Do not invite them in: what “human error” can mean in practice
Although you may or may not be a fan of vampire movies, you certainly know that vampires should not be invited into your house. One of the characters in the movie Lost Boys (1987) once said: “Don't ever invite a vampire into your house, you silly boy. It renders you powerless.” A statement that well applies to the topic of this blog, i.e. that we should never be handing keys to cyber criminals; this can also render you powerless.
So called “human errors” cause more data loss than malicious attacks, according to the UK’s Information Commissioner’s Office (ICO) and at Digital Shadows it is no secret that the largest threat to an organisation’s data is its own employees – whether deliberate or not. Back in February, a colleague published a blog that stated, “while smart cyber criminals hacking corporate systems get lots of publicity, the reality is cyber exposure incidents all too often have non-criminal, accidental causes.” The same was reiterated by the study “Managing Insider Risk Through Training & Culture” published by Experian Data Breach Resolution and the Ponemon Institute, which explained how more than half of the surveyed companies experienced security incidents due to malicious or negligent employees falling victim to cyberattacks or exposing information inadvertently.
If “to err is human”, mistakes can also be easily corrected once aware of the risk. Let’s look into one type of incident often detected by our Searchlight platform here at Digital Shadows. By doing this you will receive an insight in what constitutes a common “human error” that could be affecting your organization one day: the easy access to codes and compromised credentials on the open web. All analysed instances contain compromised credentials made available on the public website github[.]com, a web-based Git repository hosting service providing access control and several collaboration features.
For the purpose of this post, we collected data on the number of incidents that we have sourced from Github in the past six months and the result was quite revealing. Over 500 incidents included client information publicly available on Github. But that’s not all. Out of this total amount, we assessed the severity of seven incidents as “Very High” according to our in-house severity matrix, due to the public repositories being recently updated and containing identifiable client systems information and code—including a clear text username and password set. This shows a fairly worrying average of one serious incident detected every month. Although we can’t say for sure why this is happening, it does not appear to constitute an exception in what is becoming such a common – and unfortunate – scenario of login credentials being pushed to public repositories while rushing to get the work done. In this case, GitHub's help page provides detailed instructions on how to avoid exposing sensitive data on the repository and how to remove them if already exposed.
Keep in mind that prevention is better than a cure in such matters. Simple, well-executed preventive measures continue to be more important than complex systems. In fact, technological defences will not protect your computer if human nature does not care as much. As previously said, “to err is human” but “to persist is devilish.” Yet the blame cannot be pinned solely on the guilty individual. According to an Experian study, companies do understand the risk posed by careless or negligent employees that in turn could lead to a data leak or other security incidents. However, these same companies do not cultivate employee security awareness, leaving prevention largely forgotten. It appears that 60 percent of the respondents believes that employees are not knowledgeable or have no knowledge of the company’s security risks.
Simply put, cybersecurity should be every employee’s concern. Here at Digital Shadows we don’t like to sit back and wait for something to go wrong before we try to understand it – and neither should you. This is when cyber situational awareness comes into the picture; preventing, detecting, and helping contain cyber-related incidents while providing your organization with a better understanding of where your vulnerabilities lie within your organization.
“We blew it, man, we lost it! We unravelled in the face of the enemy!”, said the vampire in Lost Boys, when caught. “Shut up! It's not our fault, they pulled a mind scramble on us! They opened their eyes and talked!”, replied his fellow vampire. We all also need to open our eyes, detect and avoid silly mistakes that can simplify things for cyber criminals. Identifying and effectively handling internal risk is key to the more efficient management of the external one.