The weakest link when defending our information systems and networks is, of course, the people who use the network. These people serve in two primary roles: user and administrator. In this post, I’ll discuss these types of users and how they can impact a deterrence strategy.
A user is anyone who logs on and uses the resources available on the network. A low-level employee with low technical skills can be susceptible to a variety of external threats, particularly those involving social engineering. They can also be careless, such as using weak passwords like “Spring2018” or “Football123”.
Another type of user that can weaken the system is a temporary employer or contractor. An IT contractor may require considerable access to the network in order to perform their role, and they may not be as trustworthy or as vigilant with passwords and network security practices as a full-time employee. In addition, due to the complexities of inter-departmental communication in large organizations, the user account of a highly privileged contractor may not be restricted or terminated in a timely manner after they have completed their project and left the organization.
In some cases, a staff member may have a gripe against the organization and intentionally cause harm. For example, news reports occasionally tell the story of a member of a government organization who leaked sensitive, secret information to the press for personal reasons.
Administrators, even security administrators, can inadvertently weaken the security of a network. An organization may be proactive enough to purchase and install high-tech security devices, however, the act of properly configuring, monitoring, and maintaining those devices is an entirely different matter. If the administrator makes a mistake, or, more likely, overlooks one of the many configuration details, the network may be left exposed.
Hackers are well aware that people are the weakest link in defending information systems and networks. Any competent hacker will perform reconnaissance on a target before initiating an attack. During this phase, the attacker will research the network users and look for obvious vulnerabilities. Some activities include:
- Create a fake profile on LinkedIn as a recruiter, connect with an employee on Linked In, review their contact list, and then build a list of employees of the target organization.
- Create a list of employee email addresses and login names.
- Draft phishing emails to lure in employees.
- Attempt to remotely log into the network using employee login IDs and typical passwords (i.e. “Spring2018” seems to be a favorite of pen-testers).
These are simple attacks, and an effective cyber deterrence strategy should effectively block these attacks as a first line of defense. A cyber deterrence strategy must demonstrate to the outside world that their employees are alert, trustworthy, and respond quickly to cyber threats and attacks. Unfortunately, many organizations are hyper-focused on minimizing expenses, and leadership is highly motivated to reduce costs related to the training and development of personnel. This conflict of interest practically guarantees that an organization will have a people-related vulnerability somewhere, thus severely weakening an organization’s cyber deterrence strategy. However, if the attacker knows that the people in the organization are well-trained and ready and able to both recognize and thwart an attack, they may think twice. Any cyber deterrence strategy must strongly emphasize the people aspect if it has any hope of success.