Happy Friday and welcome to November!
Shorter days start this weekend, so make sure to set those clocks back, and I can practically smell Thanksgiving dinner already. On another note, we are still working through some post-World Series hangovers here in Boston, and even though I am a NY Yankee in "Big Papi's Court" I can't help but feel just a little Boston Strong this week.
The title of this week's blog (War on Two Fronts) actually isn't about a Boston-New York rivalry but rather the threats you folks face on a daily basis. The immediate assumption is that all attackers have to break through the perimeter to breach your network, but the reality is that your users are as much of a threat, either due to intentional, or more likely, unintentional or uninformed behavior. In fact, a recent MeriTalk survey of federal security professionals and end users revealed that the threat ratio is about 50/50. Given all the press that attacks from rogue groups and nation states receive, you would think it's more 80/20 (outside vs. inside) and that the 20% was made up of Snowden doppelgangers. This misconception could immediately undermine all of the effort security teams put into their perimeter defenses. Here are some of the highlighted points noted in a recent GCN article regarding the report:
- 31% of end users admit to regularly circumventing what they see as unreasonable security restrictions.
- Security professionals estimate that 49% of agency breaches are caused primarily by a lack of user compliance.
- User frustration equals security risks. The greatest pain points for users — Web surfing and downloading files — produce the most agency breaches.
The problem here is that users frequently don't really understand the risks, and they are notoriously hard to police. Most users opt for convenience over security, and do not adopt the same level of healthy paranoia that those working in security have developed (not the tinfoil hats). For some help on increasing the awareness of your users on basic security topics, check out our National Cyber Security Awareness Month email primers on phishing, mobile threats, password hygiene, cloud, and the need for general vigilance. You need a multi-pronged approach to addressing user-based risk. User awareness is just one part of this, and it needs to be a continuous effort.
Additionally, a closer alignment of IT and security teams could help streamline internal policies and allow for more collaboration, but it's also important for users to start taking some of that responsibility. While participants in the MeriTalk report highlight the fact that they circumvent the security policies of their agency/organization, DEF CON 2013's Social Engineering Capture the Flag (SECTF) showed that the same can be said for the private sector as well. The targets were all major firms that one would think would be the most secure, or would have mature enough security programs to better enable their users. What was surprising was how easily these organizations were breached. Attackers were able to gain information either directly from users, or from what they found on the internet. Both instances highlight the trusting and unaware nature of users when it comes to information dissemination. You can download the DEF CON SECTF report here to see the contest results, and DarkReading has an article on it here.
The point here is that in order to turn the tide in security, you need your users to be in lockstep with the organization's security vision. Clearly defining your regulations and holding your users responsible for maintaining their end of the bargain is extremely important, but so is informing your users as to why they need to be just as vigilant in securing the organization from within as your team is in securing the perimeter.
We here at Rapid7 are always looking to provide simple solutions to complex problems, like user risk. Our newest product, UserInsight, can help you assess and address your users' risk, and the data it provides can show you how your users are currently circumventing your established policies. Truly understanding your users' behaviors and seeing, in clearly laid out metrics, the risk that your users bring to the organization is step one. Step two is developing a plan to comprehensively address these behaviors throughout your organization. These two steps together will get you on the path to reducing the user threat in your network.