Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity


April 18, 2024

Reframing the Narrative: Strategic Defense Against Human Error in Cybersecurity

We have always heard this often-repeated cliché: Humans are the weakest link in cybersecurity. However, this article isn't intended to explain the three pillars of cybersecurity (people, process, technology) and persuade you as to why people are the weakest link. With numerous articles already circulating on the cliché, even those outside the cybersecurity realm understand why, as it frequently becomes the main topic in security awareness materials.

In most writings, the solutions presented typically focus on educating users and enhancing their abilities to avoid attacks exploiting human psychology (social engineering). However, since it's universally recognized that humans tend to be the weakest link, we should treat it as such. Instead of solely aiming and hoping that the weakest link is never exploited or merely setting targets to reduce the occurrence from 50 to 10, or even from 10 to 1, it wouldn't matter much because just one occurrence can significantly compromise a company's security.

Thus far, many efforts to reduce social engineering attacks have focused only on the likelihood perspective, which would include pre-incident security measures such as training. However, reducing the impact (post-incident) is equally important because the likelihood can never be reduced to zero. Therefore, there's a need for a proper tailored strategy that seeks to identify risks and mitigating each scenario of exploitation by targeting the weakest link specific to that scenario.

Consider the risk of credential theft (username and password) via email phishing attacks as an example. The likelihood of this risk can be reduced by implementing email security measures that filter suspicious emails, while its impact can be mitigated by implementing multi-factor authentication (MFA). However, it is important to ensure the implementation of MFA cannot be bypassed. Incidents where MFA is bypassed due to insecure implementation are increasingly common. At Bitdefender, we assist in evaluating the security effectiveness of deployed MFA solutions as part of a penetration testing service. This ensures that MFA, designed to mitigate the risk of credential theft, functions as intended, providing companies with confidence in their authentication measures. In this scenario, there is a greater value in the identification of an insecure implementation of MFA and remediating it, as it has a greater reduction of risk in the event of credential theft via email phishing.

Credential theft is now more challenging for attackers due to the difficulty in bypassing MFA, so another example is the risk of target session/cookies theft. Although this attack has a single goal, the variety of scenarios require different mitigations. For instance, mitigations required for reducing the likelihood of cookie theft through a fake login portal differs from mitigations required for a scenario where a malware stealer infiltrates and resides on a user's PC.

Mitigating the impact of cookie theft can involve capabilities such as User and Entity Behavior Analytics (UEBA). If the same session is detected on devices with different fingerprints or locations, it is essential that an alert is triggered for investigation. However, it begs the question: Do the products we develop or the security solutions we use support this strategy?

Malware infiltration is another challenge. No matter how we educate users about malware dangers, the threat of malware infiltration due to user negligence remains. Hence, a multi layered approach is necessary to mitigate the impact.

To minimize malware infiltration, security solutions such as endpoint detection and response (EDR) and managed detection and response (MDR) are crucial. However, what happens when infected devices lack EDR due to being unmanaged? Typically, an organization is not obligated to secure unmanaged devices that are not owned by the company. Therefore, the strategy should prioritize limiting the capabilities of unmanaged devices to access company assets and digital infrastructure (device posturing), or explore policies to managed personal devices, such as a bring your own device (BYOD) policy.

Based on these challenges, it's imperative for the company to ensure that user behavior can be effectively influenced through the implementation of policies supported by robust technological tools. However, a common hurdle arises when existing policies do not seamlessly align with the architecture and technology being deployed. In such cases, security solution providers like Bitdefender can play a pivotal role in assisting companies in fortifying their security policies and regulations through specialized security advisory services. Moreover, to bridge the gap between existing policies and the technological framework at the operational level, comprehensive offensive strategies are often employed. The term "offensive activities" encompasses essential practices such as penetration testing and offensive security services such as red teaming, which are instrumental in evaluating and fortifying security measures.

Penetration testing serves as a crucial mechanism for assessing the security posture of a system or asset, particularly from the perspective of potential attackers. For instance, let's consider an application utilized by both internal users and customers. While companies may implement security measures assuming adherence to normal usage patterns and behaviors, the reality is that breaches are increasingly common. If a user's access is breached and falls into the hands of a threat actor (which is highly possible in this era), how much does it impact the security of the information managed by that system? Here, Bitdefender's expertise can be leveraged to simulate unauthorized user infiltration scenarios, shedding light on the potential impacts of such breaches by performing penetration testing, which would not be identified by performing vulnerability scans alone.

While penetration testing activities target specific assets designated by the company, red teaming takes a broader approach by simulating real-world threat scenarios, with a focus on infiltrating internal systems and networks. This activity often exploits vulnerabilities on the human side, aiming to gain initial access and subsequently execute lateral movements to amplify the impact. Through rigorous red teaming exercises, companies can pinpoint weaknesses in their overall security posture and proactively address them.

The aforementioned examples underscore the significance of considering human-related vulnerabilities as a primary target in cyberattacks, along with offering concrete strategies to mitigate these risks. Failure to recognize the risks associated with the exploitation of human weaknesses can expose the company to multifaceted losses. These ramifications encompass identity theft of our customers, operational disruptions within information systems, data corruption or loss, unauthorized data exfiltration, financial loss, and reputational damage. Nonetheless, it's essential to recognize that this article only scratches the surface, and companies should conduct comprehensive assessments tailored to their unique circumstances and operational landscape.

Contact an expert

Contact an expert




Sumarlin is a cybersecurity consultant with over 10 years of experience in the Information Technology field, including 4 years specialized in cybersecurity. With valuable experience in identifying vulnerabilities and enhancing enterprise security postures, Sumarlin has developed a broad skill set in cybersecurity, encompassing both offensive and defensive strategies. He is accomplished at bridging business strategies with technical information security to align organizational goals with robust security measures.

View all posts

You might also like