Humans are the vulnerability CIOs and CISOs should look to fortify, defend against

Oct. 24, 2023
By identifying key employee risk profiles, security leaders can tailor their strategies to mitigate risks effectively.

The most significant recently disclosed vulnerabilities this year have one thing in common -- human beings.

If there is a software vulnerability, it is sure to have been introduced by a human being. If an exploit has been developed for a vulnerability, there is a human being involved in its execution. Ransomware is nothing without the ransomware actor. BEC compromises would not exist if there was not a human interaction that was being exploited.

If there is a common error in deploying a software product, or a widely exposed software product is the attacker target of the month, a human is certainly at the core.  CIOs and CISOs should educate the humans within their scope of influence -- their employees -- and should focus on utilizing their threat intelligence teams educating themselves on how to detect technical and physical indicators of malicious or inadvertently dangerous human activity.

The vulnerability that all CIOs and CISOs should focus on educating and hardening the most is their employee population. Similar to taking a hardware or software-focused inventory of your environment’s assets, also be sure to identify employees that are critical to business continuity. There are  five core employee risk profiles for security leaders to consider. There may be some employees that possess several of the profiles:

VIPs

This group consists of individuals who command authority and often have significant access. These individuals are often both publicly known personally and for their association with the specific organization. They and their families are often seen as easy targets for targeted spear-phishing campaigns or whaling efforts. 

Leakages are most often observed from immediate family members or closest friends. Best profile-based mitigation options include focused PII removal efforts that include any immediate family members and active monitoring for digital/physical harm. Advanced authentication practices and intense security awareness training are critical for this group and should be focused around the threats they are most likely to face, along with the risks most likely to be realized internally. 

Money Movers

This group is authorized to transfer the organization’s funds. These employees are likely to interact with external domains both via email as well as potentially telephone/SMS and can easily fall victim to business-email-compromise (BEC) attempts. Beyond the typical social engineering attempts, this group can also cause catastrophic impact if authentication practices are lacking. 

The most important security control to implement for this group is pre-transfer controls or a standardized payment / account detail update workflow. In this process, secondary confirmation checks must be conducted using pre-existing data, and these roles should be limited to internal interactions only.

When a third-party interactor engages with this team, they should communicate internally to facilitate necessary changes. This compartmentalization of duties improves the security posture of the organization and introduces the concept of a two-person review prior to the completion of any significant operational or payment related changes. If this group is externally facing, a quality DMARC or secure email gateway solution will be critical.

Sensitive IP Handlers

This group handles the organization’s most sensitive data. The best control for this group is to compartmentalize them where possible and limit external domain access where not absolutely necessary. This is also where technologies like UEBA and DLP should be first focused. 

System Administrators & Developers

This group typically has significant account access across multiple sensitive network segments and critical applications. They may also have access to products in development. 

Similar to the Sensitive IP Handlers above, the best mitigation strategy for this group is limiting external domain interaction where possible as well as adding UEBA controls. Ideally this group should only use their admin accounts when they need that access to perform a task. All other work should be performed leveraging a standard user account. 

Third-Party Interactors

Similar to the Money Movers group above, this segment of employees also sends and receives significant traffic to and from external domains. These employees also face telephone, SMS and email-based social engineering attempts. If these individuals also have access to sensitive IP, they may be subject to active recruiting efforts and other corporate espionage related activities. Some of these concerns can be better mitigated by performing more intense due diligence pre-engagement with each third-party entity. 

Human-Centric Cyber Strategies

As we've explored, the most potent security risks stem from human actions – intentional or unwitting. By identifying key employee risk profiles, security leaders can tailor their strategies to mitigate risks effectively. 

Each group will benefit from focused security awareness training, robust passphrase policies with complex characters and phishing-resistant MFA for core application authentication. 

In addition to trainings, CIOs and CISOs should have their threat intelligence teams study new vulnerabilities, evaluate the risk they pose to their respective companies, and create concrete, actionable detection and response plans. These steps are key to enhancing an organization’s overall cybersecurity posture. 

Paul J. Malcomb is an Intelligence Advisor at Nisos and brings over 15 years’ experience in cybersecurity and crisis management at Fortune 500, federal, state and local government and early-stage companies. Prior to joining Nisos, he was the sole Incident Commander for United Airlines, handling the worst incident response, insider threat, vulnerability-borne, third-party security situations. Previously he was on General Electric’s Cyber Crisis Management Team, where he was responsible for handling the worst cyber situations across multiple business units – managing those from escalation until closure, as well as handling all post-incident analysis.
About the Author

Paul Malcomb | Intelligence Advisor

Paul J. Malcomb is an Intelligence Advisor at Nisos and brings over 15 years’ experience in cybersecurity and crisis management at Fortune 500, federal, state and local government and early-stage companies. Prior to joining Nisos, he was the sole Incident Commander for United Airlines, handling the worst incident response, insider threat, vulnerability-borne, third-party security situations. Previously he was on General Electric’s Cyber Crisis Management Team, where he was responsible for handling the worst cyber situations across multiple business units – managing those from escalation until closure, as well as handling all post-incident analysis.