Time to reprioritize security awareness efforts

The Sony, CENTCOM, and just about every other major attack are proving that poor awareness is costing organizations a lot of money.

Two major hacks within the last month, the Sony and CENTCOM hacks, haven't been attributed to poor awareness as of yet, but it is likely that they will be. One of the key issues of the Sony hack was that there were administrator credentials hardcoded into the malware. As the theory of the disgruntled employees has now been discounted, and it appears to be the work of a foreign intelligence agency, it was reported that the credential were obtained through spearphishing.

[ A security awareness success story ]

In the case of the US Central Command, aka CENTCOM, the organization's Twitter and YouTube accounts were compromised. These attacks are likely very similar to past Syrian Electronic Army hacks, where spearphishing compromised the passwords of organizations' social media accounts. Even if it involved easily guessable passwords, or password reuse, all of the issues involve bad security awareness.

Similarly, the infamous Target and Home Depot hacks, which involved the compromise of point-of-sales systems, were initially enabled by spearphishing attacks. The Verizon Data Breach Investigation Report has several categories related to failings of user awareness and more than half of all incidents detailed involve awareness failings.

Yet security awareness programs are frequently treated as minor elements of organizational security programs. The awareness program is frequently first to have its budget cut, and usually is minimally funded to begin with. While many security programs include some level of phishing simulation, such simulations are not true awareness efforts, but what should be considered a small metrics collection effort within an overall awareness program.

Before discussing this further, it must be acknowledged that awareness efforts should be a piece of an overall security program and a part of a defense-in-depth strategy. For example, Sony should have implemented multifactor authentication on its critical servers, so that a password compromise would have had minimal impact. With the Target hack, the network should have been much better segmented, so that vendor credentials should not have yielded access to the same network that included the point-of sales systems.

However as you look at the major incidents that have been making front page headlines, while costing the effected organizations tens of millions of dollars and great embarrassment, it is clear that security awareness should be taken seriously by all security programs. Organizations need to examine how to better implement awareness programs, and start allocating the appropriate resources to such programs.

While some people are going to contend that the attacks mentioned demonstrate how awareness has failed, the fact is that they also demonstrate how just about every technical security countermeasure has failed. In the Sony hack, access controls failed. Data leak prevention failed. Anti-malware failed. Encryption efforts failed. In the Target hack, there was likewise a failing in the overall attack kill chain, comprised of both technical and non-technical countermeasures. The same can be said for every major hack out there.

However as users are clearly becoming a primary attack vector, security programs need to acknowledge that more resources, or at least the appropriate resources, should be allocated to strengthening the targeted vector. While the appropriate investments need to be made in security technologies, there has to be an acknowledgement that countermeasures need to likewise address the point of attack.

There is no silver bullet when it comes to stopping attacks. However as users have been shown to be a primary target for some of the costliest attacks in the history of computer-based crimes, security programs need to start applying the appropriate resources to awareness as a countermeasure. Again, this does not mean that you don't also invest in additional technologies that help mitigate user awareness failings, but you still need to address the primary attack vector as well.

It is time to acknowledge that the most damaging attacks initially target humans, and that a proportionate amount of countermeasures needs to be allocated to making humans more security aware. It is not easy, and there are admittedly few people who know how to implement a successful awareness program. However, it is time to take  not just the threat, but the reality seriously and start focusing efforts appropriately.

Ira Winkler, CISSP and Araceli Treu Gomes can be contacted at www.securementem.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitysecurity awarenesstwittersonyyoutube

More about Home DepotSonyVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ira Winkler and Araceli Treu Gomes

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place