Human factors in cybersecurity relate to scenarios in which human error results in a successful data or security breach; they are the weakest component of any ICT infrastructure’s security and pose the largest dangers and threats to a corporation or organization.
In terms of cybersecurity, sharing these concepts and emphasizing common blunders and best practices can help keep families and organizations safer on a regular basis.
Cyber security is considerably more than simply computer systems and networks. The individuals who use these technologies are equally important: humans with all of their flaws. The attacker uses social engineering to take advantage of the “human factor,” which is allegedly the weakest link in the security chain.
Technical flaws are only a small part of the risks associated with Internet use. When cybercriminals are halted by up-to-date software and operating systems, firewalls, and anti-virus scanners, they try to entice victims to install malware or share sensitive data in other ways.
Cyber thieves on the Internet, like door-to-door con artists, pretend to have a personal relationship to their victims or promise them prizes or perks. Many more variations of this strategy, known as social engineering, are in use or under consideration. In certain cases, contact is made indirectly through the victims’ friends.
Social engineering exploits human attributes such as a willingness to help others; trust, fear, or respect for authority are even used to manipulate individuals extremely cleverly. As a result, cyber thieves persuade their victims to divulge sensitive information, circumvent security functions, pay money, or install malware on their personal devices or computers connected to a workplace network.
Social engineering is nothing new: it has been the foundation of schemes for as long as people have existed. Criminals now have new and incredibly successful ways to reach millions of prospective victims in an era of digital communications.
The core characteristic of social engineering attacks is the perpetrator’s false identity and concealed intent. For example, the criminal may pose as a technician or employee of a company like PayPal or Facebook or a telecommunications company in order to convince the victim to share login data or account information or to go to a prepared website.
The classic example is the supposed system admin who calls the employee because the user’s password is needed to resolve a system error or security problem. Another common example is phishing e-mails that misuse the EU General Data Protection Regulation, which took effect in May 2018, to persuade victims to click links to give their consent.
We consider these examples typical in the sense that the perpetrator intends to give the victim the impression of increasing the security of a system or service. Victims who believe this feel they have acted in good faith or done the right thing. Unfortunately, this plays right into the hands of the perpetrator, who wants to steal access data or infect the victim’s system or software with malware. In the worst-case scenario, the malware will allow the criminals to infiltrate an otherwise well protected company network.
Digital communication channels like e-mail are especially attractive targets for social engineering. In a face-to-face situation, con artists must conquer all five senses of their victims. By contrast, digital communications are much easier pickings. In addition, private and professional social networks offer con artists an easy opportunity to gather and link a wide variety of background information about people or employees of a company.
This information can be used to carry out more targeted attacks. It makes it easier to gain the trust of victims by building a relationship to them. For example, a con artist might then be able to refer to hobbies, friends or colleagues and subsequently convince victims to do things they are not supposed to do.
Phishing is one of the most well-known forms of social engineering; it literally means fishing for passwords. The idea is to convince victims in a very realistic e-mail to click a link and then enter passwords or other login data on a fake website, allowing attackers to then collect this data.
In addition to mass phishing e-mails, a more targeted variant known as spear-phishing is becoming increasingly common. In these cases, e-mails are tailored to a small group of people or to individuals or employees before being sent out. This significantly increases the potential “hit count”.
In CEO fraud, criminals attempt to manipulate employees who are authorized to take decisions or make payments, persuading them to transfer large sums of money, supposedly on behalf of senior management.
Social engineering is used by criminals to take advantage of deep-seated human needs and wants, for example, to help others quickly and unbureaucratically, in order to achieve their nefarious goals. This makes it difficult to defend yourself consistently against this type of attack.
To reduce the risk of social engineering fraud schemes, you should follow the basic rules listed below:
- Use social networks responsibly. Decide carefully what personal information you want to share, considering that criminals could collect it and misuse it to try to fool you.
- Do not share any confidential information about your employer or your work on private or professional social networks.
- Never share passwords, access data or account information over the telephone or in e-mails. Remember that banks or other credible companies never ask customers to send confidential information via e-mail or over the telephone.
- Take special care when you receive e-mails from people you don’t know: if there is even a hint of doubt or reason for suspicion that an e-mail could be part of an attack, better not to respond at all. If it is a false alarm, the sender will most likely try to contact you via a different channel. Take time for a 3-second security check.
- If an e-mail requests an immediate response, take the time to give the sender a call to be sure that the e-mail is legitimate.
The human element has been found to be a contributing factor in the majority of cyber security incidents, and discussions surrounding human performance in cyber security remain a relevant topic. However, the scientific basis supporting discussion and decisions on addressing human sources of risk remains insufficient.
It is also important to acknowledge that human decision-making, situational awareness and flexibility are fundamental to enhanced cyber security resilience. Though defenses may be automated, their reliability is always human-mediated. Cyber security is an explicitly socio-technical problem. Human error remains a leading cause of most malicious attacks in cyber security. Other disciplines, such as healthcare, aviation, and defense, have utilized human factors research to reduce and treat risks. In comparison, the cyber security sector lags behind in leveraging human factors.
- Human error is the leading cause of cybersecurity breaches. In 2021 it was found to be responsible for 95% of these breaches according to the “IBM Cyber Security Intelligence Index Report”. This means that, if the human factors were mitigated, only 1 out of 20 security breaches would take place.
- This human error is usually caused by the misinformation of users and workers. People can endanger their company and their personal data because of a lack of awareness. In a company, this can lead to a large breach or security incident with an economic impact of millions of dollars. In the day-to-day, it can mean the theft of credit cards or the compromise of users’ personal files and data.
- A study conducted by Interpol showed that, during the first four months of 2021 (January to April), cyberattacks increased greatly: 907,000 spam messages, 737 malware-related incidents, and 48,000 malicious URLs.
- According to feedback from Interpol, 59% of the main Covid-19 related cyber threats involved phishing, scams and fraud; 36% of attacks included malware; 22% contained malicious domains; and 14% involved fake news. These figures are alarming: a phishing attack costs large companies nearly $15 million a year on average. The cost of phishing in 2021 is more than three times its cost in 2015 (Ponemon Cost of Phishing Study, 2021).
Cyber attackers are taking advantage of lockdowns, working from home, and online studies to steal information by posing as companies, public entities, and universities. Cybercriminals know how to take advantage by attacking the lowest hanging fruit.
It is very important to know the attacker in order to protect yourself effectively. The motive behind these crimes is not the same for all types of attackers: money, information, theft, elimination of competition, or having fun are among the most frequent reasons.
It is also crucial to counter disinformation by learning which attacks are most common, the characteristics they share that can help people avoid being deceived, and the best ways to recognize each one.
Data Exposure & Common Mistakes
Cybercriminals use user information to select their victims. They obtain such valuable information on the Internet through users’ digital footprints and social media. It is the responsibility of users to be aware of the information they publish and of the most common cybersecurity mistakes that users continue to make.
Good Practices & Recommendations
It is not enough to know the cybersecurity risks, attacks and mistakes already mentioned; there are also best cybersecurity practices, designed to help you prevent fraud and scams and browse the Internet as safely as possible, that should always be considered.
Cybersecurity awareness training, keeping software updated and keeping good practices in mind are still the best solutions against misinformation.
Types of Human-related Security Incidents
A security incident is any event related to compromised data resulting from missing or failed security measures. Specifically in cybersecurity, an information security incident involves the unauthorized access, use, disclosure, breach, modification, or destruction of data.
Typically an event is categorized as a “security incident” when it is widespread enough to disrupt your normal business operations. That’s not the same as a “security event,” which is a single incident that usually doesn’t disrupt your organization. A security incident is a more serious problem – and it doesn’t necessarily need to be a successful attack to necessitate a response from your organization.
A cybersecurity security incident could be anything from a potential threat to a successful attack; just because your information wasn’t compromised doesn’t mean you should ignore the incident altogether. Any security incident that occurs, successful or not, should result in a review of the tools, policies, and procedures you have in place to prevent similar events from happening again.
In many cases, the result of a cybersecurity incident is a breach of personal data. Such incidents can inflict huge financial and reputational harm on the victim. In 2021 the average cost of a data breach was $4.24 million, a figure which is likely to grow considerably in the coming years. Businesses also face additional costs for regulatory fines, fees, and even legal action in extreme cases.
Using technology to their advantage, cyber criminals will do everything and anything possible for financial gain. Here are some of the most common types of security incidents executed by malicious actors against businesses and organizations:
Unauthorized Access Attacks
This type of incident involves any unauthorized attempts by a threat actor to access systems or data using an authorized user’s account. How a cybercriminal gains access to user accounts often remains a mystery, even long after an attack. Still, your organization can do a few things to prevent this type of security incident from occurring.
If you don’t already do so, require multi-factor authentication (MFA) for all users. This will require users to provide additional identifying information (say, a one-time verification code sent to their phone) after they enter a correct username and password. Many times, multi-factor authentication alone can deter a potential security incident from occurring, since criminals will simply move on to another target that doesn’t use MFA.
Also, consider encrypting your sensitive corporate data at rest and in transit using suitable software or hardware technology. This way, attackers won’t be able to access confidential data such as your account or credit card details even if an attack succeeds.
Privilege Escalation Attacks
This type of incident occurs when an attacker attempts to gain unauthorized access to an organization’s network, and then tries to obtain more privileges using a privilege escalation exploit. A successful privilege escalation exploit grants threat actors privileges that normal users don’t have. Usually, this type of attack takes place only after a hacker has already compromised an organization’s endpoint network security by gaining unauthorized access to a lower-level user account. With privileged access to your most sensitive information, there’s no telling what a cybercriminal might do.
To prevent this type of security incident, start by looking for and remediating any security vulnerabilities in your IT environment. Ideally, your organization should do this by conducting regular vulnerability assessments and scans as part of your overall risk management program.
Another tactic is to use the “principle of least privilege” to limit the access rights for users to the bare minimum permissions they need to do their jobs. Also consider security monitoring tools to help you collect and analyze potential security threats, so you can respond appropriately.
Insider Threat Attacks
Insider threats are malicious (intentional) or accidental (unintentional) threats caused by employees, former employees, or third parties, including contractors, temporary workers, or customers.
While preventing insider threats can be difficult, you can take some steps to reduce the chance of an incident. First and foremost, you should implement spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine.
You should also train your employees (and any contractors) on security awareness before allowing them access to your computer networks. A robust security awareness training program should also include routine training sessions to avoid any unintentional security incidents resulting from user error.
You can also implement employee monitoring software to reduce your risk of a data breach or intellectual property theft by identifying careless, disgruntled, or malicious insiders. Additionally, an internal whistleblower program (that protects employees who come forward) can help your organization to gain intel about potential security incidents.
A data loss prevention policy will also let insiders know what’s expected of them when handling company data and that they’re being monitored for unwanted behaviors. Sometimes this alone is enough to prevent internal actors from acting carelessly or maliciously.
Phishing Attacks
In this type of social engineering attack, the attacker assumes the identity of a reputable entity or person via email to distribute malicious code or links that can perform various functions, such as obtaining login credentials or account information from victims. More targeted phishing attacks are known as spear phishing attacks, where the attacker invests more time researching the victim to pull off an even more sophisticated attack to steal information.
On a technical level, a gateway email filter will help you trap a large number of mass-targeted phishing emails and reduce the overall number of emails that reach your users’ inboxes. You probably still won’t be able to prevent every single phishing attempt from entering every single inbox, so you’ll need to take other steps as well.
Start by educating your users so that they’re better able to identify phishing attempts on their own. In some organizations, incentive programs encourage employees to identify and report phishing emails in exchange for a reward. These types of programs have prevented phishing attacks from leading to more serious types of security incidents, like malware attacks.
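The warning signs described in this section can also be turned into a first-pass check in front of the inbox. The following scorer is an added example, not code from the original text: it flags untrusted sender domains, a Reply-To that differs from the From address, pressure phrases, and links whose visible text names one host while the real target is another. The trusted-domain list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this (hypothetical) organization trusts; constructed for the example.
TRUSTED_DOMAINS = {"corp.example", "example-bank.com"}
# Pressure phrases typical of the "act now or lose access" framing used in phishing.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "verify your account")
SUSPICIOUS_THRESHOLD = 4

ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample messages (not real mail).
LEGIT_MAIL = """From: IT Helpdesk <helpdesk@corp.example>
Subject: Monthly maintenance window

The file server is offline on Saturday morning.
Details: https://intranet.corp.example/maintenance
"""

PHISH_MAIL = """From: PayPaI Security <alerts@paypal-secure-login.biz>
Reply-To: collect@mail-drop.example
Subject: Your account will be suspended

Verify your account immediately or lose access:
<a href="http://198.51.100.7/login">https://www.paypal.com/signin</a>
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score one RFC 822 message; a higher score means more phishing-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if from_domain not in TRUSTED_DOMAINS:
        score += 1
        reasons.append(f"sender domain {from_domain!r} is not trusted")

    # A Reply-To pointing elsewhere means answers go to a mailbox the sender controls.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        score += 2
        reasons.append("Reply-To domain differs from From domain")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"urgency phrase {phrase!r}")

    # Visible link text that names one host while the href goes to another.
    for href, visible in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        visible_host = (urlparse(visible.strip()).hostname or "").lower()
        if visible_host and href_host != visible_host:
            score += 3
            reasons.append(f"link text shows {visible_host!r} but points to {href_host!r}")
        if IPV4_RE.match(href_host):
            score += 2
            reasons.append(f"link target is a bare IP address {href_host!r}")

    return score, reasons


def is_suspicious(raw: str) -> bool:
    """True when the message should be quarantined or flagged for the user."""
    return score_message(raw)[0] >= SUSPICIOUS_THRESHOLD
```

The reasons list is what a user-facing banner or a report-phishing button should show, so people learn to recognise the same signs themselves.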
Malware Attacks
Malware is a broad term for various malicious software, including Trojans, worms, ransomware, adware, spyware, and other types of viruses. Malware can either be inadvertently installed when a user clicks on an advertisement, visits an infected website, or installs freeware or other infected software; or, it can be installed intentionally by insider threat actors or malicious actors with unauthorized access.
The signs of a malware attack include unusual system activity, sudden loss of disk space, unusually slow speeds, repeated crashes or freezes, increased unwanted internet activity, and pop-up advertisements.
To protect your organization against this type of security incident, you should install an antivirus tool to detect and remove any malware. Whether you decide on real-time protection or routine system scans to detect and remove malware, whichever security solution you choose should protect your organization against any existing malware and any future malware attacks.
Distributed Denial-of-Service or DDoS Attacks
This type of security incident occurs when a threat actor floods the target system with traffic, or sends information that triggers a shutdown of an individual machine (or an entire network), so that it cannot respond to service requests. Typically, these attacks can be dealt with by simply rebooting the system.
You can also reconfigure your firewalls, routers, and servers to block any future unwanted traffic. Keep your firewalls updated with the latest security patches as part of your overall patch management program to keep your systems, software, and applications at their most secure. If you choose, you can also integrate front-end hardware into your network to help analyze and screen data packets to classify them as they enter the system.
Man-in-the-Middle (MitM) Attacks
This type of incident occurs when an attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In a man-in-the-middle attack, the attacker manipulates both victims to gain access to their data. This can occur via session hijacking, email hijacking, and Wi-Fi eavesdropping.
Although this type of attack is difficult to detect, there are some ways to prevent it. You should first consider implementing an encryption protocol that provides authentication, privacy, and data integrity between communicating computer applications, such as Transport Layer Security (TLS), or a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network, such as the Secure Shell Protocol (SSH).
You should also educate your employees on the dangers of using open public Wi-Fi networks, because it’s much easier for hackers to commit cybercrime by exploiting these connections. For the best protection, use a virtual private network (VPN) to help ensure more secure connections.
Password Attacks
A password attack is expressly aimed at obtaining a user’s password or an account’s password. To do so, hackers use various methods, such as password-cracking programs, dictionary attacks, password sniffers, or simply guessing passwords via brute force trial and error.
A password cracker is an application or program used to determine an unknown or forgotten password to a user account. When in the hands of a hacker, a password cracker can be used to gain unauthorized access to company resources.
A dictionary attack attempts to break into a password-protected computer system or server by systematically entering every word in the dictionary as a password until the attacker guesses correctly. While this method might not be the most efficient, if a hacker does guess a correct password, he or she may then try to log in to multiple accounts using the same hacked password.
A brute force attack is when a hacker or bot attempts to log in using a series of generated passwords over and over again until the attacker succeeds. This type of trial-and-error attack can also cause websites to crash, which is another reason why multi-factor authentication is so important.
These types of security incidents can be difficult to prevent completely, but you can take some steps to defend yourself against them in the future. As mentioned above, multi-factor authentication is the best way to prevent unauthorized logins. Even if a cybercriminal guesses the correct password, that alone won’t be enough information to let them into your system.
You should also insist that your employees use strong passwords that include at least seven characters as well as a mix of upper and lower case letters, numbers, and symbols. Users should also change their passwords regularly and avoid reusing passwords across multiple accounts. Any passwords your organization stores should be kept in secured repositories and should also be encrypted.
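Three defensive pieces of this section can be shown in code: checking a password against the policy stated above (including rejecting dictionary words), storing it as a salted slow hash rather than in the clear, and spotting dictionary or brute-force attempts, and one source trying the same guess across many accounts, in an authentication log. This is an added example, not code from the original text; the word list, thresholds and log lines are constructed for it.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tiny constructed word list standing in for the dictionary an attacker would try.
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}
MIN_LENGTH = 7  # the minimum length recommended above


def check_password_policy(pw: str) -> list[str]:
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, label in ((r"[a-z]", "lower-case letter"), (r"[A-Z]", "upper-case letter"),
                           (r"\d", "digit"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    # Strip digits and symbols so "Summer2024!" is still recognised as a dictionary word.
    if re.sub(r"[^a-z]", "", pw.lower()) in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> str:
    """Store a salted, deliberately slow (scrypt) hash rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed authentication log: timestamp result user source-address
AUTH_LOG = """\
2024-03-04T09:00:00 OK user=alice src=192.0.2.10
2024-03-04T09:00:05 FAIL user=bob src=198.51.100.23
2024-03-04T09:00:06 FAIL user=bob src=198.51.100.23
2024-03-04T09:00:07 FAIL user=bob src=198.51.100.23
2024-03-04T09:00:08 FAIL user=bob src=198.51.100.23
2024-03-04T09:00:09 FAIL user=bob src=198.51.100.23
2024-03-04T09:01:00 FAIL user=carol src=203.0.113.9
2024-03-04T09:01:01 FAIL user=dave src=203.0.113.9
2024-03-04T09:01:02 FAIL user=erin src=203.0.113.9
2024-03-04T09:30:00 FAIL user=alice src=192.0.2.10
"""
LOG_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def detect_password_attacks(log: str, fail_threshold: int = 5, account_threshold: int = 3,
                            window: timedelta = timedelta(minutes=2)) -> list[str]:
    """Flag rapid repeated failures on one account (brute force or dictionary attack)
    and one source failing against several accounts (the same guess tried everywhere)."""
    failures = defaultdict(list)     # user -> timestamps of recent failures
    accounts_hit = defaultdict(set)  # source -> accounts it failed against
    alerts = set()
    for line in log.splitlines():
        match = LOG_RE.match(line)
        if not match or match.group(2) != "FAIL":
            continue
        ts, _, user, src = match.groups()
        now = datetime.fromisoformat(ts)
        failures[user] = [t for t in failures[user] if now - t <= window] + [now]
        accounts_hit[src].add(user)
        if len(failures[user]) >= fail_threshold:
            alerts.add(f"brute force against {user} from {src}")
        if len(accounts_hit[src]) >= account_threshold:
            alerts.add(f"source {src} is failing against many accounts")
    return sorted(alerts)
```

An alert from detect_password_attacks is the point at which to lock the account or throttle the source; with MFA enforced, a guessed password alone still does not yield a login.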
Web Application Attacks
This type of incident occurs when a web application is used as the vector for an attack. Web application attacks include exploits of code-level vulnerabilities in the application and attacks that thwart authentication mechanisms.
For example, a cross-site scripting attack is a type of web application attack that occurs when an attacker injects data (such as a malicious script) into content from otherwise trusted websites.
To avoid this attack, your organization should review code early in the development phase to detect any vulnerabilities automatically, by using static and dynamic code scanners. You should also implement bot detection functionality to prevent bots from accessing your application data. Finally, a web application firewall will help you monitor your network and block potential attacks.
Another type of web application attack is an advanced persistent threat (APT), a prolonged and targeted cyberattack typically executed by cybercriminals or nation-states to gain access to a network and remain undetected for a period of time. Ultimately, this type of security incident aims to monitor the target’s network activity and steal data rather than cause damage to the network or organization.
To avoid this type of attack, your organization should monitor incoming and outgoing traffic to prevent hackers from installing backdoors and extracting sensitive data. Again, web application firewalls at the edge of your network perimeter will help to filter any traffic coming into your web application servers. A firewall can also help filter out application layer attacks, such as SQL injection attacks which are often used during the APT infiltration phase.
How to Prevent Security Incidents
For each of the common security incidents described above, we included several steps you can take to prevent, or at least reduce the chances of, an incident occurring. To make things easier, we’ve compiled those suggestions into a singular and actionable list so that you can start preventing and mitigating security incidents for your organization.
Security Incident Detection
The first step to preventing security incidents is to put the right tools and processes in place to detect them as early as possible. Security incident detection matters not only for responding before an incident does damage but also so that you can track and trace its origin and put the appropriate security controls in place to prevent it from happening again. Make sure all operating systems are up to date.
Monitor User Account Behavior
Implement behavior analytics tools to monitor user account behavior. Before looking for any anomalous behavior, you need to set the baseline for what “normal” behavior looks like. Once you’ve established that pattern, you can start looking for departures from it, especially for privileged users. Any unusual behavior could be an indication that a security incident is taking place.
You should also monitor for unauthorized users attempting to access servers and data, or requesting access to data that isn’t critical to their job function. This type of behavior indicates two scenarios: an insider attempting to gain unauthorized access to confidential information for malicious purposes, or a malicious actor has already gained access to a user account and is using that account to attempt to gain access to more privileged data.
As a general rule, you should always use the principle of least privilege regarding your data. This means only granting access to data to those employees who need access to perform their duties. To implement this principle, however, you’ll need to start by categorizing your data by sensitivity, so that you know which data your employees should have the least access to. You’ll also need clearly defined roles for the users in your organization, so you’ll know which data different types of users need.
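The baseline-then-deviation approach described under “Monitor User Account Behavior”, together with the least-privilege check this paragraph (and the privilege escalation section above) calls for, can be combined over one access log. This is an added example, not code from the original text; the data classification, role clearances and both log excerpts are constructed for it.

```python
from collections import defaultdict
from datetime import datetime

# Assumed data classification and per-role clearance (constructed for the example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_CLEARANCE = {"sales": "internal", "hr": "confidential", "admin": "restricted"}
RESOURCE_CLASS = {
    "/wiki/handbook": "internal",
    "/crm/leads.csv": "internal",
    "/hr/payroll.xlsx": "confidential",
    "/finance/deal-memo.docx": "restricted",
}

# Constructed access logs: timestamp user role resource. The first block is the
# quiet period used to learn what "normal" looks like; the second is live traffic.
BASELINE_LOG = """\
2024-03-01T09:12:00 alice sales /crm/leads.csv
2024-03-01T10:40:00 alice sales /wiki/handbook
2024-03-04T09:05:00 alice sales /crm/leads.csv
2024-03-05T14:30:00 alice sales /crm/leads.csv
2024-03-01T08:30:00 bob admin /finance/deal-memo.docx
2024-03-04T16:45:00 bob admin /hr/payroll.xlsx
"""

LIVE_LOG = """\
2024-03-11T10:05:00 alice sales /crm/leads.csv
2024-03-11T02:40:00 alice sales /hr/payroll.xlsx
2024-03-11T08:15:00 bob admin /finance/deal-memo.docx
2024-03-11T12:00:00 mallory sales /crm/leads.csv
"""


def parse_log(log: str):
    for line in log.splitlines():
        ts, user, role, resource = line.split()
        yield datetime.fromisoformat(ts), user, role, resource


def build_baseline(log: str) -> dict:
    """Per user, record which resources and which hours of the day are usual."""
    baseline = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, _, resource in parse_log(log):
        baseline[user]["resources"].add(resource)
        baseline[user]["hours"].add(ts.hour)
    return baseline


def find_anomalies(baseline: dict, log: str) -> list[str]:
    """Flag departures from the baseline and any access above the role's clearance."""
    alerts = []
    for ts, user, role, resource in parse_log(log):
        profile = baseline.get(user)  # .get() does not create an empty profile
        if profile is None:
            alerts.append(f"{user}: no baseline, first activity seen")
        else:
            if ts.hour not in profile["hours"]:
                alerts.append(f"{user}: activity at {ts.hour:02d}:00, outside usual hours")
            if resource not in profile["resources"]:
                alerts.append(f"{user}: first access to {resource}")
        # Least-privilege check: unclassified resources are treated as the most sensitive.
        label = RESOURCE_CLASS.get(resource, "restricted")
        if SENSITIVITY[label] > SENSITIVITY[ROLE_CLEARANCE[role]]:
            alerts.append(f"{user}: role {role} accessed {label} data {resource}")
    return alerts
```

The clearance alert is the one that should never fire in a correctly provisioned system: if it does, either the role mapping or the actual permissions on the resource are wrong and need fixing, not just the user investigating.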
Monitor Network Traffic
Your organization’s network is the gateway into your systems and data. Keeping it secure is the best way to prevent attackers from gaining unauthorized access to your organization’s sensitive information. It’s important to monitor the traffic coming into your network, and the traffic leaving your network perimeter.
This traffic might include insiders uploading large files to personal cloud applications, sending large numbers of e-mail messages with attachments to addresses outside the company, or downloading large files to external storage devices such as USB drives. You should also monitor any traffic sent to or from unknown locations, especially if your company only operates in one country.
In general, your administrators should investigate any unknown or suspicious network traffic to ensure its legitimacy. Even if nothing malicious is occurring, it’s better to be safe than sorry.
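The three egress patterns named above (large uploads to personal cloud storage, traffic to countries the company does not operate in, and an unusually large daily outbound volume per user) can be checked over flow records. This is an added example, not code from the original text; the operating-country set, the personal-cloud host list, the thresholds and the flow lines are all constructed for it.

```python
from collections import defaultdict

# Assumptions constructed for the example: where the company operates, which
# destinations are personal cloud storage, and what counts as a large upload.
OPERATING_COUNTRIES = {"DE"}
PERSONAL_CLOUD_HOSTS = {"drive.personal-cloud.example", "share.box-like.example"}
LARGE_UPLOAD = 200 * 1024 * 1024       # bytes in a single flow
DAILY_EGRESS_CAP = 500 * 1024 * 1024   # bytes per user per day

# Constructed egress flow records: timestamp user destination country bytes_out
FLOWS = """\
2024-03-11T09:00:00 alice crm.corp.example DE 120000
2024-03-11T09:20:00 alice drive.personal-cloud.example US 350000000
2024-03-11T13:10:00 alice drive.personal-cloud.example US 260000000
2024-03-11T10:00:00 bob updates.vendor.example DE 4000000
2024-03-11T11:30:00 bob 203.0.113.55 RU 900000
2024-03-11T12:00:00 carol mail.corp.example DE 5000
"""


def review_egress(flows: str) -> list[str]:
    """Return alerts for large uploads to personal cloud, traffic to unexpected
    countries, and users whose outbound volume for a day exceeds the cap."""
    alerts = []
    daily_out = defaultdict(int)  # (user, date) -> bytes sent so far that day
    capped = set()                # (user, date) pairs already reported once
    for line in flows.splitlines():
        ts, user, dst, country, out = line.split()
        out = int(out)
        day = ts[:10]
        if dst in PERSONAL_CLOUD_HOSTS and out >= LARGE_UPLOAD:
            alerts.append(f"{user}: {out // 2**20} MiB uploaded to {dst}")
        if country not in OPERATING_COUNTRIES:
            alerts.append(f"{user}: traffic to {dst} in {country}, outside operating countries")
        daily_out[(user, day)] += out
        if daily_out[(user, day)] > DAILY_EGRESS_CAP and (user, day) not in capped:
            capped.add((user, day))
            total_mib = daily_out[(user, day)] // 2**20
            alerts.append(f"{user}: {total_mib} MiB sent on {day}, above daily cap")
    return alerts
```

Each alert names the user and destination so an administrator can follow the advice below and confirm legitimacy before deciding whether anything malicious is going on.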
Monitor Suspicious Activity
Beyond monitoring user account behavior and network traffic, you should also monitor other types of activity. For example:
- Excessive consumption of, or a sudden change in the load on, server memory or hard drives could mean an attacker is using them.
- Changes in a configuration that haven’t been approved, such as reconfiguration of services, installation of startup programs or firewall changes, are often a sign of possible malicious activity.
- Hidden files that might be considered suspicious due to file names, sizes, or locations and could indicate a data leak.
- Unexpected changes such as user account lockouts, password changes or sudden changes in group memberships.
- Abnormal browsing behavior like unexpected redirects, changes in browser configuration, or repeated pop-ups.
- Suspicious registry entries, which are usually a result of a malware infection.
Security Incident Management
As you continuously monitor for threats, your organization will inevitably need to evaluate the risk an attack could pose as well as the vulnerabilities an attacker might exploit to do so. If you haven’t already done so, now is the time to implement a risk management program designed to help your organization identify, analyze, prioritize, and mitigate cyber risks.
Cyber Risk Management
The cyber risk management process never ends. Once you begin, you’ll need to keep the program alive and well if you want it to benefit your organization.
Start by creating a list of your company assets and keeping it current; it’s impossible to know how to protect your assets if you aren’t exactly sure what those assets are. Then conduct a risk assessment to determine the level of risk each of those assets presents to your organization. Next, prioritize those risks and create a mitigation plan for each one you identify. Finally, after mitigating your existing cyber risks, it’s time to start the process again.
In general, your organization should regularly conduct vulnerability assessments to identify vulnerabilities in your systems, software, and applications throughout the risk management process. In addition, you should also regularly conduct risk assessments to determine whether your internal security controls are working effectively to prevent threats from doing damage.