The Human Factor - Your strongest and weakest link

The maxim "Humans are the weakest link in cybersecurity" has been consistently echoed for as long as I can remember. However, one can make the counter-argument, "Humans can be the strongest defence."

Recently, I experienced these contrasting results of human potential in cyber security defence and vulnerability in a single cyber-attack incident.

The Australian Cyber Security Centre (ACSC) conducts a cybersecurity awareness campaign every October to promote cybersecurity hygiene for Australians. I am sharing my recent learnings to support the ACSC campaign.

A compromised Office 365 account belonging to a finance team member allowed an adversary to falsify a request to change our bank account details. The request was sent from a legitimate email account and domain, so the legitimacy of the source could not be questioned; however, the scanned bank cheque was falsified, which could be determined on close inspection.

The request email was sent to three customers, one of whom invoked a standard callback process to confirm its validity, which alerted us to the cyber-attack. Our ICT team started an incident investigation, with forensic analysis confirming that two other customers had been issued a similar request. Both customers were notified 48 hours after the breach, requesting termination of the bank change request.

A rudimentary procedure to enforce a callback for any customer or vendor request to change bank details averted the cyber threat and identified the breach at the same time. The callback procedure exemplifies the human element’s potential in any cyber defence strategy. The same could not be said of our other two clients, who processed the changes without any callback to confirm the validity of the request.

No amount of cyber defence or monitoring technology would have averted this type of attack. Once the Office 365 account is compromised, the human element is the best mitigating control for this attack.

Here are some tips to consider when developing your callback procedures, sourced from the JP Morgan Chase article “Developing a Strong Callback Process”:

  • Please always contact the email sender or trusted vendor (in person or by using a known telephone number) when you receive instructions to change bank account information. Never rely on contact information sent in an email or respond to the email request directly.
  • Establish a tiered confirmation process to reduce vulnerability. For example, if an employee doesn’t perform the callback and instead asks another employee or manager to validate, they should follow a verification process to ensure protocols are followed. Never assume that the callback process was performed as expected—always confirm. This practice aligns with the Zero Trust information security principle of “Never Trust, Always Verify”.
  • Never release funds if you can’t validate the request, even if it’s marked urgent or time-sensitive.
  • Develop escalation protocols to use if an employee performs a callback but remains suspicious.
  • Work with vendors to create shared protocols for validating email requests.
