Pibkac in public sector
The acronym PIBKAC stands for „Problem Is Between Keyboard And Chair“ and describes a natural result of being human. Human error is one of the largest information security challenges today. In heavily networked societies, inter-dependencies increase and organisations open their IT systems to a wide range of machines (computers and mobile phones), which means they lose direct control of data security. As business continuity becomes increasingly dependent on IT, disruption to these core processes can have a major impact on service availability. Criminals and criminal organisations are also aware of these vulnerabilities. Attacks on governments’ and companies’ networks have increased in volume and severity. The motives of cyber criminals vary, from pure financial gain to espionage or terrorism, and it is often easier to attack the human element than the technology. Attacks against the public sector are not rare either, and human error may have even bigger consequences there.
Human error is the biggest threat to any organization’s cyber security. You may have the latest technologies and the strongest firewalls, but your weakest link determines the strength of your security system. In IT, a “system” does not refer only to software: a system consists of software plus the human element. In a security system, the human element is especially important.
Hackers are well aware that the easiest way into an organization’s network is to crack the “human element” rather than the technology. Manipulating staff, or simply watching for the typical mistakes that staff make, is a hacker’s everyday work.
According to the IBM Cyber Security Intelligence Index 2014, over 95 percent of all cyber incidents investigated had “human error” as a contributing factor. The most common human errors include system misconfiguration, poor patch management, use of default usernames and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information through use of an incorrect email address. The most prevalent contributing human error is clicking on an infected attachment or unsafe URL.
The top five industries with the most incidents were finance/insurance, manufacturing, information and communication, retail and wholesale, and health and social services. The reason is rather obvious: since hackers are most often after money, these industries are the most attractive targets for phishing, e.g. for credit card details.
The most common motivations behind cyberattacks are cybercrime, cyber hacktivism, cyber espionage, and cyber warfare. While cyber crime’s main motivation is money, hacktivism, espionage and cyber warfare are more politically motivated.
According to a CompTIA survey, the biggest sources of human error are failure to follow general policies and procedures (42 percent), general carelessness (42 percent) and failure to get up to speed with new threats (31 percent). One of the leading human errors is sending sensitive documents to unintended recipients. Other security mistakes by workers involve taking sensitive documents outside of the organization, e.g. sending documents home via email, placing them on file-sharing sites or on removable media (e.g. a USB stick). The rising trend of using personal devices also for work creates several security risks. Firstly, connecting personal devices to the organization’s network creates a risk of spreading malware. Secondly, lost, stolen or unattended devices are a major problem for security, since they may store sensitive information and documents and they open up access to many of the owner’s accounts.
Another typical weak point of users is careless password management. Using default passwords, sharing passwords with others, sticking passwords on post-it notes on the computer display, or using passwords that are too simple or the same everywhere are common mistakes made by users.
Not only are simple mistakes by workers a huge security risk for an organization: 78% of successful data breaches in 2014 involved social engineering. Manipulating and scamming people into clicking infected URLs or downloading infected files and/or software is still very popular among hackers, probably because hackers know that cracking people is much easier than cracking technology. Hackers know where the weakest link in a system is. The good news is that this trend seems to be decreasing: in 2013 the figure for successful social engineering incidents was 95%. This is not because hackers are getting tired of it, but hopefully because people are becoming more aware and are less likely to fall into the trap.
Hacking into websites that certain target groups use is also an often-used way to get malware into an organization’s network.
Since nearly one million new threats are released every day, it is harder and harder for organizations to keep up. And even organizations with strong security practices remain vulnerable to human error.
Human error in public sector
Even though cyber attacks against the public sector make up only nearly 30% of all cyber attacks (as of March 2015), this does not mean that the problem is smaller or less important. Data breaches in the public sector may have even bigger consequences.
Firstly, governments store and process very sensitive data about citizens, so it is very important that this data is protected. A large-scale data breach that includes personal information about public officials and/or citizens leads to a huge PR scandal.
Secondly, data breaches are costly. Each leaked data record can cost a public institution $100 on average.
Thirdly, in the public sector public services are at stake. Everything from power and water to critical infrastructure needs to be functioning and well protected. Attacks are getting more sophisticated and targeted, and hackers are looking for everything that keeps the national infrastructure functioning.
The motivation behind cyberattacks in the public sector is different. Whereas in the private sector the motivation of hackers is most often money (directly or indirectly), in the public sector it is usually political. Hackers (or those who commission the attack) are often driven by the expression of a political view or statement, espionage, the wish to cause damage (e.g. to critical infrastructure) and/or economic loss.
Security mistakes made by public sector workers are more or less the same as in other industries. According to Verizon research, 34% of security incidents in the public sector can be categorized as human error, compared to 25% in all other industries together. These activities include posting private data to public sites, sending information to the wrong recipient, and failing to dispose of assets securely. 19% of incidents involved lost or stolen devices.
The US federal network is one of the most popular targets: there were nearly 47,000 breaches of the federal network, and US-CERT responded to a total of 228,700 cyber incidents involving federal agencies, companies that run critical infrastructure and contract partners. Particularly in the US, nearly half of the attacks against federal networks have succeeded due to human error. “For example, about 21% of all federal breaches were traced to government workers who violated policies; 16% who lost devices or had them stolen; 12% who improperly handled sensitive information printed from computers; at least 8% who ran or installed malicious software; and 6% who were enticed to share private information, according to an annual White House review.”
Since attacks are getting more sophisticated and targeted, it is more and more important to invest in cyber security. As well as investing in high-security technology, it is just as important to invest in workers’ awareness and training. The weakest link determines the strength of the chain, and hackers are currently well aware of the weakest link and are putting much effort into breaking it, unfortunately quite successfully.
"It has emerged that passport numbers, dates of birth and visa class details of 31 G20 leaders were emailed in error to the organisers of the Asian Cup in Australia by an employee at the Australian Department of Immigration." The data was leaked through human error: the person did not check the result of the e-mail client’s automatic address autofill before sending the e-mail. The information also included the sensitive data of the president of the United States Barack Obama, UK prime minister David Cameron and German chancellor Angela Merkel. At first Australia did not communicate that the data had been leaked. It is said that the leaked data was deleted from the recipient’s e-mail as soon as they noticed, and that it was not stored on any backup or server, to prevent the information from spreading further.
Unclassified information, such as President Obama’s real-time schedule, was accessed, probably by a group of Russian hackers. It is said that no classified information was accessed. Human error was the weakest link in this case, as the attackers were using phishing e-mails; if the staff had been educated enough in cyber security, the attack might have been prevented. Yuval Ben-Itzhak, chief technology officer at antivirus firm AVG, has said: "You can implement the best technologies available but if an authorised person is making the wrong decisions and letting someone in - as happens in a phishing attack like this one - the technology can break down very easily".
In June 2014 the personal information of more than 35,000 students was leaked at the Riverside Community College District (RCCD) in California, including names, birth dates and Social Security numbers. The mistake was again caused by human error: an employee of the college was trying to send the information to a sick colleague staying at home and mistyped the e-mail address, which caused the breach. Students whose information had been leaked were offered one year of free credit monitoring, and the college was said to be undergoing changes to prevent future breaches like this from happening.
The office of Texas Attorney General Greg Abbott mistakenly gave out the Social Security numbers of more than 6.5 million voters. Access to the database was given to attorneys in the belief that only the last four digits would be visible. Unfortunately this was not the case and the full numbers were exposed.
Organizations can reduce the risks to their work by building up capabilities in the following critical areas:
- Eliminating strategies. Eliminating those procedures and strategies that make it possible for system users to make an error. For instance, the organization could use automatic safeguards such as cryptography, password management, identity and access management and strong authentication solutions, network access rules, and automatic standby locks.
- Prevention and education. Prevention is about installing fundamental measures, including placing responsibility for dealing with cyber crime within the organization (for example by appointing a Chief Information Security Officer, CISO) and developing awareness training for key staff. It also means using prevention strategies to support whoever is responsible (like the CISO mentioned above) for the correct execution of tasks, such as making checklists, creating awareness campaigns, procedures, disciplinary measures, litigation threats, training and retraining. Organisations can significantly decrease the cost of data breaches by teaching staff not to cut corners and by training people on how to handle confidential and sensitive data; this is a big and perhaps the most important component in preventing and reducing data breaches. An organisation can do this in two ways: through general security awareness training and by deploying technology such as data loss prevention. The latter can also be classed as employee education, just done in real time: it is not about blocking data from moving somewhere, it is about educating and training the employees.
- Mitigation strategies. Using a reduction strategy to mitigate the consequences of mistakes by making sure detection mechanisms and measurements are in place to correct situations before they become an incident. Examples include audits, internal controls, breach detection solutions, system monitoring and surveillance.
- Use data loss prevention technology to find confidential and sensitive data, and protect it from leaving the organization.
- Deploy encryption and strong authentication solutions.
- Detection. By observing critical events and incidents, an organization can strengthen its technological detection and prevention measures. Observation and data mining together form a powerful tool for detecting strange patterns in data traffic, for finding where attacks focus, and for monitoring system performance and potential vulnerabilities.
- Response and recovery. A response and recovery strategy means activating a well-rehearsed response and recovery plan as soon as evidence of a possible attack appears. When an attack occurs, the organization should be able to immediately deactivate all affected technology. When developing a response and recovery plan, an organization should treat cyber security as a continuous process and not as a one-off solution. The incident response plan should also include proper steps for customer notification.
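The misdirected e-mails (the G20 and RCCD cases) and the Texas voter database are all incidents where a simple technical guard would have caught the error before the data left. The following is an added example, not code from the article or from any of its sources, of an outbound e-mail check that combines the recipient confirmation and the data loss prevention masking the strategy list asks for. The mail domain, the addresses, the records and the policy rules are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed policy for the example: the agency's own mail domain(s).
INTERNAL_DOMAINS = {"immi.example.gov"}

# US Social Security number in 123-45-6789 or 123456789 form. The word
# boundaries stop it firing inside longer digit runs such as phone numbers.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def mask_ssn(text: str) -> str:
    """Replace every SSN-shaped token with XXX-XX-<last four digits>."""
    return SSN_RE.sub(lambda m: f"XXX-XX-{m.group(3)}", text)


def external_recipients(recipients: List[str]) -> List[str]:
    """Return the recipients whose domain is not on the internal allow-list."""
    return [addr for addr in recipients
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


@dataclass
class Verdict:
    allowed: bool                      # may the message leave the outbox?
    reasons: List[str] = field(default_factory=list)
    body: str = ""                     # body as it would actually be sent


def check_outbound(recipients: List[str], body: str,
                   external_confirmed: bool = False) -> Verdict:
    """Policy assumed for the example:
    1. any external recipient must be explicitly confirmed by the sender
       (catches an autofilled or mistyped address before it is too late);
    2. regulated identifiers are never sent in full to an external address;
       they are masked to the last four digits and the sender is told why.
    """
    ext = external_recipients(recipients)
    if ext and not external_confirmed:
        return Verdict(False, [f"unconfirmed external recipient(s): {', '.join(ext)}"], body)
    out, reasons = body, []
    if ext and SSN_RE.search(body):
        n = len(SSN_RE.findall(body))
        out = mask_ssn(body)
        reasons.append(f"masked {n} SSN(s) for external delivery")
    return Verdict(True, reasons, out)


if __name__ == "__main__":
    # Constructed sample: an export meant for a colleague, but autofill picked
    # an outside address that starts with the same letters.
    body = "Voter 1: 123-45-6789\nVoter 2: 987654321\nCase ref 20150415"
    for to in (["colleague@immi.example.gov"], ["colleague@asiancup.example.org"]):
        v = check_outbound(to, body)
        print(to, "->", "SEND" if v.allowed else "HOLD", v.reasons)
    v = check_outbound(["colleague@asiancup.example.org"], body, external_confirmed=True)
    print(v.body)   # full numbers never leave; only the last four digits remain
```

The masking step is the "only the last four digits are visible" behaviour the Texas office believed it had; the confirmation step is the pause the Australian and RCCD senders never got.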
In addition to the education mentioned above, it may also help to develop so-called “Helpful Programs.” The aviation and healthcare industries favor a “holistic error prevention approach” that transforms the conditions in the organization, environments and systems in which people work. These systemic and socio-technical strategies could be of great benefit to information security. For instance, Crew Resource Management (CRM) is a learning program developed for airline crews to train how to manage and behave during an accident or incident. CRM training encompasses communication, situational awareness, problem-solving, decision-making, and teamwork. Using CRM in healthcare and aviation has been proven to significantly reduce human errors. The same CRM approach can also be used in IT, and when applying it, it is important to recognize that your people are your strongest links in times of crisis. Security incidents and events will happen, and people should be trained to understand, recognize and contain them. Rehearsing possible conflict scenarios with your team and taking the time to think through other risks will prepare the team for possible scenarios. In the case of an ongoing cyber attack or data breach, your people will be prepared to make the best use of equipment and procedures and to support other team members.
Decades’ worth of data from aviation incident reporting systems has been used to redesign aircraft, air traffic control systems, airports and pilot training. IT security specialists should likewise keep examining security incidents and near misses. Without such analysis and research, there is no way to uncover recurring mistakes and human errors. Inquiries should cover the people involved, the team, the workplace, the organization, third parties and the IT and communications technology systems. The essential issue is not to find out who made a mistake, but why and how the incident occurred. As Georges Canguilhem said, “To err is human, to persist in error is diabolical.”
Distractions, fatigue, workload, poor environmental conditions, and poor system and process design also influence the number of medical errors. These elements should be included in information security risk assessments as well. For instance, overworked staff members are more likely to deviate from the expected security behavior.
Finally, leadership and effective management are essential to change the conditions in which you work. Local “leaders and champions” such as security officers, auditors, data protection officers, compliance officers, crisis managers and quality managers can motivate others, but significant changes towards a secure and resilient organization require technological investment, direction and support from managers who demonstrate their commitment to information security.
A mixture of strategies and action plans may help to prevent human errors and mistakes from turning into security incidents. Successes in human error reduction in aviation give hope, while studies of medical errors provide valuable insight. Information security can improve significantly when you keep learning from other sectors and collaborate to share knowledge.
As mentioned above, according to the IBM Cyber Security Intelligence Index 2014, over 95 percent of all cyber incidents investigated had “human error” as a contributing factor. The most common human errors include:
- system misconfiguration;
- poor patch management;
- use of default usernames and passwords or easy-to-guess passwords;
- sharing passwords with others;
- leaving computers unattended when outside the workplace;
- lost laptops or mobile devices;
- using personally owned mobile devices that connect to the organization’s network;
- disclosure of regulated information via the use of an incorrect email address;
- and finally, the most prevalent contributing human error: clicking on an infected attachment or unsafe URL.
Human error can appear in both the private and the public sector. Whereas in the private sector the motivation of hackers is most often money, in the public sector it is rather political. Hackers are often driven by the expression of a political view or statement, espionage, the wish to cause damage and/or economic loss. There are several case studies related to human error in the public sector, where incidents happened because of human mistakes or because hackers took advantage of possible human errors to attack different public sector organisations. The consequences of public sector breaches and attacks can be quite big, because governments store and process very sensitive data, data breaches are costly and public services and infrastructure may be at stake.
After all, organisations can reduce the risk of human error threatening their security by eliminating procedures that make it possible for system users to make an error. Organisations should also use prevention, education and mitigation strategies to raise awareness of possible human errors. Confidential and sensitive data should be processed very carefully and strong authentication solutions should be introduced. Even when prevention is well thought out, it is also important to have a response and recovery plan so that a possible attack can be contained with as little damage as possible.
Making errors is what makes us human, and those mistakes can never be 100% prevented. Human error, or so-called “PIBKAC”, is therefore an inevitable part of every organisation’s security, and it is important to be aware of this in order to prevent it and to quickly recover from attacks.
How to Reduce Human Error in Information Security Incidents by Nicole van Deursen: http://securityintelligence.com/how-to-reduce-human-error-in-information-security-incidents/#.VUZUpfmqoSV
Most Data Breaches Caused by Human Error, System Glitches by Thor Olavsrud: http://www.cio.com/article/2384855/compliance/most-data-breaches-caused-by-human-error--system-glitches.html
How Businesses Can Protect Themselves From a Data Breach by Christopher Burgess: http://securityintelligence.com/how-businesses-can-protect-themselves-from-a-data-breach/#.VUdrgvmqoSU
To Err Is Human: Why Your Users’ Identity Is Your Security’s Weakest Link by Veronica Shelley: http://securityintelligence.com/to-err-is-human-why-your-users-identity-is-your-securitys-weakest-link/#.VUeLS_mqoSU
Cybersecurity Awareness Is About Both ‘Knowing’ and ‘Doing’ by Joanne Martin: http://securityintelligence.com/cybersecurity-awareness-is-about-both-knowing-and-doing/#.VUeLUfmqoSU
The Role of Human Error in Successful Security Attacks by Fran Howarth: http://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/#.VUeLVfmqoSU
Cybercrime fighters target human error by Erika Check Hayden: http://www.nature.com/news/cybercrime-fighters-target-human-error-1.16933
Human Error Accounts for Over 95 Percent of Security Incidents, Reports IBM by Thu Pham: https://www.duosecurity.com/blog/human-error-accounts-for-over-95-percent-of-security-incidents-reports-ibm
“Come Steal Our Data!” How Passwords Alone Make Your Business Vulnerable to Cybercriminals by Steve Fawcett: https://www.duosecurity.com/blog/come-steal-our-data-how-passwords-alone-make-your-business-vulnerable-to-cybercriminals
The human factor and information security by Konstantin Sapronov: https://securelist.com/analysis/36067/the-human-factor-and-information-security/