Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:01
hi and welcome to lesson 1.1 dot three people vulnerabilities.
00:05
You know, human beings are not perfect. And in the security chain, we are the weakest link were much more vulnerable than technology or process will ever be
00:16
because we're just not perfect. We make mistakes all the time, and Attackers know this, and there's a lot of exploits that air directed at human beings instead of at the technology.
00:27
So let's talk a little bit about some of those vulnerabilities that some of those things that people do that make them vulnerable.
00:34
We can break up people vulnerabilities into a few different categories. Let's talk about in users first known in users, just anybody who uses a computer device in the environment. You've got people that use laptops or PCs or whatever. I'm gonna throw up some interesting stats here on the screen,
00:50
and let's start with this one. This is according to the 2019 Verizon Data Breach investigations report.
00:55
Now that's a report that Verizon puts out every year that talks about all of the different breaches that were reported around the globe and what they had in common. What things keep showing up time and time again so we can take action against him. And one of the interesting stats was 32% Think about. That's almost 1/3
01:15
of all of the breaches that occurred in 2018
01:18
involves some sort of email phishing.
01:19
That means that in 1/3 of all data breaches in 2018 an email was sent to somebody to try to get them to click a link or open an attachment, and that was likely the vector of attack. That's how an attacker got into an environment that's a huge number. So this is where we talk about people representing such a big risk. This stat shows it.
01:38
Another interesting one is 29% same report. 29% of all of the breaches in 2018 involves stolen credentials. Someone's password got stolen or they headed on a sticky note or somebody you know back into their system or something. But some sort of stolen credentials were using again. Almost 1/3 of all reaches
01:59
and the last debt I'll throw up there is another interesting one. This is from a company called Preempt Um, and they did a data science study back in 2017
02:08
where they took there was, ah, breach linked in had a breach a while back. And there were a bunch of credentials that were dumped. From that breach out into the public, you could just go and grab it. So this preempt grabbed all of the credentials from the linked in breach, which, by the way, was 180 million credentials.
02:25
They also grabbed a data from a bunch of other different breaches,
02:29
and they compared the to. And what they found is that the credentials 35% of the credentials used in that linked in breach. So we're talking about 60 million or so credential sets
02:40
they found in other breaches. Well, that means that people are reusing passwords across multiple websites. So I use a password in this website and this website and this website gets compromised while I'm compromised. Now, over here, too. So if I use it across 20 websites, I just increase my my threat footprint, if you will.
03:00
That's a people problem.
03:04
I t administrators are not immune to it. Administrators have their own set of vulnerabilities. You know, a lot of times what I'll see his administrators give themselves just too much access to the environment. It's easier to give themselves root access to everything so that they have it when they need it than it is to really thoughtfully think through what access you'll need
03:23
and give yourself permission based on that.
03:25
I t administrators. You know, a lot of times they have this. Well, it won't happen to me. I'm too smart for that. I would never fall for that or click a link or something like that, or sometimes they bypass the process.
03:35
But what you have to keep in mind is that if you're a nightie administrator, you have access to more sensitive information than most people do, and Attackers know that. So they're going to craft specific spear phishing attacks or specific attacks geared towards you. You're not going to get the standard run of the mill easy to spot attacks if someone wants to it.
03:53
If the stuff in your environment bad enough, they're gonna craft something
03:57
directed at you as an administrator, that may very well fool you. So it's good that administrators don't have this. I need rights, toe everything attitude, but really be reduced that riffs by only giving yourselves access to what you need
04:12
and executives or another one. You know, a lot of Times executives, they travel a lot. They're connecting toe unsecured wife eyes. You know, executives have access to even more sensitive information than I t administrators. You know, they know things about mergers and acquisitions or,
04:26
um, you know, upcoming stock trades or whatever they know all sorts of stuff.
04:30
So when I connect to an unsecured WiFi, they run the risk of getting that data exposed. I've also seen a lot where an executive will mail something to their house or their busy right? So I'm just gonna email this to myself to my Gmail account. I'll work on it tonight when I get home.
04:45
Well, as soon as you send that email out of your organization, all the protections that your organization provided have gone. And now this e mails floating around in an unprotected environment. I've seen a lot of breaches happen that way,
04:56
and sometimes sometimes executives will take a do as I say and not as I do approach. For example, maybe there's a policy that says you can't plug in USB drives into into systems in the environment because, you know, it's a way that people can still data or away that malware could be introduced. But the executive says, Oh, no, no, no. Make a make an exception for me for that policy because
05:15
I need my presentations on a USB flash drive because it's easier for me to access.
05:19
Were there other ways to go about that? And so executive should think about? Are you putting your organization at risk by giving yourself exceptions to the very policies that you're forcing your organization to go through?
05:33
How do we mitigate people? Vulnerabilities? What's its? There's just one thing. Training and awareness. Let's make sure we train people. We make them aware of what the risks are out there and aware of how to mitigate those risks. It's just all about continual training and awareness and in continuous engagement from the end user population.
05:54
That's it for a quick lesson on people Vulnerabilities. Next up, we're gonna talk about less than one dot to where we're gonna talk about some Attackers

Up Next

Infrastructure Security

This course will cover the concepts needed to identify and prevent threats across an enterprise environment. The course content will cover the practical application of security principles, models, and technology covered in previous courses.

Instructed By

Instructor Profile Image
Scott Russ
Security Architect at Nerdery
Instructor