Issue: Global-ICT 2015
Article no.: 7
Topic: Untrained IT users: Who they are might surprise you
Author: Drew Morin
Title: SVP, Head of Cyber Intelligence business unit
Organisation: TeleCommunication Systems, Inc. (TCS)
About author
Drew Morin, Senior Vice President and Chief Technology Officer
Senior Vice President and Chief Technology Officer Drew Morin is responsible for the technical direction, coordination and development activities across TeleCommunication Systems’ (TCS’) business units. A co-founder of TCS, he has been involved in its successful startup through rapid growth and an initial public offering. He also leads the company’s Cyber Intelligence Group and corporate information systems. Mr. Morin joined TCS in 1988.
Mr. Morin has over 30 years’ experience in the analysis, design, development and implementation of integrated voice/data/video communication systems for applications in both the government and commercial sectors. At TCS, he facilitates and supports innovation and product development, enabling the cross-utilization of the company’s portfolio of technologies across all business units. Mr. Morin serves as a driving force behind the development of Intellectual Property for TeleCommunication Systems, establishing a vibrant patent generation program that has resulted in the allowance of over 400 patents to the company and the generation of another 400 pending award. In addition, he oversees the implementation of a documented common methodology for TCS’ software product development. This process serves as the basis for TCS’ ongoing certification initiatives, such as ISO 9001:2008, ISO 27001:2005 and TL 9000.
Prior to TCS, Mr. Morin was a communications systems engineer for BDM Corporation where he designed, developed and implemented next-generation systems, including a tactical wireless data communications network and one of the first secure local-area networks. Presently, he is a member of CTIA’s Cybersecurity Working Group, which addresses cybersecurity practices and collaborates with government and industry, facilitating innovation and cooperation on advanced countermeasures to evolving threats. He serves on several FCC advisory boards, including as a co-chair of the Cyber Security, Resilience Industry Council V Working Group 7, Workforce Development and as a member of the Task Force on Optimal PSAP Architecture (TFOPA). He also serves on the World Trade Center Advisory Board. Moreover, Mr. Morin has been a featured session speaker at several industry events, including CTIA-The Wireless Industry Association, The Association of Public-Safety Communications Officials International (APCO), US Air Force Space Symposium, Department of Homeland Security Strategic Industry Conversation and the International Association of Privacy Professionals (IAPP). Mr. Morin earned a Bachelor of Science degree in systems engineering from the University of Virginia and a Master of Science degree in systems engineering from George Mason University. He holds 8 patents with another 21 pending.
Article abstract
Executives set the tone within an organization; their buy-in is evident by the cybersecurity policies they implement and in the manner in which those policies are enforced. IT managers receive guidance from upper management, and require executive-level support to make cybersecurity policies work. Executives must understand that cybersecurity is not just a requirements checklist; cybersecurity means managing cyber risks to an acceptable level. An uninformed executive can cause as much, if not more, damage than an untrained IT manager, IT staffer, or end user. Facing constant pressure to deliver improvements in financial results, executive-level decision makers may dismiss cybersecurity best practices as too cumbersome or as an impediment to processes that are running smoothly. This mistake can be extremely costly to the organization.
Full Article
The story is becoming all too frequent: an organization uncovers a cybersecurity breach and initiates a comprehensive investigation. Only then does it become apparent that the breach is really the result of a systemic breakdown in people and processes, as opposed to a single point of failure in technology. While you may have heard the sensationalized stories about “zero day” attacks that exploit newly discovered vulnerabilities in software or hardware products, a cybersecurity breach more often occurs because of an untrained user.
Spear phishing – targeted phishing attacks – have an 80% chance of being viewed, and 50% of users still click through links in these emails. While this near-guaranteed success rate is alarming, it is only the first step in a progression toward escalating privileges to gain broader and deeper access. This progression takes time and leaves evidence that can be detected by an appropriately trained cyber professional using the sophisticated tools available to network defenders today. While the end user might be the initial source of a network intrusion, introducing malicious code through negligence or just plain ignorance, the damage of a security breach can be compounded by untrained users in various roles throughout an organization.
A recent study, co-published by ISACA and RSA in early 2015, found that less than half of those surveyed felt their organization’s security teams could respond to anything beyond “simple” cybersecurity incidents. The study further showed that more than 40% of the companies surveyed experienced some form of “non-malicious insider” security breach. These figures are as surprising as they are unnecessary; there are whole programs and frameworks designed to educate cybersecurity staff and spread cyber awareness to system end users.
What these survey results reveal is that the definition of “untrained user” covers more than an under-skilled end user. In recent years, we at TeleCommunication Systems have joined the forward-thinking companies that have expanded the concept of the untrained user to include employees from all strata of the organization. In addition to a typical end user who clicks on a phishing email, our definition includes an IT or cybersecurity professional with out-of-date credentials or the wrong skillset, and a C-level executive who makes system-wide decisions based on inadequate or faulty data. Each of these user profiles is unique. Each one has different levels of system access and responsibility. Most importantly, each one can do far different types of damage to an information network.
Untrained executives
As a result of the growth in cybersecurity breaches, boards of directors are becoming more involved in risk management. They are requiring that company executives oversee and review all cybersecurity programs. A strong cybersecurity program protects organizational assets, reputation, and credibility. Critical business operations such as e-commerce, logistical operations, financial operations, and others are increasingly interconnected and exposed to the outside world.
Executives set the tone within an organization; their buy-in is evident by the cybersecurity policies they implement and in the manner in which those policies are enforced. IT managers receive guidance from upper management, and require executive-level support to make cybersecurity policies work. Executives must understand that cybersecurity is not just a requirements checklist; cybersecurity means managing cyber risks to an acceptable level. An uninformed executive can cause as much, if not more, damage than an untrained IT manager, IT staffer, or end user. Facing constant pressure to deliver improvements in financial results, executive-level decision makers may dismiss cybersecurity best practices as too cumbersome or as an impediment to processes that are running smoothly. This mistake can be extremely costly to the organization.
U.S. Executive Order (EO) 13636, “Improving Critical Infrastructure” (Whitehouse.gov, 2013) maintains that the cybersecurity threat is here, it is real, and it can have catastrophic consequences for critical infrastructure. Executives in all organizations can reduce cybersecurity vulnerabilities in the following ways: by placing greater importance on the integrity and protection of network data; by establishing informed and responsive cybersecurity policy that reflects mission realities and marketplace threats; and through organization-wide communication and education on cybersecurity expectations. Overseas executives—particularly those who wish to do business with U.S. corporations—should familiarize themselves with this EO, and with the authoritative guidance provided by cybersecurity entities, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and its National Initiative for Cybersecurity Education (NICE). These provide high-level cybersecurity risk mitigation strategies and training recommendations.
Untrained IT staff
While the concept of untrained IT staff appears counter-intuitive, cybersecurity knowledge and skills atrophy over time. Today’s IT managers and their supporting staff—particularly cybersecurity first responders—are overwhelmed with vast amounts of data. The data includes Intrusion Detection System alerts, spam email, phishing attempts, new patching requirements, trouble reports from users, and more. Overwhelmed by the sheer volume of data, an untrained IT staff member can have difficulty discerning when an attack is happening and fail to determine the best course of action.
In the CIO Journal, Deloitte Financial Advisory Services LLP points out that untrained cybersecurity first responders often make routine mistakes when responding to cyber-incidents. For example, many first responders, upon detecting a possible attack, often rush to identify, contain, and remediate the extent of the damage. Their haste, however, can compromise critical evidence that determines exactly how (and/or when) the attack occurred. Data compromise can even prevent authorities from having available the evidence they need to prosecute criminals.
Competing priorities between staff members (i.e., those between first responders and forensic personnel) can adversely affect the reaction and response to an incident. First responders are anxious to remove the problem, while not giving the forensic team enough time and information to fully evaluate the issue. This creates an environment in which problems have a higher probability of resurfacing, because the root cause of the incident is never revealed and/or remediated.
Robert Spitler, a specialist master with Deloitte, recommends that organizations develop clear incident response plans that designate who has the authority to take decisive actions. The plans should also specify who will collect evidence, to reduce the risk of data loss (Spitler, 2014). Response plans help first responders stop issues from propagating further into the network, while allowing a forensics team to evaluate evidence and reduce the chance of repeat occurrences.
Untrained end-users
Constant attacks are prevalent on nearly every network. Untrained end-users present the largest attack surface for would-be hackers, and as a result they are the most frequent target of those with malicious intent. Attackers understand that untrained users are susceptible to attacks that seem legitimate, enticing, or entertaining. A common attack that targets untrained users is phishing. Phishing is a criminal activity designed to gain personal identity information or other credentials in order to carry out an attack for the financial gain of the attacker. According to the Anti-Phishing Working Group (APWG), in the first quarter of 2014 the second highest number of phishing attacks ever was recorded, with over 125,000 phishing sites detected (APWG, 2014).
End user training applies to everyone in an organization. The training must be supported at the Executive level; it must be routine and meaningful. No one can be exempt, because threats evolve daily and training quickly becomes outdated. Users must be aware that they should not open emails from unknown sources. They should also be alert to hyperlinks and attachments that appear to be legitimate. These links can be cleverly disguised “tricks” that execute malware or direct them to malicious sites.
IT managers should conduct routine user assessments. Phishing emails, generated from within the IT department, can measure how users respond to potential threats. These emails can identify how many personnel executed what could have been an attempt to compromise the network.
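The routine assessment described above produces little value unless the results are measured consistently. The following is an added example, not code from the article or from TCS, that scores an internal phishing assessment from a constructed event log: it reports view, click and report rates (directly comparable to the 80% viewed / 50% clicked figures cited earlier), median time from delivery to click, and the users who should be enrolled in follow-up training. The log format and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events from an internal phishing assessment (not real data).
# Each line: timestamp,user,event  where event is sent|opened|clicked|reported
SAMPLE_EVENTS = """\
2015-03-02T09:00:00,alice,sent
2015-03-02T09:00:00,bob,sent
2015-03-02T09:00:00,carol,sent
2015-03-02T09:00:00,dave,sent
2015-03-02T09:00:00,erin,sent
2015-03-02T09:05:12,alice,opened
2015-03-02T09:06:40,alice,clicked
2015-03-02T09:10:03,bob,opened
2015-03-02T09:10:45,bob,reported
2015-03-02T09:31:00,carol,opened
2015-03-02T09:32:30,carol,clicked
2015-03-02T10:02:00,dave,opened
"""

VALID_EVENTS = {"sent", "opened", "clicked", "reported"}

def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3 or parts[2] not in VALID_EVENTS:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def assess(events):
    """Compute campaign metrics and the list of users who clicked and need retraining."""
    first = defaultdict(dict)  # user -> event -> first timestamp at which it was seen
    for ts, user, event in events:
        first[user].setdefault(event, ts)
    targeted = [u for u in first if "sent" in first[u]]
    n = len(targeted)
    opened = [u for u in targeted if "opened" in first[u]]
    clicked = [u for u in targeted if "clicked" in first[u]]
    reported = [u for u in targeted if "reported" in first[u]]
    # Seconds from delivery to first click, for users who clicked
    dwell = [(first[u]["clicked"] - first[u]["sent"]).total_seconds() for u in clicked]
    return {
        "targeted": n,
        "view_rate": len(opened) / n if n else 0.0,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "median_seconds_to_click": median(dwell) if dwell else None,
        "retrain": sorted(clicked),
    }
```

Tracking the report rate alongside the click rate shows whether training is changing behaviour, not just whether users are still clicking.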
Another measure that reduces the chances of compromise is two-factor authentication. Even if users are hooked in a phishing scam—one wherein their username and password are compromised—a second authentication method (e.g., a personal identification number, biometric tool, or token) greatly reduces the chances the phishing attempt will penetrate network security controls.
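To show concretely why a phished password alone is not enough under two-factor authentication, the following added example (not code from the article or from TCS) implements a standard time-based one-time password check (RFC 6238, HMAC-SHA1, 30-second steps) and a login routine that requires both factors. The user table, password and secret are constructed demo values; a real system would store a salted password hash.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account (assumption). The TOTP secret is the RFC 6238 test-vector key.
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",
    },
}

def totp(secret, counter, digits=6):
    """RFC 6238 one-time password for a given 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret, code, now, window=1):
    """Accept the code for the current step or one step either side, to tolerate clock drift."""
    step = int(now // 30)
    return any(
        hmac.compare_digest(totp(secret, step + d).encode(), code.encode())
        for d in range(-window, window + 1)
    )

def login(username, password, code, now=None):
    """Both factors must pass; a stolen password with no valid code is refused."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return "denied: bad credentials"
    if not code or not verify_totp(user["totp_secret"], code, now):
        return "denied: second factor failed"
    return "granted"
```

Because the one-time code is derived from a secret the phishing page never sees and expires within a minute, the captured password is of little use on its own.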
There are many articles, “horror stories” and just plain scare tactics concerning the cybersecurity threats to enterprises today. Organizations can live in a state of denial–which is definitely not ideal in this instance–or they can prepare for the inevitable. The best starting point to handle the potential for fear is to combat it with knowledge. There are many sources for cybersecurity workforce development. A comprehensive training plan should address at a minimum the three constituents we have discussed in this article:
– End-User Awareness that addresses the basics of cyber hygiene
– Cybersecurity practitioner training that includes general skillset development, followed by role-specific, in-depth training
– Cybersecurity management training that clarifies policy requirements and cybersecurity plan implementation
Other valuable resources for cybersecurity training and implementation are the NIST Cybersecurity Framework and the NICE cybersecurity education and workforce development framework. These provide flexible guidance that organizations can adapt to their specific needs.
TCS has partnered with ISACA® to develop the Cybersecurity Nexus (CSX) suite of cyber certifications to address each level of corporate cybersecurity expertise: from Practitioner to Expert. This certification was specifically engineered to incorporate every facet of the NIST/NICE Framework; it is a tool that organizations can use to bolster their cybersecurity readiness, and to ensure their personnel do not become “untrained users.”