Zero Trust and the Human Factor

Nutanix.dev - Zero Trust And The Human Factor


Last week, the website KrebsOnSecurity published a story on the recent creation of a large number of fake LinkedIn profiles – and not just any profiles, but specifically CISO roles at Fortune 500 companies. Further in the article, Krebs shows that at least one of these fake CISOs made it onto CyberCrime Magazine’s CISO 500 list, a fee-based list sold on a subscription basis. This was a great example of how misinformation can multiply and spread as we continue to rely on internet-based information and reporting. It reminded me of the most important (and often the weakest) link in information security: humans.

Considering the human aspect of information security reminded me of Kevin Mitnick’s first book, ‘The Art of Deception’, which discussed how it was always easier and faster to trick a person into giving you information or access you normally would not have than to take the technical route of finding vulnerabilities in an organization’s infrastructure and exploiting them to reach the internal network and its resources. A quote from Kevin Mitnick about LinkedIn: “I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access.”

Human nature is to be more trusting of people you know than of people you don’t. Hackers have exploited social media to gather information about end users since its early days. For several years Facebook users were targeted the most, but it makes sense for hackers to move to platforms like LinkedIn, whose users are predominantly business professionals, rather than Facebook, which has a broader audience. With a stolen Facebook login, threat actors can easily spread malware among that user’s contacts, since people tend to be more trusting of posts and requests from friends or family than from strangers. This has pushed the boundaries of Zero Trust out to individuals: how they interact with the internet and, more importantly, whom they trust. It is why spear phishing (targeting specific individuals or businesses by impersonating popular websites or managers they are familiar with, and using urgent language to pressure the user into entering credentials on a compromised website or downloading malware) remains one of the most effective attack vectors out there.

Being a science fiction fan, the deliberate injection of disinformation reminded me of how Neal Stephenson handled it in the book Fall. Several of the characters used an ‘editing’ service that verified information coming in from the internet, and only that ‘verified’ feed was the one they relied on for information. In effect, this is Zero Trust applied to the internet: we all have to apply Zero Trust to anything we read or see online, as in the LinkedIn example above. I won’t ruin the book, but it also contains good examples of how disinformation can be weaponized, and today there are good examples of that all over.

The takeaway here is that there will always be a human element in cybersecurity, and a Zero Trust framework is no different. Humans can be influenced by disinformation and tricked into actions that affect your security posture, and a Zero Trust Architecture (ZTA) helps mitigate the risk when this inevitably happens.

IT and Security professionals can reduce the impact of human error by implementing as many of the following strategies as possible:

  • Multi-factor authentication (MFA), preventing unauthorized access by hackers who have obtained employee credentials, and notifying users when their password has been compromised or changed without their knowledge.
  • Email content checking and security – preventing clickable links in phishing emails from reaching end users.
  • Outbound traffic firewalling – if an end user is tricked into clicking an unsafe link, prevent that connection from reaching known malware / ransomware sites.
  • Implementing UEBA (User and Endpoint Behavior Analysis) – monitor any activity that deviates from the established baseline, which could indicate that a compromised user account is exfiltrating data or encrypting it as part of a ransomware attack.
  • Configuring microsegmentation using user-based policies – leverage user and group names to ensure users can only access the VMs, data, and applications they are allowed to access.
  • Prevent EUC (i.e. VDI) users from accessing others in the VDI pool: this technique will prevent a compromised end user from attacking or enumerating other EUC users in the same VDI pool, thus limiting the spread of malware.
  • Using PKI, including client certificates, as an immutable way to identify end user network connections.
  • Incident reporting – notify the InfoSec team when anomalous activity occurs, including user behavior, so the damage can be mitigated or minimized.
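As an added example (not Nutanix code), the following Python sketch shows the UEBA baseline idea from the list above: each user's current-window outbound volume and file-write count are scored against that user's own earlier windows, and sharp deviations are flagged as possible exfiltration or encryption. The log records, window size, 10% jitter floor and 3-sigma threshold are constructed assumptions.

```python
"""Toy UEBA baseline check: flag users whose outbound transfer volume or file-write
rate in the current window deviates sharply from their own earlier windows.
Added example; the record format and thresholds are assumptions, not a product API."""
from statistics import mean, pstdev

# Constructed sample records: (user, window, outbound_bytes, files_written)
SAMPLE_LOGS = [
    ("alice", 1, 52_000, 12), ("alice", 2, 48_000, 9), ("alice", 3, 55_000, 14),
    ("alice", 4, 50_000, 11), ("alice", 5, 9_800_000, 13),   # bulk outbound spike
    ("bob", 1, 20_000, 30), ("bob", 2, 22_000, 28), ("bob", 3, 19_000, 33),
    ("bob", 4, 21_000, 31), ("bob", 5, 23_000, 2_400),       # mass file writes
    ("carol", 1, 70_000, 5), ("carol", 2, 72_000, 6), ("carol", 3, 69_000, 4),
    ("carol", 4, 71_000, 5), ("carol", 5, 73_000, 6),        # normal behaviour
]


def zscore(value, history):
    """Standard score of value against the user's own history. The spread is
    floored at 10% of the baseline mean so ordinary jitter is not flagged."""
    base = mean(history)
    spread = max(pstdev(history), 0.1 * base)
    return (value - base) / spread if spread else 0.0


def detect_anomalies(records, current_window, threshold=3.0, min_history=3):
    """Return {user: [reasons]} for users whose current-window activity sits more
    than `threshold` standard deviations above their earlier windows."""
    history, current = {}, {}
    for user, window, out_bytes, writes in records:
        if window == current_window:
            current[user] = (out_bytes, writes)
        elif window < current_window:
            history.setdefault(user, []).append((out_bytes, writes))
    findings = {}
    for user, (out_bytes, writes) in current.items():
        past = history.get(user, [])
        if len(past) < min_history:      # not enough baseline to judge
            continue
        reasons = []
        if zscore(out_bytes, [p[0] for p in past]) > threshold:
            reasons.append("outbound volume spike (possible exfiltration)")
        if zscore(writes, [p[1] for p in past]) > threshold:
            reasons.append("file write burst (possible encryption)")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_anomalies(SAMPLE_LOGS, current_window=5).items():
        print(f"ALERT {user}: {'; '.join(reasons)}")   # hand to the InfoSec team
```

In a real deployment the baseline would be built from the identity provider, proxy and endpoint telemetry rather than a static list, and an alert would feed the incident reporting step above.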

In closing, as Zero Trust frameworks are rolled out, don’t forget to consider human behavior and people’s tendency to trust those they know or do business with. Make sure your framework mitigates the human element of trust wherever possible using the strategies discussed.

© 2024 Nutanix, Inc. All rights reserved.