4 key points of human factor
Submitted by: Alexei ParfentievAccording to Gartner in 2018 information security spending will exceed $96 billion — companies will be purchasing credential management software, infrastructure and network security equipment, information security services, client data protection software.
Learning about new incidents companies agree to increase their costs. Businesses are mostly focused on protection from external threats. WannaCry alerted people to the dangers of cyberattacks: during the first two days of ransomware activity there were hacked more than 200 thousand users from 150 countries. All the attention is drawn to hackers, zero-day vulnerabilities and ransomware, while incidents caused by just one click or just one decision of an employee may be overlooked.
South African financial services company Liberty Holdings got its corporate email compromised. The violators were going to sell the obtained information. They would release the data if they didn’t get paid.
There were a few pointers which made everyone question the breach source: the leak wasn’t reported straight away, the facts confirmed by the Liberty CEO seemed to lack details, the server was fully accessible to those who seized the data. When a leakage happens the source should be a company’s major concern. Hackers are never as informed as insiders are, only the people who cooperate within a particular network know exactly what and where can be accessed. Although hacks are no good news, companies are encouraged to be vocal about an incident, while insider leaks are often skimpily, half-heartedly exposed.
Human factor can trigger different situations and any of them might appear detrimental to an organisation.
Emotions
Joe Sullivan, former Uber cybersecurity chief, used to have an impeccable track record. He participated in the investigation of high profile cyberattacks in USA, worked at Facebook, eBay and PayPal — he’s been chasing and catching criminals all his life. An undetected data theft which happened in 2016 affected his professional reputation. Joe decided that the incident should be withheld even if it would take him collaborating with his own enemies. He paid hackers $100 thousand for keeping silence. 57 million passengers and drivers had no idea their data has been compromised for more than a year.
Vainglory is what led to another real life case. In February, 2017, the photo of the USA President and the Prime Minister Shinzō Abe at the golf club was made by a businessman who was sitting next to them and published by various media. He posted on Facebook the photo commenting that “…it was fascinating to watch the flurry of activity at dinner when the news came that North Korea had launched a missile in the direction of Japan.”
One of the photos depicts club members gathering around the confidential documents. The other photo captures the USA President talking on the phone turning away from Japanese Prime Minister. Here’s the human factor at its best. First of all, the heads of states rushed into discussing the secret issue in front of people. Second of all, smartphones which were used by those standing around could be a direct leakage source.
Negligence
That’s the main reason why many contractors reveal client data.
In 2017 an American telecommunications giant Verizon lost the data of 14 million clients: names, addresses, account data and PIN codes for client verification. The data was uploaded to Amazon by a contractor hired to improve the call center functioning. The specialist forgot to check security settings — a URL with the information could be freely accessed by anyone in the Internet.
Amazon became part of many leakage stories: 198 million registered US voters were exposed in the cloud (the archive didn’t have even a password protection — it was uploaded to the cloud by a company which collected data for Donald Trump’s election campaign); 2.2 million Dow Jones company subscribers got their data compromised; 3 million WWE clients (an American entertainment company known for managing wrestling events) got their data leaked in the Amazon service; Time Warner Cable (the second largest cable network in the USA) got 4 million client records exposed.
Amazon could have introduced some extra control to detect faulty configuration and limit the access to sensitive data without password protection. In November 2017 the service provider presented a solution: the control panel featured a notification warning users that incorrectly configured storage endangered data security. Amazon also applied full data encryption by default.
Self-interest
Some people tend to profit from their status — one of the biggest temptations which cause incidents.
An information security director of North American Association of State and Provincial Lotteries cracked a random number generator. The specialist had been working in the organisation for 10 years before he decided to create a malware and infect computers which managed winning combinations for the lotteries. The “correct” tickets were bought by his brother and friend. The scheme was started in 2005 and was running for 7 years.
Accident
A leak can be accidental — a mere fatigue or automated address selection in the email client. That is what happened to the Pentagon in 2017 — Public Affairs included an email of correspondent for Bloomberg in the mailing list. The journalist informed the Pentagon of the mistake but the email kept coming. The correspondence between the Department of Defense and the Federal Emergency Management Agency employees discussed ways the media covered the scale of Hurricane Maria’s destruction. They were sharing instructions on how to make the news seem positive.
The journalist benefited from the opportunity and equipped an article for Bloomberg Businessweek with some excerpts from the emails which he received accidentally from the Pentagon.
Another unintentional data exposure occurred in Finland. In 2017 a citizen of Oulu received an email revealing some messages sent by local policemen to each other discussing security measures which should be taken during the visit of Vladimir Putin. The email contained a detailed itinerary of Sauli Niinistö and the precise time of Putin’s helicopter arrival.
The Eastern Finland Police Department weren’t silent about the incident and explained the confidential email sent to a random person admitting a human factor to be the cause. The email client suggested contacts from the list of those who were addressed at least once automatically. The citizen of Oulu who received the secret email and the press officer appeared to have similar names.