People Vulnerabilities

Video Transcription
00:00
>> Hi and welcome to Lesson 1.1.3, People Vulnerabilities.

Human beings are not perfect, and in the security chain we are the weakest link. We're much more vulnerable than technology or process will ever be because we're just not perfect. We make mistakes all the time, and attackers know this, and there are a lot of exploits that are directed at human beings instead of at the technology. Let's talk a little bit about some of those vulnerabilities and some of those things that people do that make them vulnerable.

We can break up people vulnerabilities into a few different categories. Let's talk about end-users first. Now, an end-user is just anybody who uses a compute device in the environment. You've got people that use laptops or PCs or whatever. I'm going to throw up some interesting stats here on the screen, and let's start with this one. This is according to the 2019 Verizon Data Breach Investigations Report. Now, that's a report that Verizon puts out every year that talks about all of the different breaches that were reported around the globe and what they had in common, what things keep showing up time and time again so we can take action against them.

One of the interesting stats was 32 percent. Now, think about that. That's almost 1/3 of all of the breaches that occurred in 2018 involved some email phishing. That means that in 1/3 of all data breaches in 2018, an e-mail was sent to somebody to try to get them to click a link or open an attachment, and that was likely the vector of attack. That's how an attacker got into an environment. That's a huge number. This is where we talk about people representing such a big risk; the stat shows it.

Another interesting one is, same report, 29 percent of all of those breaches in 2018 involved stolen credentials. Someone's password got stolen, or they had it on a sticky note, or somebody hacked into their system or something, but some stolen credentials were used, and again, almost 1/3 of all breaches.

The last stat I'll throw up there is another interesting one. This is from a company called Preempt, and they did a data science study back in 2017. LinkedIn had a breach a while back, and there were a bunch of credentials that were dumped from that breach out into the public. You could just go and grab it. Preempt grabbed all of the credentials from the LinkedIn breach, which by the way was 180 million credentials. They also grabbed data from a bunch of other different breaches, and they compared the two. What they found is that 35 percent of the credentials used in that LinkedIn breach, so we're talking about 60 million or so credential sets, they found in other breaches. That means that people are reusing passwords across multiple websites. If I use a password in this website and this website, and this website gets compromised, well, I'm compromised now over here too. If I use it across 20 websites, I just increase my threat footprint, if you will. That's a people problem.

IT administrators are not immune to it. Administrators have their own set of vulnerabilities. A lot of times what I'll see is administrators give themselves just too much access to the environment. It's easier to give themselves root access to everything so that they have it when they need it than it is to really thoughtfully think through what access you'll need and give yourself permission based on that. IT administrators, a lot of times they have this "well, it won't happen to me. I'm too smart for that. I would never fall for that or click a link or something like that" attitude, or sometimes they bypass the process. But what you have to keep in mind is that if you're an IT administrator, you have access to more sensitive information than most people do, and attackers know that. They're going to craft specific spear-phishing attacks or specific attacks geared towards you. You're not going to get the standard run-of-the-mill easy-to-spot attacks. If someone wants the stuff in your environment bad enough, they're going to craft something directed at you as an administrator that may very well fool you. It's good that administrators don't have this "I need rights to everything" attitude, but reduce that risk by only giving yourselves access to what you need.

Executives are another one. A lot of times executives, they travel a lot, and they're connecting to unsecured Wi-Fis. Executives have access to even more sensitive information than IT administrators. They know things about mergers and acquisitions or upcoming stock trades or whatever. They know all sorts of stuff. When they connect to an unsecured Wi-Fi, they run the risk of getting that data exposed. I've also seen a lot where an executive will mail something to their house if they are busy: "I'm just going to email this to myself, to my Gmail account, and I'll work on it tonight when I get home." Well, as soon as you send that email out of your organization, all the protections that your organization provided are gone, and now there are emails floating around in an unprotected environment. I've seen a lot of breaches happen that way.

Sometimes executives will take a "do as I say and not as I do" approach. For example, maybe there's a policy that says you can't plug USB drives into systems in the environment because it's a way that people can steal data or a way that malware can be introduced. But the executive says, "Oh no, no, no, make an exception for me for that policy because I need my presentations on a USB flash drive because it's easier for me to access." There are other ways to go about that. An executive should think about: are you putting your organization at risk by giving yourself exceptions to the very policies that you're forcing your organization to go through?

How do we mitigate people vulnerabilities? There's just one thing: training and awareness. Let's make sure we train people, we make them aware of what the risks are out there and aware of how to mitigate those risks. It's just all about continual training and awareness and continued engagement from the end-user population.

That's it for our quick lesson on people vulnerabilities. Next up we're going to talk about Lesson 1.2, where we're going to talk about some attackers.