on human weaknesses.
Security breaches are successful thanks to bad habits ingrained in humans.
In the current year – 2016, there has been millions of social media accounts leaked on the dark web. Majority of the breaches originating from 2012 – ‘the year of breaches’ which reveals humans soft spots. The safety and secure storage of passwords for the profiles is purely responsibility of the social media sites. However users will want to use simple passwords so that it’s easy to remember -that’s a good excuse. Humans are lazy so for the different platforms they opt to replicate same simple word across various platforms. The most peculiar aspect is despite being informed on the risk of doing so and several incidents on the media, humans just ignore. It won’t happen to me so why should I care.
Dance with the devil
Ransomware an attack on our fears -losing our crucial data. Due to humans poor habits(failing to back up or patch out systems), ignorance and our curiosity(we want to click everything that comes out way) and failing to take preventive measures we end up dancing to cyber criminals music.
Cyber criminals know that if they take control and deny access to data, humans will be willing follow their command. That by itself gives Ransomware popularity is more rewarding to the cyber criminals. Humans fail to do the basics are mentioned earlier, the cyber criminals know this facts so they know once they encrypt data/drives, the owners will be willing to pay them to gain access to their data. Think of it this way cyber criminals see a ready and vibrant market for ransomware.
An attack on culture, corporate politics and authority & power
CEO Scam is an attack on corporate culture. A simple email crafted and purporting to be sent by the CEO or other senior executives has lead to massive losses. As we were growing up we were talk to respect our seniors (which are a good thing) in other cultures one isn’t supposed to question those in authority or their seniors. These cultures are transferred to organizations and those in authority aren’t supposed to be questioned even when a junior doesn’t think a certain situation is right. Malicious actors are attack that culture that has been cultivated in organizations so an email from CEO requesting funds tranfer will be acted on by a junior staff.
In addition, corporate governance remains on papers. In reality executives will abuse majority of policies/procedures in fact due to the positions they hold they are exempted from following policies, standards. They also accumulate so much power that even questioning what looks logical is is unthinkable by a junior.
The game of minds. Based on the above scenarios bad guys are able to execute a smooth heist. No use of sophisticated tech apart from an email and a client of course to send out the email.
Too much focus is spent on protecting tech and yet the criminal is after the people. An old saying no comp attacks the other (again depends on how you look at it). The threat landscape is ever growing and getting more sophisticated and trying to catch up is a mouse-cat race. We expect more attacks on humans as there is a high chance of success and yes humans have weaknesses that can be easily be easily be exploited.
Known known vs unknown unknown
We can always protect ourselves from the known knowns as we are familiar with the threats and have an idea of how to mitigate them. However the head-ache begins when we have to deal with the unknowns. Most enterprises find themselves dealing with unknowns which overwhelm their cyber security measures. To address the unknowns Threat Intel and Security Analytic have proved to be effective. Sophisticated and dynamic threats need to be dealt in equally measure. However, the Security Operations teams need to know how to make sense of Intel and act on actions from the tools. Responsibility goes back to humans to dissect and action on them.
Time to change the game!!!
It’s the point we realize the battle is against humans that we can best secure investments/identity and economies. It’s critical to secure technology and once we miss the human weakness the war is already won by the bad guys. They are like you and I (maybe more curious, inquisitive) they don’t just see us as fellow humans beings but as humans who have weaknesses that can be exploited to gain or take control of technology.
2018 © Villbo Group Limited.