People are the weakest link in any cybersecurity system. Conversations about the cyber issue typically focus on systems, the primary targets of hackers and cyber criminals, as opposed to the people using them. Hackers can always count on the “human factor”—whether it’s an innocent mistake or calculated malfeasance—to help them gain access to an otherwise secure system.
Malicious insiders are usually disgruntled employees who retaliate against their employers (or former employers) by exploiting their understanding of or control over the network in question. Because of their network privileges, insiders have the capability to do incredible damage. For example, in 2008, a network administrator for the city of San Francisco was fired and subsequently locked the entire city administration out of its own network. He was able to use his privileged position to hurt the city government in a way that few outsiders could. Malicious insiders also sell or release confidential information that belongs to their employer. Edward Snowden, the former National Security Agency contractor who leaked classified documents that exposed NSA global surveillance activities, is arguably the most famous example of this type of insider threat.
More often than not, hackers exploit the actions of careless employees to gain access, a tactic known as social engineering. By far, the most common and effective tactic is spear-phishing, which infects networks through links and email attachments that are tailored to their recipient so that the individual in question thinks they are genuine. Almost all highly effective cyber criminal groups employ this tactic to breach targeted networks. Employees are also often duped by hackers who use a legitimate pretext—such as posing as customers or technical support—to solicit specialized information. These deceptions are usually enabled by lax security procedures rather than by any ill will on the part of any employee.
Even the private emails of the leadership of the intelligence community are at risk. The CIA Director and the Department of Homeland Security (DHS) Secretary reportedly had their personal email accounts hacked recently. The alleged breach was orchestrated by a hacker who contacted the New York Post to tout his feat. The hacker told the paper he was an American high school student, and that he used social engineering to trick employees at Verizon into providing CIA Director John Brennan’s “personal information and duping AOL into resetting his password.” The hacker claimed Brennan’s account contained sensitive files. He posted some of the documents on Twitter. When The Cipher Brief reached out to CIA for comment, an Agency spokesman said, “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”
The most effective way to deal with the cyber problem is to stop treating it as an IT issue and create a culture of cybersecurity throughout an organization. That means employers must instill within their workforce common-sense practices such as the careful handling of strange email, questionable attachments, and private communication devices in the workplace. It also includes creating procedures for distributing information and determining network privileges. Above all, it means learning from the experience of San Francisco and avoiding a situation where too much power accrues in the hands of a single employee or group of employees.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.