DO NOT INVITE THEM IN: WHAT “HUMAN ERROR” CAN MEAN IN PRACTICE
Alessia Unfer | 11 October 2016
https://www.digitalshadows.com/
Whether or not you are a fan of vampire movies, you certainly know that vampires should not be invited into your house. One of the characters in the movie Lost Boys (1987) puts it this way: “Don’t ever invite a vampire into your house, you silly boy. It renders you powerless.” The statement applies just as well to the topic of this blog: we should never hand our keys to cyber criminals, because that renders us powerless too.
So-called “human errors” cause more data loss than malicious attacks, according to the UK’s Information Commissioner’s Office (ICO), and at Digital Shadows it is no secret that the largest threat to an organisation’s data is its own employees, whether deliberate or not. Back in February, a colleague published a blog that stated, “while smart cyber criminals hacking corporate systems get lots of publicity, the reality is cyber exposure incidents all too often have non-criminal, accidental causes.” The same point was made by the study “Managing Insider Risk Through Training & Culture”, published by Experian Data Breach Resolution and the Ponemon Institute, which found that more than half of the surveyed companies had experienced security incidents caused by malicious or negligent employees falling victim to cyberattacks or exposing information inadvertently.
If “to err is human”, mistakes can also be corrected easily once the risk is understood. Let’s look into one type of incident that our Searchlight platform here at Digital Shadows detects often. It illustrates a common “human error” that could affect your organization one day: source code and compromised credentials left freely accessible on the open web. All of the analysed instances involve credentials made available on the public website github[.]com, a web-based Git repository hosting service providing access control and several collaboration features.
For the purpose of this post, we collected data on the number of incidents we have sourced from GitHub in the past six months, and the result was quite revealing. Over 500 incidents involved client information publicly available on GitHub. But that’s not all. Out of this total, we assessed the severity of seven incidents as “Very High” according to our in-house severity matrix, because the public repositories had been updated recently and contained identifiable client systems information and code, including a clear-text username and password pair. That is a worrying average of roughly one serious incident detected every month. Although we can’t say for sure why this is happening, it does not appear to be an exception in what is becoming a common, and unfortunate, scenario: login credentials pushed to public repositories in the rush to get the work done. Keep in mind that a credential that has been public, even briefly, must be treated as compromised and rotated; deleting the file or rewriting the repository’s history removes it from your repository, not from forks, clones or the hands of anyone who already scraped it. GitHub’s help page provides detailed instructions on how to avoid exposing sensitive data in a repository and how to remove it if already exposed.
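As an added example (not code from the original post, from Digital Shadows or from GitHub), the following Python script is a Git pre-commit hook that scans only the added lines of the staged diff for the kind of material described above: password assignments, basic-auth URLs, cloud access key identifiers, private key blocks and long high-entropy tokens. The detection patterns, the entropy threshold, the hook path and the sample diff are this example’s own constructions and do not describe any of the incidents discussed.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks a commit when the staged diff adds lines that
look like credentials.  Added example, not code from the original post.
Install (assumption: a standard .git layout) by copying this file to
.git/hooks/pre-commit and making it executable."""
import math
import re
import subprocess
import sys

# Detection rules: (name, regex).  Illustrative assumptions, tuned to catch
# the "clear-text username and password" case rather than to be exhaustive.
RULES = [
    ("password assignment",
     re.compile(r"""(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?[^\s'"]{6,}""")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block",
     re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("basic-auth URL", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")),
]
# Values pulled from the environment are the right way to do it; skip them.
ALLOW = re.compile(r"(os\.environ|getenv|\$\{?[A-Z_][A-Z0-9_]*\}?)")
# Long runs of token-ish characters are judged by entropy instead of pattern.
TOKENISH = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character.  Random tokens score roughly 4-5; English words 2-3."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str, entropy_threshold: float = 4.0):
    """Walk a unified diff and inspect only added ('+') lines, since removed
    and context lines are not what the commit publishes.
    Returns [(path, new_line_number, rule_name, matched_text), ...]."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        if raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line = int(m.group(1)) if m else 0
            continue
        if raw.startswith("-"):
            continue                      # deleted line: never reaches the remote
        if not raw.startswith("+"):
            new_line += 1                 # context line
            continue
        line = raw[1:]
        if not ALLOW.search(line):
            for name, rx in RULES:
                m = rx.search(line)
                if m:
                    findings.append((path, new_line, name, m.group(0)))
                    break
            else:
                for tok in TOKENISH.findall(line):
                    if shannon_entropy(tok) >= entropy_threshold:
                        findings.append((path, new_line, "high-entropy token", tok))
                        break
        new_line += 1
    return findings


# Constructed sample diff (made up for this example): a developer replaces an
# environment lookup with hard-coded values, which is exactly the mistake
# that ends up on a public repository.
SAMPLE_DIFF = """\
diff --git a/config/db.py b/config/db.py
--- a/config/db.py
+++ b/config/db.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_USER = "svc_reporting"
+DB_PASSWORD = "Hunter2-Prod-2016"
+DB_URL = "postgres://svc_reporting:Hunter2-Prod-2016@db.internal.example/reports"
+STRIPE_KEY = "sk_live_Qm7vK2pXz9RtB4nLw8Yd"
 DB_HOST = "db.internal.example"
"""


def main(argv=None) -> int:
    """Hook entry point: scan `git diff --cached`; a non-zero exit aborts the commit."""
    if argv and argv[0] == "--demo":
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "--no-color", "--unified=0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, lineno, rule, text in findings:
        print(f"{path}:{lineno}: {rule}: {text}", file=sys.stderr)
    if findings:
        print("commit blocked: remove the secret or read it from the environment",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--demo` to see it reject the constructed diff (three findings on lines 3, 4 and 5 of config/db.py), or install it as the hook and it will refuse any commit that adds a matching line. Pattern and entropy rules inevitably miss credentials that do not look like these and flag some that are harmless, so tune the threshold and the allow-list to your code base and treat the hook as a last line of defence behind the real fix: reading secrets from the environment or a secrets manager and keeping configuration files out of the repository.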
Keep in mind that prevention is better than cure in such matters. Simple, well-executed preventive measures continue to matter more than complex systems. In fact, technological defences will not protect your systems if the people using them do not care as much. As the saying goes, “to err is human” but “to persist is devilish.” Yet the blame cannot be pinned solely on the individual at fault. According to an Experian study, companies do understand the risk posed by careless or negligent employees, which in turn could lead to a data leak or other security incidents. However, these same companies do not cultivate employee security awareness, leaving prevention largely forgotten: 60 percent of respondents believe that their employees have little or no knowledge of the company’s security risks.
Simply put, cybersecurity should be every employee’s concern. Here at Digital Shadows we don’t like to sit back and wait for something to go wrong before we try to understand it, and neither should you. This is where cyber situational awareness comes into the picture: preventing, detecting and helping to contain cyber-related incidents while giving your organization a better understanding of where its vulnerabilities lie.
“We blew it, man, we lost it! We unravelled in the face of the enemy!”, said one of the vampires in Lost Boys when caught. “Shut up! It’s not our fault, they pulled a mind scramble on us! They opened their eyes and talked!”, replied his fellow vampire. We all need to open our eyes too, and detect and avoid the silly mistakes that make things easy for cyber criminals. Identifying and effectively handling internal risk is key to managing the external one more efficiently.