Want to listen instead?
The Human Element of IT
We recently spoke with Chester Wisniewski, the principal research scientist at Sophos. Chet works with researchers across the globe who are engrossed in the details of emerging cyber threats to provide clients with the larger security picture and, ultimately, a more effective defense. Chet has been involved in the field since he was a network engineer in the 1990s when cyber security barely existed outside of military or governmental entities. In 1995, businesses started waking up to the need for cybersecurity in an interconnected world when The New York Times got hacked, and Kevin Mitnick got arrested. We picked his brain about where and how he gathers information, the value of the human touch in IT, and why coating the moon with peanut butter never works.
The Value of Micro-Communities
Chet stressed the importance of micro-communities to grasp the latest factors impacting cybersecurity. These small networks of researchers are embroiled in the minutiae of distinct threats – whether that is spam, ransomware, or something else. Their focus on the details allows Chet to understand whether threats are escalating, diminishing, or moving in a new direction. Grassroots security conferences in major cities – are another excellent data source. Whether in person or via Twitter, these allow Chet to see threats in real time.
Organizations provided more remote access tools with so many people working from home. Chet has seen a race to lock down those tools for the last two years. In early 2020, there was much abuse of remote desktop, which is built into windows and lets users remotely see their computer. Many organizations enabled that to get employees through the early pandemic. Criminals immediately started stealing passwords and abusing that access to infect networks. Most of the firefighting this past year has been around helping organizations lock down those remote entry points by using tools like multifactor authentication.
The Value of White Hat Hacking
Sophos has two offensive security teams, the largest of which is primarily focused on attacking its own products. The last thing they want is for something they use to protect clients to be turned into a weapon. They have internal and external teams continuously testing products for weaknesses. Another offensive security team looks more broadly at Linux, Windows, containerization, and any direction most organizations are heading to ensure they understand any mistakes or vulnerabilities.
Chet notes that he is less afraid of vulnerabilities than misconfigured pieces or incomplete rollouts. Sophos’s rapid response service evicts criminals from networks under active attack. When they later do a root cause analysis, more often than not, it’s a misconfiguration or a missing patch that permitted access.
The Human Element of IT
That human element of cybersecurity cannot be undervalued. Organizations get overconfident in tools or processes but are of no value if configured incorrectly. One example is a client proud of a $20,000 firewall set up by their previous provider. When Executech’s team checked the server room to determine which model it was, it wasn’t plugged in. It was just sitting on their rack. While that’s an extreme case, minor misconfigurations can lead to problems. Security systems are frequently installed and then disabled by users – not for malicious intent – leading to outdated drivers and patches.
Often, organizational leaders have outdated mindsets because they carry lessons learned in the 90s or 2000s into today. The threat has changed dramatically, so security must adapt. In the past, most attacks were automated, so organizations could rely on antivirus and firewalls to provide 96-97% protection. Experts knew criminals were exploiting Microsoft vulnerabilities; they could count on patches to be released. Today, prevention will be less effective because humans drive the attacks. Because they’re human, they’re creative. They’re tenacious. They’re persistent. They don’t just give up because a firewall says no. They try another way, and they try another way, and they try another way until they find that accidental configuration mistake that lets them in.
Layered IT Security
That’s where layered security comes into play. We don’t just layer because sometimes one layer is more effective than another, which is true, but there’s also the human element. Someone may have misconfigured one of the layers or disabled it temporarily and forgotten about it. Having those extra layers gives clients another opportunity to sound an alarm bell. If you think about security in a bank, there are always multiple ways for alarms to be set off. We’re looking at the very same thing on computer networks. We count on that firewall to do its job, but if it’s misconfigured, we’re hoping anti-spam does its job. If some threat makes it to a laptop, that endpoint security should still be there to raise some alarms.
Since the new threats are human and we can’t rely exclusively on tools, we need humans to counteract the threat. It’s just like a bank where you have a security guard who walks around the building making sure none of the windows are broken, and nobody’s propped a door open while going out for a cigarette. That’s the kind of approach Chet takes to network security: Has an IT employee temporarily propped the door open while doing something and left it open when they went home for the night?
Chet believes machines are a huge help. Artificial intelligence allows them to shrink their footprint and be more efficient at what they’ve been doing all along. Sophos’ lab receives hundreds if not thousands of malicious file samples daily. Machine learning can ingest millions of samples and say, “look at these ten that don’t look like the others,” and those are the ones the human analysts focus on. So the humans and the machines working together are far more successful at providing a high level of protection than either would ever offer alone. Machines are far better at dealing with gigantic volumes of spam and malicious files and attacks; humans can understand the context that they will never be able to teach a machine.
Chet’s Advice – Prioritize IT
Chet notes that the human threat element isn’t going to go away.
“As long as there’s a human element, you need well-trained humans watching for those intrusions. For smaller organizations, it may be unrealistic to have a full-time trained security team… That’s where partners like Executech and service providers like Sophos come into play.”
“We need to understand that we have to prioritize where our resources are going because we’re never going to have enough resources, right? And I think some companies are trying to spread it too thin. I heard somebody say it’s like trying to coat the moon in a layer of peanut butter. It gets so thin that you can’t even tell you’ve done it in the end, and I think we get that way with security. We know patching those exchange servers sitting there facing the internet is a far bigger priority than patching a laptop. If my laptop gets compromised, IT can reimage it, and it probably costs the company about $1000 for that incident. Sure, it’s annoying, and I’m without my computer for a day. My productivity sucks. But, I’m back to where I started. If that exchange server gets hacked, that’s on average $1.4 to $1.5 million per incident…. Unfortunately, I think the mindset is still that many companies are worried about patching their nine laptops, which takes me more time and energy for less benefit. If I have limited resources, I’d focus them on where the threat is, and that’s on your server in your cloud right now.”
For the full interview with Chester Wisniewski, listen to our Between the Bytes podcast and follow @chetwisniewski on Twitter.
Need help with your cybersecurity? Reach out to us!