Forbes: When It Comes To Cyber Breaches, Humans Are Going To Be Human
Original posting on Forbes, March 13, 2024
By Brian McMahon, CEO of Threater
I’ve accepted over time that when it comes to security, there are two worlds: the world most people live in and the world security people think we should be living in.
In the “security people” world, we don’t reuse passwords. We don’t click on suspicious links and then enter our credentials into a spoofed website (which is to say nothing of the assumption that most people can identify such links and/or websites). And when we get a notification email from a company telling us they’ve been breached, we immediately go change our passwords across every site, just to be safe.
The vast majority of people, however, do not inhabit the “security people” world. They reuse the same password(s) over and over (and over…and over) again because there are too many accounts to remember. They worry about things like needing to log in from a different device that doesn’t have their suggested password saved. And for those who have a “system” for slightly altering their passwords for each service, I can assure you threat actors know about all of them, and their scripts will automatically stuff those variations in, too.
My point is this: Humans are people. People make mistakes. People often won’t take a more inconvenient route to do something they don’t fully understand when they aren’t forced to. And, most importantly, we need to internalize the idea that people won’t change willingly, so we must secure our networks and data accordingly while enabling users to successfully secure their data.
If you’ve followed cybersecurity news recently, three breaches keep coming up well past the typical news cycle for stories like this: MGM Resorts, 23andMe and “MOAB” (a.k.a., the “Mother of All Breaches”). On the surface, these breaches are all very different: Threat actors used different tools, techniques and procedures to accomplish each of them and the impacts and fallouts of the breaches have been wildly different, too.
However, if we move past the surface facts of these breaches, we can see how they’re more connected than what we initially might realize. Looking at these three breaches in the aggregate can help us understand why it feels like we’re constantly behind the cybercriminals and how we in the security world need to think more like the attackers.
First, a very quick overview of these three breaches.
MGM Resorts: A ransomware group found high-ranking MGM Resorts employees on LinkedIn, called into MGM’s help desk pretending to be those employees, and within 10 minutes had reset their passwords and multifactor authentication (MFA) methods. Soon after, the entire resort’s operations and casino were taken down, resulting in over $110 million in lost revenue despite not paying the ransom to the threat actors.
23andMe: Threat actors obtained login credentials from other breaches and then ran scripts that could test all those logins/passwords to get into users’ 23andMe accounts, knowing that many, many people reuse the same passwords or variations of the same passwords. The company reports that 0.1% of all accounts—about 14,000 users—were compromised through this credential-stuffing attack, but that breach allowed the threat actors to scrape millions of other users’ personal information, including genetic ancestry. In the aftermath, 23andMe has taken the stance—in both the courts and the court of public opinion—that the breach was caused by users reusing passwords and not opting into additional security measures 23andMe did not require at the time, such as MFA.
MOAB: Perhaps the least flashy of the three we’re talking about, but security researchers recently discovered a database of 26 billion records of stolen credentials and personal information, including breaches from widely-used sites such as LinkedIn, Dropbox and Adobe. While most of the records are from other breaches, this is now the largest collection of these types of records that are easily accessible to threat actors on the dark web.
These breaches—most breaches, actually—point to the undeniable fact that most people connected to the internet are, in fact, not “security people.” A helpdesk employee reset someone’s password and MFA after asking for basic identifying information any threat actor could find on the internet about the target they were impersonating. People didn’t opt into extra authentication methods that are inconvenient and reused passwords that had been caught up in a breach. When many people receive an email about yet another breach on an account, they sigh, try to remember to reset some passwords and then move on with their busy lives, numb to the fact their credentials are now available on the dark web, ready to be reused.
We can no longer keep putting the burden of security on the end users and pretending that eventually they will overcome their human nature and change their habits because it’s the “right” thing to do. Conversely, we can’t jump to the other end and assume people are incapable of learning or changing, either. It’s up to all of us security people to make it possible for humans—amid all our errors—to do better, even if it means holding the line and forcing some (currently) unpopular decisions such as requiring MFA, checking and enforcing software updates and enforcing strong password policies. All of these decisions and policies require us to be open and honest with people about why these are important until they eventually become second nature.
The good news, though, is that the faster we internalize that systems are filled and operated by humans, we can start seeing how to secure them for the world we live in. As keepers of people’s data, we need to stop blaming people for being human and instead own up to adopting security measures that anticipate their shortcuts and mistakes while enabling them to take ownership of the security of their data. The threat actors have made the idea that humans will make mistakes, which is the foundation of their entire business model. It’s time for us to do the same.