The first line of defence for any network against a cyber attack is often considered to be the security software on the perimeter of the network: the firewalls and other monitoring software. While a properly configured security framework is essential for any company network, as well as for a home or small-office network, the human element cannot be discarded entirely.
The human element becomes the first line of defence when the infrastructure fails to detect a cyber attack. As attacks become more sophisticated this will happen more often, because such software can generally only detect and stop what it has been configured to look for. Perimeter monitoring is becoming the go-to source of malware defence, since it looks for unusual behaviour (e.g. the same user logged on from geographically distant locations, or excessive disk activity). However, none of this is foolproof.
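As an added illustration of the "same user logged on from geographically different locations" heuristic mentioned above (example code written for this page, not from the original post or any monitoring product), the following script runs an impossible-travel check over a constructed login log. The log format, the city coordinate table and the 900 km/h threshold are all assumptions.

```python
"""Impossible-travel detection over a constructed login log (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed (lat, lon) coordinates for the cities used in the sample log.
COORDS = {
    "London": (51.5074, -0.1278),
    "Reading": (51.4543, -0.9781),
    "Sydney": (-33.8688, 151.2093),
}

# Constructed sample events in an assumed "ISO-timestamp,user,city" format.
SAMPLE_LOG = """\
2024-03-01T08:02:00,alice,London
2024-03-01T09:15:00,alice,Reading
2024-03-01T10:30:00,bob,London
2024-03-01T11:00:00,bob,Sydney
2024-03-01T12:00:00,alice,London
"""

MAX_SPEED_KMH = 900.0  # assumed ceiling: roughly an airliner's cruising speed


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_log(text):
    """Parse the log into (timestamp, user, city) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, city = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), user, city))
    return sorted(events)


def impossible_travel(text, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, required_speed_kmh) for each pair of
    consecutive logins by one user that would need faster-than-airliner travel."""
    last = {}
    alerts = []
    for ts, user, city in parse_log(text):
        if user in last:
            prev_ts, prev_city = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = haversine_km(COORDS[prev_city], COORDS[city])
            # Same-second logins from different cities count as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_speed_kmh:
                alerts.append((user, prev_city, city, speed))
        last[user] = (ts, city)
    return alerts
```

Alice's London-to-Reading hop is well within the threshold, while Bob's London-to-Sydney login half an hour later is flagged.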
Malware's New Trick
A trick that malware is increasingly using is to quietly infiltrate your network and then lie low, moving laterally from machine to machine and infecting each one as it goes. At some later date the malware triggers, starts to exfiltrate data and executes other payloads such as ransomware. As a result you may have been infected with malware months before monitoring actually detects the attack, by which time it can be launched on many machines simultaneously for extra devastation.
It is thought that more than 50% of attacks start in this way.
The Human Firewall
The concept of the Human Firewall is simple. It is essentially a commitment by a group of employees to follow best practice in order to prevent data breaches and suspicious activity, and to report them when they occur. The more employees you have committed to being part of the firewall, the stronger it gets.
This concept applies to family members as well.
Whether you are in the office or working remotely, awareness of what a cyber attack looks like to the end user is of increasing importance. This is where cyber security awareness training comes in, and it is the prime purpose of this website.
Awareness comes from education and knowledge of the various attacks that can present themselves to you, such as:
- Social Engineering attacks
- Malicious Adverts
- Fake Websites
You can also volunteer information that can be used to form a cyber attack without actually knowing it. For example, by liking a Facebook profile:
- I know your Facebook profile and can then find out anything you publicly post on it, including hobbies, activities, family members and your pet's name
- I can then move laterally to Google and find out a lot more about you
- I can then also go to LinkedIn and find out what you do for a living.
Take a look at the following video if you need any proof:
Another form of gathering information is to sit next to someone on a commuter train who is working on a laptop. The PC will probably have an asset sticker on it showing the company name. By looking at what's on screen you can probably find the person's name. Looking on LinkedIn you can then find their profile and therefore their position in the company. You may also be able to find their company email address, or make a guess at it (e.g. firstname.surname@company). If that same person is working on company documents, then a glance at their screen may also tell you what they are working on.
Another one is your "porn star name", for example your pet's name as a child and the street where you lived. We see these things on social media all the time and, as a laugh, we often post our porn star name. This gives someone important information that they can use to guess your password.
Scary, isn't it? We all leak information every day that can be used to perform cyber attacks, and none of this requires sophisticated surveillance software. Anyone can do it.
You should also be wary of free WiFi in coffee shops and hotels; a spoofed hotspot is a very realistic attack vector.
Configuring the Human Firewall at Work
Here are a few tips:
- Make it easy for people to comply: complex procedures and policies are not always beneficial. Instead, post simple infographics on notice boards and focus on a specific weakness or message of the week.
- Keep cyber security awareness education ongoing: education should be continuous, with updates and briefings as new threats arise. Employees should also be re-educated whenever they change job role, as well as on a quarterly basis.
- Incentivize and encourage participation: this can be as simple as giving each member special recognition for doing things like catching phishing emails. You can sweeten the pot with prizes or other awards.
- Be inclusive: people shouldn't feel intimidated, or feel that they aren't tech-savvy enough to be part of the human firewall. In fact, it's essential that they are encouraged to join. This should apply at all levels of the company, from the entry-level employee to the board of directors.
- Keep it human focused: those who participate should do their best to help others with cyber security concerns, thereby helping to change culture and behaviour. Avoid treating people like cogs in a machine.
- Monitor the education: this can be as simple as sending a fake phishing email and seeing who clicks on the link.
- Evolve: threats are always evolving and new ones keep appearing. As a result there should be regular bulletins on internal websites, as well as alerts when a new scam or phishing email is doing the rounds.
There are many companies that provide Cyber Security Awareness training, but our Guidance Pages are probably a good place to start.
Configuring the Human Firewall at Home
At home we are often more at risk of cyber attack than in the office, since we don't have all the sophisticated monitoring software in place. You should have a firewall enabled on your home router and anti-malware software installed on your PC and mobile devices. However, as I demonstrated above, this is not foolproof.
The standing advice here is to be aware of what is happening and of the precautions to take. The Guidance Pages on this website are a good place to start, as is our Twitter feed, where we post articles published in the tech press about current attacks and data breaches.
Make sure your email address hasn't been disclosed in a data breach; websites like "Have I Been Pwned" are a good service for checking this.
The tag line for our website is:
"Promoting Cyber Security and Privacy as an integral part of what we do."
This is the essential message that you need to take from this blog post. When you are online, you have to be continuously aware of what you are doing and alert to any threats.
This doesn't mean you shouldn't put all the technical barriers in place as well.