The Human Element: Understanding Why People Are the Weakest Link in Cybersecurity
The event selected for analysis is the Red Cross attack that occurred in January 2022, which compromised "more than half a million records" (Jennings).
The servers and network attacked belonged to the International Committee of the Red Cross, and the attack exposed sensitive personal user data along with information confidential to the organization. As stated on the Red Cross official website, the compromised data was confidential and concerned "more than 515,000 vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention" (1). Additionally, the attack impacted the "Restoring Family Links" program administered by the Red Cross, which is used to reunite family members separated by "conflict, disaster, or migration" (1). Therefore, it is fair to consider that the impact and damages of this breach go beyond monetary loss and the risk associated with the exposure and collection of personally identifiable information.
A similar incident would be the Office of Personnel Management breach, not necessarily in size but in the nature of the attack and in the similar positions of the victim organizations. In the Office of Personnel Management breach, once the intrusion was discovered, a delicate choice was made that shaped the outcome of the incident. The OPM responders (or the decision makers during the response) chose to allow the intruders, a group that goes by "X2by", to continue accessing the system. They allowed the intruders more time within the network on the justification that their internal team could monitor them and gather intelligence on the attackers' techniques and methods. Unfortunately, this also gave the infiltrating group time to install malware elsewhere in the network, outside the area being monitored, resulting in a backdoor that the Office of Personnel Management team missed (Fruhlinger 1). When it came time to reset, they were not able to swiftly boot the hackers out of their system; by that point it was too late.
One might wonder where this type of response falls on the spectrum of response tactics; deciding to allow intruders to stay on the network to observe their behavior may not be the type of active defense method the responders thought it was. This is not to discredit the exercise of observing intruders' behavior and the value it can bring to gathering intelligence on their techniques and tactics. Typically, however, this sort of exercise is planned, and the intruders are monitored while in a decoy network that is segmented from the rest of the network and far away from what would be considered the organization's crown jewels (its most valuable information). This strategy is called a honeypot and is considered a less aggressive active cyber defense technique (Hoffman and Levite 9). The OPM exercise amounted to a pricey penetration test, considering the total cost of the breach against the actual value of the information gathered by monitoring the intruders. Had the team reset the system right away to "purge the attackers from the system," the Office of Personnel Management may have been spared this monumental catastrophe (Fruhlinger 1).
The Red Cross breach, though the incident played out a bit differently, was also preventable. Greig reported that the vulnerability had been flagged prior to the breach, was already being exploited in the wild, and had a patch available. In the Red Cross's official response, readers were told that the attackers were highly specialized and used advanced tools to exploit the vulnerability. However, one could argue that there appears to have been a lack of urgency on the part of the Red Cross to patch this vulnerability. The vulnerability in this incident is reported to have been an "authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution" (Greig 1). As mentioned, this was a known vulnerability, disclosed before the incident, with patching information and warnings already disseminated across the industry. Perhaps the decision not to prioritize patching the vulnerability resulted from decision-makers at the Red Cross weighing the risk of possessing the vulnerability against the odds of it being exploited in real life (so to speak). Perhaps unnecessarily, special attention was given to the attackers' skills in the public announcement from the Red Cross, even though this was a known vulnerability with a known solution and ample warnings communicating the risks. It appears a bit off base to treat the incident as inevitable; either it was an attempt to appear helpless in the matter, or it is another instance of China's cyber skills being underestimated.
The Red Cross attack shares critical attributes with the Office of Personnel Management data breach, which was deemed the "greatest theft of sensitive personal data in history" (Adams 1). Though the Red Cross incident may not be classified as a mega breach (or even a super mega breach), the nature of the incident shares similar characteristics from the perpetrator's side with the Office of Personnel Management hack. The most apparent is that China was behind both exploitations; it has been speculated that in both instances the objective was to obtain intelligence on foreign entities. Chinese intelligence has collected and compiled a database of more detailed information on its rivals than any other nation in history, an impressive achievement no less (Graff 2). Additionally, there appears to have been a lack of preventative measures taken by both organizations. Both were presented with opportunities to pursue and implement preventative and active deterrence measures, and both had reasons, from their perspective, that justified either disregarding best practice or making a risky judgment call.
It does not end here; viewing these cases from a macro perspective leads us to a new line of questioning: if highly guarded branches of the government like the Office of Personnel Management are vulnerable, as well as established organizations like the Red Cross, what hope is there for the mid to small-sized companies whose budget for cybersecurity is what the DoD spends on toilet paper? There is good news and bad news. The good news is that cyber defense is not only about the technical components that make up an organization's environment; the human layer has just as essential a role and is a crucial component of building a segmented and layered defensive system - which is also the bad news, since the best and most secured architectures are vulnerable as long as humans interact with them. In modern times, this concept has been taken even further; hacking has expanded beyond 1s and 0s, and adversaries are discovering ways to get root access to our reality. As Hanson and O'Connor discussed, democracies can be crushed, elections can be influenced, and long-term distrust can be rooted in communities by adversarial nations hundreds of miles away (5).
As human life becomes more intertwined with technology, it is no longer as ridiculous as it once was to consider adding layer eight to the OSI model. For years, that has been a joke among the analysts and technicians who have had to ask whether a caller's computer is not working because it is not turned on. "Must be a layer 8 issue," they might say. Nevertheless, all joking aside, maybe it is time to treat the human element as seriously as the other seven layers. If the most significant and common vulnerability across secured systems is still humans, what can we do to reasonably omit humans from the process where they are not needed? This question does not mean the dawn of a Matrix-like future where humans are abused by machines; it means evaluating where in the security process human decision-making is no longer essential or beneficial. Considering automated solutions, building better systems where security principles are baked in, and removing as many opportunities for mistakes as possible will help reduce the vulnerabilities introduced by humans. For example, the OPM and Red Cross breaches both involved a human decision-making point that significantly impacted the course of events and was, in retrospect, short-sighted. The Red Cross issue could have been addressed and prevented with stricter patching policies, while the OPM breach only reached its magnitude because of a judgment call. To add insult to injury in the case against unsecured humans, there are notable examples of similar events in recent history, for example the Equifax breach. Stepping through the detailed post-mortem provided in the 2018 report "To Congressional Requestors," we learn about the vulnerability that was subsequently exploited in the now infamous Equifax hack. Unfortunately, the company appears to have a history of poor security practices, based on the numerous previously disclosed breaches (10).
However, none were of the size and scale of the highly publicized breach that resulted in the compromise of the records of 147 million Americans (Ng 1). This hack has become infamous because of how disastrous the incident was in both scale and preventability. There is a clear pattern of weak follow-through and initiative on the part of the Red Cross to secure the organization's environment. Brewster observed that the breach was "depressingly predictable: a vulnerability in a piece of software" (1), noting that a patch had been made available before the hack took place.
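The paper's recurring point is that the Red Cross, OPM and Equifax incidents each turned on a known vulnerability with a patch already available, and that a stricter patching policy would have removed the human judgment call about whether to prioritize it. The following is an added example, not taken from the paper or any of the sources it cites, of what such a policy looks like when it is encoded rather than left to a decision-maker: each finding is placed in an SLA tier purely from whether exploitation is known, whether a fix exists and whether the asset is internet-facing, and anything past its deadline is reported as overdue. The tier thresholds, the `VULN-000x` identifiers, the product names and the dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadlines in days from disclosure. These numbers are a
# constructed policy for this example, not values from any cited source.
SLA_DAYS = {
    "critical": 3,   # exploited in the wild, patch available, internet-facing
    "mitigate": 7,   # exploited in the wild, no patch yet: isolate / apply workaround
    "high": 14,      # exploited in the wild, patch available, internal only
    "routine": 30,   # no known exploitation
}
TIER_ORDER = {"critical": 0, "mitigate": 1, "high": 2, "routine": 3}


@dataclass
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE number
    product: str
    disclosed: date
    exploited_in_wild: bool
    patch_available: bool
    internet_facing: bool
    remediated: bool = False


def classify(f: Finding) -> str:
    """Assign an SLA tier from the facts alone; no human judgment call involved."""
    if not f.exploited_in_wild:
        return "routine"
    if not f.patch_available:
        return "mitigate"
    return "critical" if f.internet_facing else "high"


def triage(findings, today: date):
    """Return open findings, most urgent first, each with its deadline and overdue days."""
    rows = []
    for f in findings:
        if f.remediated:
            continue
        tier = classify(f)
        deadline = f.disclosed + timedelta(days=SLA_DAYS[tier])
        rows.append({
            "vuln_id": f.vuln_id,
            "product": f.product,
            "tier": tier,
            "deadline": deadline,
            "overdue_days": max(0, (today - deadline).days),
        })
    # Urgency tier first, then earliest deadline within a tier.
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], r["deadline"]))
    return rows


def overdue_report(findings, today: date):
    """Only the findings that have blown their SLA; this is what leadership should see."""
    return [r for r in triage(findings, today) if r["overdue_days"] > 0]


# Constructed sample inventory; none of these describe a real system.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "self-service password portal", date(2022, 1, 3), True, True, True),
    Finding("VULN-0002", "internal wiki", date(2022, 1, 10), True, True, False),
    Finding("VULN-0003", "VPN gateway", date(2022, 1, 15), True, False, True),
    Finding("VULN-0004", "build server", date(2021, 12, 1), False, True, False),
    Finding("VULN-0005", "mail relay", date(2021, 11, 20), True, True, True, remediated=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, date(2022, 1, 20)):
        print(f'{row["vuln_id"]:10} {row["tier"]:9} due {row["deadline"]} '
              f'overdue {row["overdue_days"]:>3}d  {row["product"]}')
```

Run against the constructed inventory on 2022-01-20, the internet-facing portal with a known-exploited, patched flaw lands at the top of the list two weeks past its deadline, while the unpatched VPN flaw is ranked above the internal wiki even though it cannot be patched yet, because the policy treats "no fix available" as a reason to mitigate sooner rather than wait. The point of the structure is that the ranking is reproducible from the inventory and does not depend on who is on shift.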
In the National Cyber Strategy released in September 2018, there are numerous initiatives and plans to protect, promote, and preserve. However, there does not appear to be much discussion of fail-safes or of how we can better account for human error, in line with the theme of the incidents discussed in this paper. The more recent executive order on "Improving the Nation's Cybersecurity" (published in 2021 by the Biden administration) has more teeth to it. The approach it outlines states that "The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned" (1). Notably, this will allow for closer examination of critical issues that must be addressed holistically. As with any ecosystem of comparable complexity, addressing security in the cyber domain will require immense collaboration and support across all organizations and entities. Every network maintained across the United States is a link in the chainmail of the overarching cybersecurity protection defending the nation.
With layer eight identified as one of the most challenging layers to secure and predict, we look to the future to set ourselves as a nation on a trajectory for success. Unfortunately, the OPM, Red Cross, and Equifax breaches will not be the last. Moreover, though cyber strategies have been written and initiatives are in place, it is fair to question whether these measures will be enough to spare us from a grim future plagued by none other than the human condition.
Adams, Michael. “Why The OPM Hack Is Far Worse Than You Imagine.” Lawfare, 31 Oct. 2019, www.lawfareblog.com/why-opm-hack-far-worse-you-imagine.
Brewster, Thomas. “How Hackers Broke Equifax: Exploiting a Patchable Vulnerability.” Forbes, 14 Sept. 2017, www.forbes.com/sites/thomasbrewster/2017/09/14/equifax-hack-the-result-of-patched-vulnerability/?sh=55ba58775cda.
Cyberattack on International Committee of the Red Cross. www.redcross.org/about-us/news-and-events/news/2022/cyberattack-on-international-committee-of-the-red-cross.html. Accessed 28 Sept. 2022.
Fruhlinger, Josh. “The OPM Hack Explained: Bad Security Practices Meet China’s Captain America.” CSO Online, 12 Feb. 2020, www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html.
Graff, Garret. “China’s Hacking Spree Will Have a Decades-Long Fallout.” WIRED, 11 Feb. 2020, www.wired.com/story/china-equifax-anthem-marriott-opm-hacks-data/amp.
Greig, Jonathan. “Red Cross Traces Hack Back to Unpatched Zoho Vulnerability.” ZDNET, 16 Feb. 2022, www.zdnet.com/article/red-cross-traces-hack-back-to-zoho-vulnerability.
Hanson, Fergus, et al. “Hacking Democracies: Cataloguing Cyber-Enabled Attacks on Elections.” Australian Strategic Policy Institute, 2019, https://www.aspi.org.au/report/hacking-democracies.
Hoffman, Wyatt, and Ariel Levite. Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? Carnegie Institute for International Peace, 2017.
Jennings, Mike. “Top Data Breaches and Cyber Attacks of 2022.” TechRadar, 4 May 2022, www.techradar.com/features/top-data-breaches-and-cyber-attacks-of-2022.
“National Cyber Strategy.” NIST, 9 May 2019, www.nist.gov/itl/applied-cybersecurity/nice/resources/executive-order-13800/latest-activities/national-cyber.
Ng, Alfred. “How The Equifax Hack Happened, and What Still Needs to Be Done.” CNET, 7 Sept. 2018, www.cnet.com/news/privacy/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed.