Intelligent CISO Issue 12 | Page 34

PREDICTIVE INTELLIGENCE

Vulnerability: How your people work

Users’ vulnerability starts with their digital behaviour – how they work and what they click. Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.

Adenike Cosgrove, Cybersecurity Strategy, International, Proofpoint

vulnerabilities.

More than 99% of today’s cyberattacks are human-activated. These attacks rely on a person at the other end to open a weaponised document, click on an unsafe link, type their credentials or even carry out the attacker’s commands directly (such as wiring money or sending sensitive files).

Credential phishing, which tricks users into entering their account credentials into a fake login form, is one of the most dangerous examples. In the cloud era, those credentials are the keys to everything – email, sensitive data, private appointments and trusted relationships.

In the third quarter of 2018, for example, corporate credential phishing attempts quadrupled vs. the year-ago quarter according to Proofpoint’s Quarterly Threat Report Q3 2018, and email fraud rose 77% over the same timeframe.

Time to identify your most attacked users

Just as people are unique, so is their value to cyberattackers and risk to employers. They have distinct digital habits and weak spots. They’re targeted by attackers in diverse ways and with varying intensity. And they have unique professional contacts and privileged access to data on the network and in the cloud. Together, these factors make up a user’s overall risk in what we call the VAP (vulnerability, attacks and privilege) index.

Assessing vulnerability that stems from how people work is mostly straightforward – though it’s not always easy, or even possible, with traditional cyberdefences. It starts with knowing what tools, platforms and apps they use.

The second part of measuring vulnerability is figuring out how susceptible your users are to phishing and other cyberattacks. Short of letting attackers in and seeing who opens a malware file or wires money to an attacker (not ideal for obvious reasons), phishing simulations are the best way to gauge this aspect of vulnerability. Simulated attacks, especially those that mimic real-world techniques, can help identify who’s susceptible and to what tactics.

Someone who opens a simulated phishing email and opens the attachment might be the most vulnerable. A user who ignores it would rank somewhat lower. And users who report the email to the security team or email admin would be deemed the least vulnerable.

All cyberattacks are not created equal

While every attack is potentially harmful, some are more dangerous, targeted or sophisticated than others. Indiscriminate 'commodity' threats might be more numerous than other kinds of threats. But they’re usually less worrisome because they’re well understood and more easily blocked. Other threats might appear in only a handful of attacks. But they can pose a more serious danger because of their sophistication or the people they target.

Rich threat intelligence and timely insight are the keys to quantifying this aspect of user risk. The factors that should weigh most heavily in each user’s assessment include: the cybercriminal’s sophistication, the spread and focus of attacks, the attack type and overall attack volume.

You should also weigh these factors in the context of what departments, groups or divisions the individual user belongs to. For instance, some users might seem not at risk based on the volume or type of malicious email sent to them directly. But they might actually represent a higher risk because they work in a highly attacked department – and are therefore more likely to be a key target in the future.
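As an added illustration (not code from the article, and not Proofpoint's VAP methodology), the Python script below shows one way a security team could turn the three ingredients described above into a per-user ranking: a vulnerability score from simulated-phishing outcomes (opened attachment worst, ignored lower, reported least) plus the work habits the sidebar lists, an attack score that weights each malicious message by actor sophistication, attack type and focus rather than raw volume, and a department-context adjustment so a lightly targeted user in a heavily attacked department is not scored as safe. Every weight, outcome value, field name and the three sample users are assumptions constructed for this example.

```python
"""Toy VAP-style (vulnerability, attacks, privilege) user-risk ranking.

Added example: all weights, outcome values and sample users are constructed
assumptions for illustration, not a vendor's scoring model.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

# Simulated-phishing outcomes ordered as the article describes (assumed values).
SIMULATION_OUTCOME_SCORE = {
    "opened_attachment": 1.0,  # most vulnerable
    "clicked_link": 0.7,
    "ignored": 0.3,            # somewhat lower
    "reported": 0.0,           # least vulnerable
}
# Work-habit exposures from the sidebar (assumed weights, capped at 1.0 in total).
BEHAVIOUR_WEIGHT = {"remote_work": 0.2, "personal_device": 0.4, "cloud_addons": 0.4}
# Attack-type weights (assumed): commodity threats are numerous but well understood.
ATTACK_TYPE_WEIGHT = {"credential_phish": 1.0, "email_fraud": 1.0, "malware": 0.8, "commodity": 0.3}
TARGETED_MULTIPLIER = 1.5   # narrowly focused attacks count more (assumed)
DEPARTMENT_CONTEXT = 0.5    # share of the department's attack level every member inherits (assumed)
VAP_WEIGHTS = (0.4, 0.4, 0.2)  # vulnerability, attacks, privilege (assumed)


@dataclass
class Attack:
    kind: str
    sophistication: int  # 1 (opportunistic) .. 5 (advanced actor)
    targeted: bool       # sent to a handful of people rather than sprayed widely


@dataclass
class User:
    name: str
    department: str
    privilege: float            # 0..1, breadth of access to data and systems
    simulations: List[str]      # outcomes of simulated phishing campaigns
    behaviours: List[str] = field(default_factory=list)
    attacks: List[Attack] = field(default_factory=list)


def vulnerability_score(user: User) -> float:
    """0..1: susceptibility from simulation outcomes (70%) and work habits (30%)."""
    sim = mean(SIMULATION_OUTCOME_SCORE[o] for o in user.simulations) if user.simulations else 0.5
    habits = min(1.0, sum(BEHAVIOUR_WEIGHT[b] for b in user.behaviours))
    return round(0.7 * sim + 0.3 * habits, 3)


def direct_attack_score(user: User) -> float:
    """Sum over messages of sophistication x attack type x focus (volume counts, but weighted)."""
    total = sum(
        (a.sophistication / 5) * ATTACK_TYPE_WEIGHT[a.kind] * (TARGETED_MULTIPLIER if a.targeted else 1.0)
        for a in user.attacks
    )
    return round(total, 3)


def attack_scores(users: List[User]) -> Dict[str, float]:
    """Raise each user's attack score toward the mean level of their department."""
    direct = {u.name: direct_attack_score(u) for u in users}
    by_dept: Dict[str, List[float]] = {}
    for u in users:
        by_dept.setdefault(u.department, []).append(direct[u.name])
    dept_mean = {d: mean(v) for d, v in by_dept.items()}
    return {u.name: round(max(direct[u.name], DEPARTMENT_CONTEXT * dept_mean[u.department]), 3)
            for u in users}


def vap_ranking(users: List[User]) -> List[Tuple[str, float]]:
    """(name, score) pairs, highest risk first; attack scores normalised to the population maximum."""
    attacks = attack_scores(users)
    top = max(attacks.values()) or 1.0
    wv, wa, wp = VAP_WEIGHTS
    scored = [(u.name, round(wv * vulnerability_score(u) + wa * attacks[u.name] / top + wp * u.privilege, 3))
              for u in users]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample population: a finance executive under targeted fraud attempts,
# a finance colleague who is barely attacked directly, and an engineer who receives
# a large volume of low-grade commodity mail.
SAMPLE_USERS = [
    User("alice", "finance", 0.9, ["opened_attachment", "clicked_link"], ["personal_device"],
         [Attack("email_fraud", 4, True)] * 3 + [Attack("commodity", 1, False)] * 2),
    User("bob", "finance", 0.3, ["reported", "reported"], [], [Attack("commodity", 1, False)]),
    User("carol", "engineering", 0.6, ["ignored"], ["remote_work", "cloud_addons"],
         [Attack("commodity", 1, False)] * 10),
]

if __name__ == "__main__":
    for name, score in vap_ranking(SAMPLE_USERS):
        print(f"{name:8s} VAP={score:.3f}  attacks={attack_scores(SAMPLE_USERS)[name]:.3f}")
```

With the constructed data, bob receives a single commodity message and would look unimportant on direct volume alone, yet his attack score is lifted to half the finance department's mean (0.945), above carol's 0.6 from ten commodity messages; the final ranking is alice, carol, bob. The weights are the part a team would tune against its own threat intelligence; the structure (simulation outcome tiers, per-message weighting, department context, privilege) is what the article argues for.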