Human Error, The Weakest Link in Cybersecurity

According to IBM’s “2014 Cyber SecurityIntelligence Index” 95 percent of all securityincidents involve human error. A lot of the security incidents are dueto social engineering. Examples of this arehumans clicking on links (phishing), openingunknown attachments or entering personalor confidential information into a seeminglyfriendly and familiar account.

Social engineering is a technique used byhackers and intruders to access data orother critical information. This techniquetakes advantage of the weakest link in theinformation security, the humans. Usingthe trusting nature of humans the hackeror intruder gain access to data or a se-cure building. Either by a phishing email ortailgating someone inside the secure building. ”Social engineering is essentially the artof gaining access to buildings, systems ordata by exploiting human psychology, ratherthan by breaking in or using normal hackingtechniques”.

No matter how much security your organiza-tion have, social engineering will always be athreat. This is due to the human’s mind andhow we always want to trust others. Oneway to describe us would be naive, especiallyus Norwegians who in 2009 were named themost naive in Europe by a survey funded bythe European Commission. Only 10 percentare considered to be in general “skeptical” ofother people.

Chris Nickerson is a consultant who performs1red team testing for his clients using socialengineering techniques. In one of his tests hebought a Cisco shirt and tried to tailgate hisway in. When he came to the building hejust asked one of the smoking employees tohold the door for him and posed as a Ciscotechnician. He got full access to the buildingand even managed to get his team inside. This is just an example showing how easy itis to play someones naivety and willingnessto trust other people. Therefore it is important to educateyour employees on social engineering tomake sure they are aware of the differenttechniques that can be used and the dangersthese techniques can lead to. Social engi-neering will continue to grow and change upit’s approach and discover techniques thatwork better, this means that updating youremployees on the dangers and techniques ofsocial engineering regularly is essential.

Luckily there are techniques that helpmitigating the dangers of social engineeringsomewhat. To mitigate the danger we haveto eliminate the dependency on human intel-ligence. One way to do this is a technologycalled Remote Browser Isolation. Remotebrowser isolation isolates the users webbrowsing activity away from the endpointdevice, thus excluding most of the browserrelated attacks such as phishing whileensuring accessibility and productivity.

Humans in general are way to trusting, evenwhen they know they work at a facility wheresecurity is of the utmost importance. Consul-tants like Chris Nickerson prove how easy itis to use social engineering, and thus makingtheir clients more aware of the possible dan-gers and exploits. We have also seen that byusing Remote Browser Isolation we can avoidsome of the human error by isolating activityaway from the endpoint device.