PROTECTING THE END USER | A People-Centric Approach to Managing Vulnerability, Attacks and Privilege
WHY PROTECTION STARTS WITH PEOPLE
It’s clear that the usual defend-the-perimeter model of
cybersecurity isn’t working—and hasn’t worked for years. More
than two thirds of IT security professionals polled in a recent
Ponemon study expect cyber attacks to “seriously diminish their
organisation’s shareholder value.” And more than believe their
cybersecurity posture is leveling off or even declining.[1]
Blame two converging trends: the perimeter is dissolving, and
attackers are shifting their focus away from technology and
towards people.
And the walls came tumbling down
There’s a simple reason perimeter defences aren’t working.
In today’s cloud-enabled mobile economy, there’s no longer
a perimeter to defend. Work takes place on devices organisations
don’t support, on infrastructure they don’t manage, and in
channels they don’t own.
As Gartner puts it, the IT department “simply does not control the
bounds of an organisation’s information and technology in the
way it used to.”[2]
ART OF THE STEAL
People always make the best exploits
As business shifts to the cloud, so have attackers. Cloud
infrastructure may be highly secure, but the people who use
it are often vulnerable.
That’s why today’s attacks exploit human nature rather than
technical vulnerabilities. More than 99% of today’s cyber attacks
are human-activated.[3] These attacks rely on a person at the other
end to open a weaponised document, click on an unsafe link,
type their credentials, or even carry out the attacker’s commands
directly (such as wiring money or sending sensitive files).
Credential phishing, which tricks users into entering their account
credentials into a fake login form, is one of the most dangerous
examples. In the cloud era, those credentials are the keys to
everything—email, sensitive data, private appointments and
trusted relationships.
In the third quarter of 2018, for example, corporate credential
phishing attempts quadrupled vs. the year-ago quarter.[4] And
email fraud rose 77% over the same timeframe.[5]
Cloud account compromise nets millions for
attackers—no malware needed
The following is a real-life account of a company we worked
with in the wake of an email fraud attack. Some details have
been omitted for privacy.
Last year, a CEO was stuck in an intense meeting, carefully
negotiating a deal with a key business partner. Hundreds of miles
away, cyber attackers with control of his Office 365 account were
working on their own, sneakier transaction.
Exploiting the meeting’s sensitive nature—and the trust of the
executive’s direct reports—they stole millions through fraudulent
wire transfers. Their only tools: email, patience and a little social
engineering.
As the meeting wore on, a senior finance person received an
urgent email from the CEO’s account. The CEO was busy
negotiating a deal, it stated. To close the transaction, he needed
a large wire transfer, and quickly. The finance person complied,
unable to check with the CEO directly.
But the email wasn’t from the CEO. The account information
wasn’t the business partner’s. And the normal fiscal controls
weren’t applied. The attackers had looted millions of dollars—all
without a single malware infection, phishing email or technology
exploit.
The attackers had taken control of the CEO’s account months
earlier after guessing his password in a brute-force attack. (In this
kind of attack, cyber criminals systematically try hundreds or even
thousands of passwords against an account until one works; a weak
or reused password on an account without multifactor authentication
is all it takes.)
Undetected, the attackers set up an email forwarding rule that
sent copies of the CEO’s mail to an address they controlled. This
move gave them a standing view into the company’s most
sensitive business. They knew the partner meeting was coming,
what it was about, and that the CEO would be unreachable by
phone or in person.
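A check for the persistence step in the story above, as an added example that is not part of the original document: it scans constructed records shaped like Microsoft 365 unified audit log entries for Exchange mailbox operations and flags any inbox rule or mailbox setting that forwards or redirects mail to a domain outside the organisation. The record layout (Operation, UserId, ObjectId, ClientIP, and Parameters as name/value pairs), the sample addresses and the internal-domain list are assumptions made for the example.

```python
"""Flag mailbox forwarding rules that send a user's mail outside the organisation.

Added example for the account-takeover story above; it is not code from the
original document. The records below are constructed, and their layout
(Operation, UserId, ObjectId, ClientIP, Parameters as name/value pairs) is an
assumption that approximates Microsoft 365 unified audit log entries for
Exchange mailbox operations.
"""
import json

# Domains that count as "inside" the organisation (assumption for the example).
INTERNAL_DOMAINS = {"example.com"}

# Exchange parameters that cause mail to leave the mailbox automatically.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Operations that create or change such forwarding.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample log: one attacker rule on the CEO mailbox, one benign
# filing rule, one external forward set on another mailbox, one internal one.
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2018-03-02T11:14:05", "Operation": "New-InboxRule",
                "UserId": "ceo@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "relay@attacker-mail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2018-03-02T11:20:44", "Operation": "New-InboxRule",
                "UserId": "finance@example.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"CreationTime": "2018-03-03T09:02:11", "Operation": "Set-Mailbox",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.4",
                "ObjectId": "cfo@example.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:cfo.backup@mailbox-hosting.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2018-03-03T09:05:30", "Operation": "Set-Mailbox",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.4",
                "ObjectId": "cfo@example.com",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:assistant@example.com"}]}),
]


def extract_addresses(value):
    """Split a forwarding parameter value into bare SMTP addresses.

    Handles the 'smtp:user@host' prefix Exchange uses for proxy addresses and
    ';'-separated recipient lists; anything else is returned as-is.
    """
    addresses = []
    for part in str(value).split(";"):
        part = part.strip()
        if not part:
            continue
        if part.lower().startswith("smtp:"):
            part = part[len("smtp:"):]
        addresses.append(part)
    return addresses


def is_external(address, internal_domains):
    """True when the address's domain is not one of ours (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in internal_domains}


def find_external_forwarding(log_lines, internal_domains):
    """Return one finding per record that forwards or redirects mail externally."""
    findings = []
    for line in log_lines:
        record = json.loads(line)
        operation = record.get("Operation")
        if operation not in WATCHED_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        destinations = []
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            for address in extract_addresses(params[name]):
                if is_external(address, internal_domains):
                    destinations.append((name, address))
        if not destinations:
            continue
        # Inbox rules act on the actor's own mailbox; Set-Mailbox names its
        # target in ObjectId (assumption about the record layout).
        mailbox = record.get("ObjectId") if operation == "Set-Mailbox" else record.get("UserId")
        findings.append({
            "time": record.get("CreationTime"),
            "operation": operation,
            "mailbox": mailbox,
            "actor": record.get("UserId"),
            "client_ip": record.get("ClientIP"),
            "destinations": destinations,
            # A rule that also deletes the message hides the forward from the owner.
            "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG, INTERNAL_DOMAINS):
        print(finding)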
[1] Ponemon Institute. “2018 Study on Global Megatrends in Cybersecurity.” February 2018.
[2] Rob van der Meulen (Gartner). “Build Adaptive Security Architecture Into Your Organisation.” June 2017.
[3] Proofpoint. “The Human Factor 2017.” December 2016.
[4] Proofpoint. “Quarterly Threat Report Q3 2018.” December 2018.
[5] Ibid.
ASSESSING USER RISK: THE VAP MODEL
Just as people are unique, so is their value to cyber attackers
and risk to employers. They have distinct digital habits and weak
spots. They’re targeted by attackers in diverse ways and with
varying intensity. And they have unique professional contacts
and privileged access to data on the network and in the cloud.
Together, these factors make up a user’s overall risk in what we
call the VAP (vulnerability, attacks and privilege) index.
Vulnerability
Users’ vulnerability starts with their digital behavior—how they
work and what they click. Some employees may work remotely or
access company email through their personal devices. They may
use cloud-based file storage and install third-party add-ons to
their cloud apps. Or they may be especially receptive to attackers’
email phishing tactics.
[Figure: Understanding People-Centric Risk. Three overlapping factors: Attacked (targeted by threats), Vulnerable (work in high-risk ways) and Privileged (access to valuable data/systems), set against the labels Security and Compliance.]
How your people work
Assessing vulnerability that stems from how people work is mostly
straightforward—though it’s not always easy, or even possible,
with traditional cyber defences. It starts with knowing what tools,
platforms and apps they use.
The more granular your visibility, the better. Gauging vulnerability
on the user level, for instance, is feasible only when you have
accurate user-level visibility. When you do, you can weigh factors
such as:
• What cloud apps they use
• How many and what devices they use to access email
• Whether those devices are secure
• Whether the user practices good digital hygiene
• Whether they use multifactor authentication consistently
What your people click
The second part of measuring vulnerability is figuring out how
susceptible your users are to phishing and other cyber attacks.
Short of letting attackers in and seeing who opens a malware file
or wires money to an attacker (not ideal for obvious reasons),
phishing simulations are the best way to gauge this aspect of
vulnerability.
Simulated attacks, especially those that mimic real-world
techniques, can help identify who’s susceptible and to
which tactics.
Someone who opens a simulated phishing email and opens the
attachment might be the most vulnerable. A user who ignores it
would rank somewhat lower. And users who report the email to
the security team or email administrator would be deemed the
least vulnerable.
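The ranking described above, as an added example that is not part of the original document: it aggregates constructed simulation events per user across several campaigns, taking the worst action in each campaign as that campaign’s outcome and averaging across campaigns. The event names, the numeric scores, and the rule that reporting after a risky action does not cancel the risky action are assumptions; only the ordering (attachment opened ranks most vulnerable, ignoring lower, reporting least) comes from the text.

```python
"""Rank users by phishing-simulation outcome across several campaigns.

Added example, not code from the original document. Event names, the score
values and the tie-breaking rules are assumptions; the ordering follows the
text: opening the attachment ranks most vulnerable, ignoring the lure lower,
reporting it least.
"""
from collections import defaultdict

# Higher score = more vulnerable. "delivered" is not an action; a campaign
# with no action at all is scored as "ignored".
OUTCOME_SCORE = {
    "reported": 0,
    "ignored": 1,
    "opened": 2,
    "clicked": 3,
    "attachment_opened": 4,
    "credentials_submitted": 4,
}

# Constructed events: (campaign, user, event) in the order they occurred.
SAMPLE_EVENTS = [
    ("c1", "alice", "delivered"), ("c1", "alice", "opened"), ("c1", "alice", "attachment_opened"),
    ("c1", "bob", "delivered"),
    ("c1", "carol", "delivered"), ("c1", "carol", "reported"),
    ("c2", "alice", "delivered"), ("c2", "alice", "reported"),
    ("c2", "bob", "delivered"), ("c2", "bob", "opened"),
    ("c2", "carol", "delivered"), ("c2", "carol", "opened"), ("c2", "carol", "reported"),
]


def campaign_outcome(events):
    """Outcome of one campaign for one user: the worst action taken.

    A report that follows a risky action does not undo it (assumption), so
    max() over the scores gives the answer; no actions at all means ignored.
    """
    actions = [e for e in events if e in OUTCOME_SCORE]
    if not actions:
        return "ignored"
    return max(actions, key=lambda a: OUTCOME_SCORE[a])


def rank_users(event_rows):
    """Per-user vulnerability: mean campaign score, plus how often they report.

    Returns a list of (user, summary) sorted most-vulnerable first.
    """
    per_user = defaultdict(lambda: defaultdict(list))
    for campaign, user, event in event_rows:
        per_user[user][campaign].append(event)

    summaries = {}
    for user, campaigns in per_user.items():
        outcomes = [campaign_outcome(events) for events in campaigns.values()]
        score = sum(OUTCOME_SCORE[o] for o in outcomes) / len(outcomes)
        reports = sum("reported" in events for events in campaigns.values())
        summaries[user] = {
            "score": round(score, 2),
            "outcomes": outcomes,
            "report_rate": round(reports / len(outcomes), 2),
        }
    return sorted(summaries.items(), key=lambda item: (-item[1]["score"], item[0]))


if __name__ == "__main__":
    for user, summary in rank_users(SAMPLE_EVENTS):
        print(user, summary)
```

With the sample events, alice ranks first (she opened an attachment in one campaign), bob second (ignored one lure, opened another) and carol last (reported both, though she opened one before reporting); the report rate is kept alongside the score so that the "reports to the security team" behaviour the text values is visible even for users who also slipped once.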
[Figure: privilege indicators: highly regulated roles, access to regulated data, involvement in sensitive activities.]
Attacks
Not all cyber attacks are created equal. While every one is
potentially harmful