5/31/2018
10:30 AM
Christy Wyatt
Commentary

Facebook Must Patch 2 Billion Human Vulnerabilities; How You Can Patch Yours

The situation Facebook is in should be prompting all security teams to evaluate just how defenseless or protected the people in their organizations are.

Everyone loves to watch giants get attacked. The heat of the moment provides fantastic entertainment. Typically, the spectacle reveals some truth. However, we usually don't get a clear picture of everything that's happening until after the dust settles. Such is the case with Facebook.

Now that things have calmed a bit, those of us in the security industry who have been watching the saga unfold are learning some valuable lessons. Chief among these is that by making only a few missteps, any business can turn millions of humans into vulnerabilities that unscrupulous actors can exploit. In this case, a lone developer accomplished this with an app that users, and Facebook, regarded as harmless.

What were some of the missteps Facebook made? It failed to arm itself with sufficient visibility over its environment. It had an ineffective early warning system. It didn't devote enough resources to user education and defense. And the social giant has been opaque about its business model and about how it collects and monetizes members' data. While Facebook may currently be the one in the spotlight, it's vital to remember that it's not the only business that is failing to protect its users. These same oversights and problems plague most organizations today.

The 2018 IBM X-Force Threat Intelligence Index revealed that vulnerable humans, which it refers to as "inadvertent insiders" (aka insider threats), are responsible for exposing more than 2 billion records and causing 20% of reported security incidents. The Ponemon Institute estimates that this class of user is costing organizations more than $283,281 per incident annually. Some damages can't be measured in terms of dollars or records lost but by the impact they've had on world history. The Hillary Clinton campaign argues that attacks against vulnerable campaign insiders contributed to her 2016 presidential election loss.

The situation Facebook is in, along with findings like these, should be prompting security teams to evaluate just how vulnerable or protected the people in their organizations are. It should also be motivating them to find ways to "patch" any human vulnerabilities that exist.

What's a Social Network, or Any Business, to Do?
Facebook CEO and co-founder Mark Zuckerberg says the platform will make sweeping changes to curtail future abuses. Let's hope they work. If Facebook, or any organization, is serious about protecting its people, there are certain essential steps it needs to take. Here are four that all organizations should take right now:

1. Gain visibility. Organizations need to get a grip on the behaviors of partners, customers, employees, and third-party application developers. To accomplish this, they don't have to resort to requiring anyone to adhere to intrusive monitoring practices that amount to surveillance and eavesdropping. To be effective, screen-shot captures, keystroke logging, and other invasive tactics aren't needed. There is a wide range of technologies available that Facebook or any company could choose from that will provide the visibility and intelligence needed to spot suspicious trends before they spiral out of control.

2. Enable early warnings. Many organizations have tools and technologies in place to notify them when suspicious behaviors take place. Many "early warnings" end up being false positives, which lead to alert fatigue. For early-warning alerts to truly have value, they have to be powered by technologies that understand behavioral context, know whether events are normal or anomalous, and recognize the intent behind observed actions. A smoke detector is of little use if it doesn't have a siren that lets people in the facility it's protecting know when there's danger. Nor would it have any value if it "cried wolf" when there is nothing to worry about.

3. Educate and protect. Organizations that want to shield their users against bad actors need to invest in providing security and scam education to users. Studies suggest that with education, humans can reduce their susceptibility rates to scams by as much as 70%. To further protect humans, businesses may need to build in alerts that let them know when they are about to engage with risky apps, click on questionable links, or get involved in dubious conversations. Access to a threat intelligence feed can also prove useful. The latest information about attacks in the wild will allow security teams to take proactive measures.

4. Be transparent. Had Facebook been up front with users about the fact that every bit of information they share is collected and analyzed for marketing and advertising purposes, then the 87 million users who were fooled may have thought twice before engaging with an app that was collecting personal information. Any organization committed to protecting its users against privacy and trust violations needs to be transparent about its data policies and business model. Users who understand how the businesses they engage with and work for use the data they generate and share will be in a better position to understand what types of online activities and behaviors are potentially harmful.

When it comes to vulnerabilities in the world of technology, our minds tend to focus on hackers exploiting weak computer code in order to gain access to systems and data. While this is certainly one example of how the vulnerability scenario plays out, history has taught us, and Facebook has highlighted, that it isn't the only one. By now, all businesses should be thinking about their human vulnerabilities and taking steps to protect them against scams and attacks that could compromise their personal privacy and lead to costly and embarrassing incidents.

Christy Wyatt, CEO, Dtex Systems. Christy Wyatt is chief executive officer of Dtex Systems and serves as a member of the board. Most recently Christy was chairman, CEO and president of Good Technology, the global leader in mobile security across the Global 2000.

Comments
REISEN1955
User Rank: Ninja
6/4/2018 | 8:08:39 AM
Don't tell the truth
Consider anything real about you on FB is exposed already --- so change your personal data going forward to be a lie and at least you are covered on that score!!! Doing that tonight.