Comprehensive Cybersecurity: Securing the Human Operating System

"Organizations must wake up and realize the importance of the human element", says SANS' Dr. Eric Cole

National Cyber Security Awareness Month in the US was created to focus on the need for improved online safety and security for all Americans. It is important to note that with the internet, however, there are no international boundaries. Cyber threats affect everyone, everywhere, anytime and anyplace. No one is safe.

When you physically travel it is obvious when you enter a different country. It is also well known that each country has its own set of laws and regulations. The internet is a different story. Consider email, for example, where the fastest distance between two points is not always a straight line. An email sent from someone in Texas can easily move through London, Russia or even China before it reaches its recipient. Meanwhile, both the sender and recipient assume their email communication took a direct route.

Another issue to consider is the insider threat. Regardless of the industry or location, nearly all organizations have one thing in common – they all have employees. With employees comes the possibility of insider threats. When people think of insider threats, they typically assume it is the deliberate, malicious insider; someone actively trying to steal from a company or cause harm. Today, the problem that is very often overlooked is the accidental insider.

The accidental insider unknowingly exposes an organization to risk. A common example is clicking on a link or opening an attachment in a disguised message sent by an attacker. Although some threats are obvious (you won $100,000, visit this link or open this attachment to learn how to claim your prize), others are not.

Our adversaries are getting smarter, and more dangerous. They are targeting employees with emails that appear to come from a manager or co-worker; for example, with details related to a current project or issue. While an employee thinks they are doing a good thing opening the attachment or clicking the link, they unknowingly expose their organization to an attacker. This type of scenario is becoming more common because the adversaries we deal with today are not just con artists, but seasoned criminals who have done extensive reconnaissance.

So, what can you do to counter these attackers? Start by acknowledging that the types of threats we face have changed. Therefore, what worked in the past is not enough to keep organizations safe today. Organizations place too much emphasis on technology. They believe the more software they purchase, the safer they will be. These companies spend millions of dollars on security technology, yet they are still being compromised. They are doing good things, but they are not doing the right things.

Implementing technology lays a solid foundation to protect against cyber attacks, but it is no longer enough. Without focusing on the most vulnerable part of an organization – your employees – breaches will continue to occur.

Attackers are targeting individuals; therefore, processes must be put in place to safeguard employees. Start with education. An educated employee is less likely to fall victim to an attacker. A security awareness and training program should be required for absolutely everyone in your organization who touches data. Because threats change, training programs should be re-evaluated and updated at least once a year to ensure employees remain current on the latest threats.

Run your web browser and email client in separate virtual machines on the local client – this can be transparent to the user. If users become infected, then they will only be infected for a few hours versus a few days or months. Applying this to the desktop can decrease damage and increase security. It’s a twist on traditional virtualization that is more commonly used at the server level. By virtualizing the desktop environment, it’s possible to operate the browser and email client in contained areas where users can click away on websites and freely open email attachments. If there is an infection, it can be contained and the damage to the wider network is controlled.

Two additional methods that attackers use to cause harm are HTML and macros. Most employees do not use them in their regular functions. Employees have too many features turned on that they don’t need. Turning them off makes it more difficult for attackers to wreak havoc.
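As an added illustration that is not part of the original article, the sketch below shows one way a mail filter could enforce the "turn off HTML and macros" advice: it reports HTML body parts and macro-capable attachments, then rebuilds a plain-text-only copy. The function names, the extension list and the sample message are assumptions constructed for this example.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed policy list: Office file types that are allowed to carry macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppsm"}

def build_sample() -> str:
    """Constructed message: plain + HTML bodies and a macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = "manager@example.com"
    m["To"] = "employee@example.com"
    m["Subject"] = "Project budget update"
    m.set_content("Please review the attached budget.\n")
    m.add_alternative("<html><body><b>Please review</b></body></html>", subtype="html")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="budget.xlsm")
    return m.as_string()

def audit_message(raw: str) -> dict:
    """Report HTML body parts and macro-capable attachments in one message."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"html_parts": 0, "macro_attachments": [], "plain_text": ""}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:  # attachment: judged by extension only (a simplification)
            if os.path.splitext(name.lower())[1] in MACRO_EXTENSIONS:
                report["macro_attachments"].append(name)
        elif part.get_content_type() == "text/html":
            report["html_parts"] += 1
        elif part.get_content_type() == "text/plain":
            report["plain_text"] += part.get_content()
    return report

def to_plain_only(raw: str) -> EmailMessage:
    """Rebuild the message with only its plain-text body (HTML and attachments dropped)."""
    src = message_from_string(raw, policy=policy.default)
    clean = EmailMessage()
    for header in ("From", "To", "Subject"):
        if src[header]:
            clean[header] = str(src[header])
    body = audit_message(raw)["plain_text"]
    clean.set_content(body or "[No plain-text body; HTML removed by policy]")
    return clean

if __name__ == "__main__":
    sample = build_sample()
    print(audit_message(sample))
    print(to_plain_only(sample).as_string())
```

Checking the file extension alone is a simplification; legacy formats such as .doc and .xls can also carry macros and would need content inspection.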

Organizations must wake up and realize the importance of the human element. Otherwise, breaches will continue to happen. If you work to change a person’s habits through heightened awareness, then you will minimize risks.


Dr. Eric Cole is an industry-recognized security expert with over 20 years of hands-on experience. He is a SANS faculty fellow and course author, and founder of Secure Anchor Consulting, where he provides state-of-the-art security services and expert witness work. To view upcoming courses taught by Cole, visit http://www.sans.org/info/113507.
