Seriously?! Can You Not Do That? | Chapter I - Bad Habits and InfoSec Apathy

By Sean Martin, CISSP

Chapter I | Bad Habits and InfoSec Apathy

People generally don’t think about security. While some organizations have put together InfoSec training programs to raise awareness, if this instruction is only attended a single time so they can tick a box for compliance, then the employees will likely forget what they’ve learned when it matters most. Ultimately, it comes down to habit: employees do what they do because that’s how they’ve always done it. It’s what they need to do in order to get their job done, qualify for that bonus or raise or shave off a few minutes so they can make it to their kid’s soccer match.

This issue isn’t limited to specific roles within the organization. Executives, engineers, customer support, legal, human resources – even the IT folks – all have ambitions and goals, and a set of habits that they use to reach them.

“One example we see is developers using live data for test and development, without anonymizing or neutralizing the sensitive data,” says Paula Long, CEO and co-founder of DataGravity. “For example, Uber, not too long ago, was storing database and credential information on GitHub and had an application bug that revealed driver information to customers.”

“Often it is what employees don’t do that can put a business at risk,” says Greg Hoffer, VP of Engineering at Globalscape. “It is human nature to fall into old habits of doing things a certain way because, well…that’s the way we’ve always done it. That’s a vulnerability ripe for exploitation.”

In addition to habits, employee apathy and ignorance add to the security and privacy challenges faced by organizations.

“People don’t always think about the impact of what they are doing,” says Long. “For the most part, how they handle information does not materially impact their job so it not something they need to worry about.”

It could be as simple as data wandering. Employees may not care how or where the information is stored or shared. They may not even think about processes and procedures, let alone policies, for how the data is handled. So using “shadow IT” systems and services may not even cross their mind as they are trying to complete their work.

“Data can easily leave secure repositories and find its way on public shares, in Dropbox, or emailed to the wrong person,” adds Long. “This has happened to everyone.”

Habits and actions often involve more than pure business operations, as is evidenced by the post-breach analysis conducted by Stroz Friedberg.

“In many of our cases, we often uncover employees using machines for more than the intended business purpose,” says William Dixon, VP Cyber Resilience, Stroz Friedberg, an Aon Company. “As we discussed in a recent webinar with Nir Valtman, Head of Application Security at NCR Corporation, as much as half of retail systems are used for more than checking out customers at the cash register. We see employees using the machines to access their social media accounts, read their personal cloud-based email, and even buy products from their favorite (competing) retailer.”

A Live Panel Discussion During Black Hat USA 2017

Want to learn more about the human element of cybersecurity? Join us live what should prove to be a very engaging conversation.

In these cases it comes down to policies and awareness on what the intent of the point of sale workstation’s intended use is versus the actual use once it has been deployed.

“A good mix of technical and administrative controls can go a long way, especially when dealing with point of sale systems,” adds Dixon. “Locking down these systems has become very popular and boxes in what can and can’t be done by the user.”

But it’s not just these seemingly benign actions that put the company at risk. There are activities that employees engage in that have known malicious ties.

"Some of the year's largest reported breaches are a direct result of malicious insiders or insider negligence," said Christy Wyatt, CEO at Dtex Systems. "With limited visibility into user risk, companies face unlimited exposure which can have heavy legal and/or financial implications. Organizations that actively monitor what's happening on their endpoints and quickly act to address risks can protect their most important assets: their employees and their data."

And this could very well be the case. Once the employee’s system is compromised, much more damage than the employee could ever imagine might happen.

“Once an attacker is in a system and has employee or trusted partner credentials, he or she will elevate access and privilege so they can toy with any area of the business,” says Mordecai Rosen, general manager for CA Technologies’ security business. “Look at the Sony breach as an example. In this Fortune article that details the attack, it was called ‘The hack of the century.’ That breach essentially denied Sony from doing business. It shut down the company’s email system for days, resulted in a high-level executive leaving the company due to email information disclosed, and cost the company revenue since they didn’t release a movie as planned.”

And, of course, it’s not always about someone breaking in to steal the goods; sometimes they are already inside. Malicious employees might be looking to make a buck or make their next gig that much easier…all through the collection and removal of proprietary data.

“Many people do not equate data theft as having the same criminal impactions as grand theft auto,” explains Long. “Everyone knows stealing a car is a felony; what they might not realize is that taking source code they wrote, court briefs they prepared, or lists of customers they recruited when they leave a company is also a crime. I honestly believe in most cases it’s not deliberate, it’s just not thought about. If called on it, most people would be embarrassed they had done this.”

Research may prove otherwise. And while the intentionally malicious cases may be hard to spot, they are clearly quantified in the 2017 Verizon Data Breach Investigation Report as it states that in 60% of the cases, insiders absconded with data in the hope of converting it to cash in the future. But sometimes it’s a case of unsanctioned snooping (17%) or taking data to a new employer or to start a rival company (15%).

If it takes just one poorly made decision to take down a business and people tend to act without thinking about the consequences, employers can help by creating a system of checks and balances. One of these counterbalances to human error is smart password management.

Interested in more topics from this series?