It’s so easy to become so focused on something that we can’t see the forest for the trees. As a hiker/backpacker/climber, I experience the literal version of that phrase quite often. In the world of cybersecurity, we spend a lot of time worrying about sophisticated cyberattacks, and we devote a lot of effort to creating complex cyber solutions to mitigate against these attacks, but we tend to forget that humans are oftentimes the weakest link in the cybersecurity chain. As one of my engineer friends is fond of saying: “Half of the safety elements we build into our systems are there to tell us when the users turn the other half off”.
The world of cybersecurity is full of stories regarding highly technical attacks, such as the Zombie Zero event where a rogue nation state paired an overseas contract manufacturer with a hacker organization to embed malware in new barcode scanners. These scanners were subsequently distributed around the globe. As soon as one of these rogue scanners was installed on the wireless network inside a victim company’s firewall, it infiltrated that company’s network and then exfiltrated every piece of scanned data to a botnet in China.
Not surprisingly, we get so focused on using technology to solve our problems (how about a better mousetrap?) that we often neglect the human part of the equation. We have predictable habits. We choose easily guessed shortcuts. Security isn’t always top of mind. For example, even with all the cyber awareness training that goes on, if someone sees a shiny USB memory stick lying on the ground in their organization’s parking lot, they will almost invariably pick it up. Later, despite all they’ve been told (perhaps they don’t think of the possibilities this object’s origin), they plug it into a system on the inside of the firewall and … da da da daaaa (cue threatening music).
Even today, people who should know better use weak, easily guessable passwords like “password123.” For example, as I discussed in my 2021 Data Security Year in Review blog, it now appears that the infamous SolarWinds attack (in which the Russian Foreign Intelligence Service managed to infect thousands of users, including U.S. Federal agencies, with malware) may have been facilitated by an intern using a weak password of “solarwinds123.”
There are many articles relating to this topic on the web, including, Why the Human Brain Is a Poor Judge of Riskand The Human Factor in Information Security. Also, there is a classic series of Washington Post articles under the umbrella heading “Net of Insecurity.” Part 1—A Flaw in the Design—starts by noting: “The internet’s founders saw its promise but didn’t foresee users attacking one another.”
One approach to help overcome human fallibility is to employ a Zero Trust (ZT) security model. The main concept behind Zero Trust is “never trust, always verify.” In other words, devices should not be trusted by default, even if they are connected to a managed corporate network, and even if they have been verified previously.
Recently, C4ISRNET posted a column titled DoD Must Focus on Skilled Cyber Defenders, Not Just New Tech, Warns Weapons Tester. As noted in this column, the Pentagon’s 2021 fiscal annual report of the Office of the Director, Operational Test and Evaluation, included the comment: “[C]yber assessments and operational tests continue to show that where systems or networks are actively defended by well-trained personnel in environments employing Zero Trust concepts, Red Teams emulating cyber actors have difficulty degrading critical [Department of Defense] missions.”
And, as I’ve mentioned many times before, a key aspect of a Zero Trust environment is to secure data at rest (DAR), where DAR refers to data that is physically housed in a storage device, such as a solid-state drive (SSD) in the form of a self-encrypting drive (SED).
At DIGISTOR, we specialize in helping military and government agencies and commercial entities of all sizes find the right encrypted storage solution to secure their DAR. With a wide range of secure storage offerings, from bare drives to removable solutions to Commercial Solutions for Classified (CSfC)-ready SSDs, we can assist you with specifying the appropriate storage devices to secure your important data. If you have any questions as to how securing DAR might apply to your own data security requirements, please feel free to contact us.