“People are nothing more than another operating system,” Lance Spitzner, training director for the Securing the Human program at the SANS Institute, once remarked. “Computers store, process and transfer information, and people store, process and transfer information. They’re another endpoint. But instead of buffer overflows, people suffer from insecure behaviors.”

Cyber situational awareness is the key to minimizing the effect of human error on an organization’s cybersecurity posture. In the past, the domain of endpoints was restricted to devices such as PCs, laptops and smartphones. Nowadays, many experts consider human beings themselves to be the most vulnerable and highly targeted endpoints of all.

To compromise a user’s device, a cybercriminal must first compromise the user by exploiting human nature. This is the driving principle behind the social engineering schemes that facilitate many of today’s most pervasive attacks.

The Weakest Link in the Cybersecurity Chain

Humans are considered the weakest link in the cybersecurity chain because their nature often leads them to exhibit noncompliant behavior. According to Verizon’s “2016 Data Breach Investigations Report,” cybercriminals continue to exploit human nature with sneaky tactics such as ransomware and phishing. The report noted that in 63 percent of intrusions, attackers leveraged weak, default or simple passwords to gain access to data.

Cybercriminals commonly deliver malware through fraudulent, misleading emails purporting to contain family photos, important documents or retail offers that are too good to be true. Many organizations deploy phishing filters, advanced firewalls, network access controls and endpoint scanning tools to mitigate this threat, but no technology can account for human error entirely. These solutions protect only against known malware designs, which is why fraudsters continue to tweak malware code to bypass even the most advanced security tools.

A company that includes 1,000 employees with poor online hygiene has 1,000 insecure endpoints. A threat actor could easily design a malicious email campaign to deliver malware through one of those human endpoints. IT teams must secure each individual endpoint, human or otherwise, while cybercriminals only need to crack one to infect the entire system. If humans are the primary targets of cybercriminals, they ought to be prepared, informed and weaponized as the first line of defense.

Human Endpoints: The First Line of Defense

Securing human endpoints requires a comprehensive strategy that focuses on cyber situational awareness, suspicious incident reporting, risk monitoring and risk appraisal.

Cyber Situational Awareness

Cyber situational awareness is the ability to identify, process and comprehend information in real time. Awareness differs from training in that it is continuous and integral to daily learning.

The first step in building an effective defense strategy is to gather as much knowledge about the threat as possible. This enables the security team to prepare for attacks and makes it more difficult for fraudsters to gain access to the network. It also empowers human endpoints to exhibit caution before opening email attachments from unknown senders, sharing passwords with actors impersonating system administrators or inserting unknown USB drives into network devices.

Over time, users learn to differentiate between genuine and malicious emails and activities. Since threats are not constant, organizations should provide employees with daily cyber situational awareness education covering the latest developments in malware, vulnerabilities, threat intelligence, security alerts and best practices. This awareness goes a long way toward establishing a security foundation strong enough to withstand even the most deceptive threats.

Incident Reporting Platform

Once a culture of security awareness is firmly in place, the next step is to establish an actionable platform for reporting suspicious activity in real time. Such a process would hold employees responsible for identifying malicious activities and incentivize them to detect and report incidents. Moreover, it increases the eyes and ears of the organization and bolsters collective human intelligence. Artificial intelligence might be the next big thing in cybersecurity, but human intelligence is irreplaceable.

Cyber Risk Monitoring

Each human endpoint represents a cyber risk proportional to his or her online hygiene and behavior. Traditionally, organizations have not gauged cyber risk related to employee actions. Given the increase in the frequency, lethality, potency and intensity of these cyberattacks, however, IT teams should monitor every individual user profile and compile information into a cyber risk index. This index can calculate a score based on each user’s role, location, system entitlements, understanding of security practices, situational knowledge and red team performance. An employee’s system access levels should correspond to this score.
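As an added illustration of the risk index described above (example code written for this page, not from the article or from any vendor product), the following Python computes a per-user score from the factors the text names (role, location, system entitlements, understanding of security practices, situational knowledge and red team performance) and then checks whether a user's current entitlements exceed what that score permits. The factor scales, weights, tier thresholds and sample users are all constructed assumptions; a real program would calibrate them against its own incident history.

```python
"""Per-user cyber risk index with an entitlement check.

Added example, not the article's own method. Every weight, scale,
threshold and sample profile below is an assumption chosen for
illustration only.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    name: str
    role_sensitivity: int     # 1 (low) .. 5 (high): how privilege-sensitive the job role is
    location_risk: int        # 1 (office network) .. 5 (frequent travel / untrusted networks)
    entitlements: int         # number of privileged system entitlements currently held
    training_score: float     # 0.0 .. 1.0: result of a security-practices assessment
    situational_score: float  # 0.0 .. 1.0: result of situational-awareness quizzes
    phish_click_rate: float   # 0.0 .. 1.0: share of red-team phishing lures the user clicked


# Maximum entitlement count tolerated in each access tier (assumed values).
MAX_ENTITLEMENTS = {"standard": 10, "restricted": 4, "minimal": 1}


def risk_index(u: UserProfile) -> int:
    """Return a 0..100 score; higher means the human endpoint carries more risk.

    Half of the score is exposure (what the attacker gains by compromising this
    user) and half is behaviour (how likely that compromise is). Both halves are
    normalised to 0..1 before weighting.
    """
    exposure = (
        0.35 * (u.role_sensitivity - 1) / 4
        + 0.25 * (u.location_risk - 1) / 4
        + 0.40 * min(u.entitlements, 10) / 10
    )
    # Weaker awareness results and a higher red-team click rate raise the risk.
    behaviour = (
        0.35 * (1.0 - u.training_score)
        + 0.25 * (1.0 - u.situational_score)
        + 0.40 * u.phish_click_rate
    )
    return int(round(100 * (0.5 * exposure + 0.5 * behaviour)))


def access_tier(score: int) -> str:
    """Map a risk score to the access level the text says should correspond to it."""
    if score < 30:
        return "standard"
    if score < 60:
        return "restricted"   # e.g. no remote administration, step-up MFA required
    return "minimal"


def over_entitled(u: UserProfile) -> bool:
    """True when the user holds more entitlements than their tier allows.

    Entitlements also feed the exposure half of the score, so a user who keeps
    accumulating privileges while performing poorly is flagged sooner.
    """
    return u.entitlements > MAX_ENTITLEMENTS[access_tier(risk_index(u))]


def review_queue(users: list[UserProfile]) -> list[str]:
    """Names of users whose access should be reviewed, highest risk first."""
    flagged = [u for u in users if over_entitled(u)]
    return [u.name for u in sorted(flagged, key=risk_index, reverse=True)]


# Constructed sample profiles (not real data).
SAMPLE_USERS = [
    UserProfile("alice", 2, 1, 2, 0.9, 0.8, 0.0),
    UserProfile("bob", 5, 4, 8, 0.4, 0.5, 0.6),
    UserProfile("carol", 3, 2, 3, 0.7, 0.6, 0.2),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        s = risk_index(u)
        print(f"{u.name:6} score={s:3} tier={access_tier(s):10} over_entitled={over_entitled(u)}")
    print("review queue:", review_queue(SAMPLE_USERS))
```

The useful output is not the score itself but the mismatch it exposes: a user whose score places them in the "minimal" tier while they still hold eight privileged entitlements is exactly the gap between access level and risk that the text says should not exist, and the review queue gives the IT team a concrete list to act on.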

Performance-Based Appraisal System

IT teams should adopt both persuasive and coercive measures to reduce the cyber risk associated with an individual user. Organizations must endeavor to link appraisal with cyber hygiene. It is imperative to motivate employees to align with the organization’s cybersecurity culture.

Strengthening Human Endpoints

Cyberattacks will continue to target human endpoints as long as these employees remain the weakest link in the cybersecurity chain. The success or failure of these attacks depends on user awareness. Human endpoints must be every bit as ingenious and sophisticated as the cybercriminals targeting them. A security culture driven by cyber situational awareness is the best line of defense against these malicious actors.
