The document discusses how human error is a major cause of security incidents, accounting for 95% according to IBM. Examples are given of incidents caused by expired certificates, unencrypted emails to the wrong recipient, and phishing emails. Two case studies are described in more detail: a lottery rigging scheme by an IT director that lasted 10 years due to a lack of oversight, and a company security breach enabled by an unconfigured firewall and employee clicking a phishing link. The document advocates for education, separation of duties, documented procedures and infrastructure protection to help address the problem of human error in security.
Case Study: The Role of Human Error in Information Security
1. The Role of Human Error in Information Security
2. The Human Factor in Information Security
• Security Incident
• Configuration Error
• Social Engineering
• Information Leakage
• Phishing
According to IBM’s Cybersecurity Intelligence Index, 95% of all security incidents involve human error. According to Securis, 25% of data breaches were human-error related.
3. Human Error Root Causes
Humans who hack humans
Unwitting Victims
Honest Mistakes
4. Incident Management & Disaster Recovery
Event Detection → Event Reporting → Incident Classification → Incident Triage → Lessons Learned
According to NIST Special Publication 800-61, Rev. 2, “one of the most important parts of incident response is also the most often omitted: learning and improving”.
5. Well-known Examples
• Equifax – expired certificates delayed breach detection
• Ericsson – expired certificates contributed to a mobile services outage
• LinkedIn – expired certificates led to an outage
• Marine Corps – unencrypted email with attachments sent to an incorrect recipient
• Multiple cities – fell prey to ransomware phishing emails
9. Hot Lotto Scandal
https://en.wikipedia.org/wiki/Hot_Lotto_fraud_scandal
• A US-based multi-state lottery game called Hot Lotto was rigged to the tune of $14.3 million USD (probably more) in prize money.
• Eddie Tipton was the Information Security Director for the organization that oversaw the draw and its security.
• Eddie had access to all of the details about how the lottery systems worked in multiple states.
• Eddie had physical access to all of the lottery data centres in question.
• I worked for a main lottery supplier at the time and was consulted on the case.
10. Hot Lotto Scandal - How was it detected?
Eddie got greedy:
• He was banned from playing any lottery games as a condition of his job
• He had played a few times through surrogates and shared the prize money secretly
• He decided to play himself in his home town and then tried to cash in his ticket in his home town (where he was caught on store surveillance cameras)
• One of his surrogates tried repeatedly (unsuccessfully) to cash in a big prize anonymously
11. Hot Lotto Scandal - Root Cause and Lessons Learned
Eddie had access to detailed lottery operations information
Eddie had unrestricted physical access
Eddie had little to no oversight (trusted role)
Eddie had been doing this for 10 years
Eddie got 25 years and the Hot Lotto game was discontinued
12. Hot Lotto Scandal - Root Cause and Lessons Learned
Lesson here:
Always apply the “Four Eyes” Principle and Segregation of Duties.
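One way to make the “Four Eyes” principle and segregation of duties enforceable in a change-approval workflow, added here as an example and not part of the presentation or the lottery operator’s systems; the role table, the change identifier and the names are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed example data: who holds which role. No one may approve their own
# change, and no approver may share the requester's role.
ROLES: Dict[str, str] = {
    "sec_director": "security",
    "sec_analyst": "security",
    "ops_manager": "operations",
    "internal_auditor": "audit",
}
REQUIRED_APPROVALS = 2  # "four eyes": two independent approvers besides the requester

class ApprovalError(Exception):
    pass

@dataclass
class PrivilegedChange:
    change_id: str
    requester: str
    approvers: Set[str] = field(default_factory=set)

def approve(change: PrivilegedChange, approver: str) -> int:
    """Record an approval after the four-eyes and segregation checks; return the count."""
    if approver == change.requester:
        raise ApprovalError("self-approval is not allowed")
    if ROLES.get(approver) == ROLES.get(change.requester):
        raise ApprovalError("approver must hold a different role than the requester")
    if approver in change.approvers:
        raise ApprovalError("duplicate approval by the same person")
    change.approvers.add(approver)
    return len(change.approvers)

def execute(change: PrivilegedChange) -> bool:
    """Allow the change to run only once enough independent approvals exist."""
    if len(change.approvers) < REQUIRED_APPROVALS:
        raise ApprovalError("not enough independent approvals")
    return True

def run_scenario() -> dict:
    """Constructed scenario: a security director tries to push a change alone."""
    change = PrivilegedChange("CHG-42", "sec_director")
    blocked = []
    for attempt in ("sec_director", "sec_analyst", None):  # self, same team, then run
        try:
            execute(change) if attempt is None else approve(change, attempt)
        except ApprovalError as err:
            blocked.append(str(err))
    approve(change, "ops_manager")       # operations signs off
    approve(change, "internal_auditor")  # audit signs off
    return {"blocked": blocked, "approvals": len(change.approvers), "executed": execute(change)}
```

The scenario shows the three ways a single trusted insider is stopped: self-approval, a same-team approval, and running the change with no sign-off all raise before two people from other roles approve it.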
13. Company X - Up & Coming Manufacturer
I was called on a Tuesday afternoon by a customer, Company X, to help with a security incident:
• Phishing emails were going out to Company X email contacts from Company X email addresses
• A few Company X laptops were reporting viruses
• Company X was growing very quickly from a small start-up in a hot sector into a large company with international clientele
14. Company X – Triage
Hacker was resident in the LAN
Email breach was only one issue
Personal Health Information was at risk as well
Firewall showed activity from China and Russia
15. Company X – Root Cause
Employee was found to have accessed a link in a phishing email AND a firewall rule had been left misconfigured, thereby allowing access from the outside.
16. Company X – Lessons Learned
• Company X took immediate steps to shut down the current breach
• Company X hired an outside security consultant to develop a complete security program based on a Threat Risk Assessment, Privacy Impact Assessment and vulnerability and penetration testing
• Company X implemented recommendations including a complete ISMS, addressing non-secure infrastructure designs, staff education, and documented IT procedures
17. Company Y – The Helpful Admin Assistant
18. Company Y – The Helpful Admin Assistant
The Setup
CEO Admin Assistant receives email from “the CEO” asking her to buy some iTunes cards
The Followup
Admin Assistant responds to email and agrees to purchase them on her personal credit card
The Result
Admin Assistant was stopped before she could send the card codes
19. Company Y – Root Cause & Lessons Learned
• Company Y had an IT Department and an Information Security Manager
• Company Y had done some security awareness emails to staff
• Admin Assistant had never seen an email like the one she received nor had she been warned about them
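A mail-filter check for the pattern in the Company Y case (an executive’s display name on an outside address, a gift-card request, pressure to act quietly), added here as an example and not part of the presentation; the corporate domain, the executive name and both sample messages are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumptions (constructed for this example): the company's mail domain and the
# display names of executives whose identity a gift-card request would borrow.
CORPORATE_DOMAIN = "companyy.example"
EXECUTIVE_NAMES = {"jane ceo"}
GIFT_CARD = re.compile(r"\b(itunes|gift)\s*cards?\b", re.IGNORECASE)
PRESSURE = re.compile(r"\b(urgent|right away|asap|keep this between|do not call)\b", re.IGNORECASE)

def bec_indicators(raw_message: str) -> List[str]:
    """Return the reasons a message resembles an executive-impersonation request."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # constructed samples are single-part plain text
    found = []
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        found.append("executive display name sent from a non-corporate address")
    if reply_addr and reply_domain != from_domain:
        found.append("Reply-To points at a different domain than From")
    if GIFT_CARD.search(body):
        found.append("asks for gift cards")
    if PRESSURE.search(body):
        found.append("urgency or secrecy language")
    return found

def is_suspected_bec(raw_message: str) -> bool:
    """Flag when the executive-spoof indicator fires or two other indicators coincide."""
    found = bec_indicators(raw_message)
    return any("display name" in f for f in found) or len(found) >= 2

# Constructed sample messages (not real mail from the case).
SCAM = """From: Jane CEO <ceo.office@freemail.example>
Reply-To: Jane CEO <ceo.office@freemail.example>
To: assistant@companyy.example
Subject: quick favour

I need you to buy some iTunes gift cards right away for a client.
Keep this between us, I am in meetings and cannot take calls.
"""
LEGIT = """From: Jane CEO <jane.ceo@companyy.example>
To: assistant@companyy.example
Subject: boardroom

Please book the boardroom for Thursday afternoon.
"""
```

A flagged message is a candidate for quarantine or a banner warning the recipient, which would have given the assistant the cue she had never been given.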
20. Company Y – Root Cause & Lessons Learned
Company Y is extremely profitable, fast-growing, young and privately owned, so… not much has actually changed at Company Y….
21. What can be done to help the Human Error Factor?
Human Education – repeated and relevant (SATE)
Data Loss Prevention (DLP)
Separation of Duties / 4 Eyes
Infrastructure Protection
Documented Procedures
22. ISO/IEC 27001
Training Courses
• ISO/IEC 27001 Introduction – 1-day course
• ISO/IEC 27001 Foundation – 2-day course
• ISO/IEC 27001 Lead Implementer – 5-day course
• ISO/IEC 27001 Lead Auditor – 5-day course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events