Top 5 human errors that lead to data breaches
Malicious actors can identify and take advantage of security vulnerabilities in a matter of hours. Security vulnerabilities are an important part of this problem, but do not tell the whole story. More often than not, the victims themselves play a role in leaking their personal and financial information, due to a human error on their part.
While preventable, human errors are difficult to predict, as they can be caused by both experienced and junior developers, employees and outside consultants. They are the result of the pressure to deliver on time, and the habit of solving problems quickly, thinking that a more secure and permanent fix will come later. Time and time again, experience has shown that people never come back to secure the temporary fix they implemented.
Based on our experience throughout the years, we have put together a list of the top 5 human errors that generate data breaches. These are common enough to have potentially happened in your company, and are likely to happen again in the future. After all, up to 60% of all data breaches happen because of human error.
1. Source code repositories
Password and API key leaks on source code repositories are common mistakes. Unfortunately, they are among the most damaging that your employees can make. A company password or access key can be revoked, but until it is, it enables a malicious actor to impersonate your company and access all of its data. Unless a strict routine is put in place and enforced, it is easy to hard-code your infrastructure’s password and then commit that code to an open-source code repository. Many of these technical secrets remain online for months, and can even be retrieved from the commit history. Detecting leaked technical secrets can be difficult, but it is becoming easier with the development of new entropy and machine learning algorithms.
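The entropy approach mentioned above can be sketched as follows. This is an added example, not code from the original article: the length cutoff, the 4.0 bits-per-character threshold and all function names are assumptions, and the sample source lines are constructed. It scans a single text snapshot; a real check would also walk the commit history.

```python
import math
import re
from collections import Counter

# Assumed tuning values for this example; real scanners calibrate these.
MIN_LENGTH = 20
ENTROPY_THRESHOLD = 4.0  # bits per character

# Runs of characters that commonly make up keys, tokens and base64 blobs.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LENGTH)


def shannon_entropy(token: str) -> float:
    """Shannon entropy of the token's character distribution, in bits per char."""
    counts = Counter(token)
    total = len(token)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def find_candidate_secrets(text: str):
    """Return (line_number, token, entropy) for each high-entropy token in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN_RE.findall(line):
            h = shannon_entropy(token)
            if h >= ENTROPY_THRESHOLD:
                findings.append((lineno, token, round(h, 2)))
    return findings


# Constructed sample: the key below is random filler, not a real credential.
SAMPLE_SOURCE = '''\
db_host = "db.internal.example"
api_key = "q7Zp2LxV9mKc4TgB8nRw3YdH6sJf1AeU"
description = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
log_directory_for_application_output = "/var/log/app"
'''

if __name__ == "__main__":
    for lineno, token, h in find_candidate_secrets(SAMPLE_SOURCE):
        # Print only a prefix so the scanner's own output does not re-leak the value.
        print(f"line {lineno}: {token[:4]}... entropy={h}")
```

Only the random-looking key on line 2 is flagged; the repeated-character string and the long identifier both stay under the threshold, which is why entropy is usually paired with a minimum length and tuned per character set to limit false positives.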
2. Open databases
Most databases have no need to be accessed directly from the internet. Their access is controlled by credentials, security keys, and even user origin. Access rights are extremely powerful, but also difficult to configure. Some databases such as MongoDB are created with open settings that have made it possible to access private data, even when developers thought their database was secured. Databases make for extremely valuable targets as they often contain usernames and passwords. With the rise in computing power, poorly encrypted passwords are easy prey for malicious actors.
3. Poor password policies
Having to remember long and complex passwords is not in human nature. When forced to change passwords regularly, the task of memorizing passwords becomes even more complicated. Password managers have helped users choose a unique and complex password for each website they visit, but these are still too rarely adopted. Malicious actors take advantage of weak passwords, wherever they are used and leaked. The account you register on a training application, for example, can be leaked. That password, if it is the same as your workplace password, could lead to the compromise of your corporate network. Reusing passwords, especially those that are easy to crack when encrypted, is a significant human error that can be easily fixed with a password manager.
4. Phishing links
One of the oldest techniques malicious actors use to steal credentials and personal information is to convince employees to click on links in fake emails and SMS texts. Phishing remains an ongoing security problem, even though most employees have become quite familiar with it. This is because phishing emails have increased in sophistication at around the same time as awareness has grown. This type of human error is extremely effective as phishing emails only have to work once to let a malicious actor in. Thousands of employees can recognize the phishing email, but a single weak link is enough to take down an entire network.
5. Deficient rights management
We recently discussed the sudden change in the free service for Docker Hub. This pushed developers to make a quick change to their routine, and to move to a new infrastructure that they did not fully understand. This is one of many examples that showcase how rights management issues can create massive data breaches. Each service has its own naming convention, while penetration testing to ensure access is secure is both expensive and time-consuming. The shift to a new cloud service provider is ripe for mistakes in rights management, especially when combined with the above human errors.
How to reduce human error impact?
The more your company grows, the higher the risk of human errors occurring in your organization. Pressure to deliver projects on time and within budget also opens the door to human errors.
The best strategy is to have clear internal processes that everyone, from freelancers to permanent staff, must follow at all times. Regular training and reminders regarding those processes can go a long way in preventing human errors. Should these fail, an efficient inspection of source code repositories and the criminal underground can flag, often in minutes, when a human error has led to a data breach. This real-time notification significantly reduces investigation and remediation costs.
It’s a company’s greatest nightmare to discover that a human error has enabled malicious actors to wander around its networks for months, or years. It is a challenge to conduct forensic analysis over a long time period to properly understand the extent of a data breach. There is a great difference between continuing business operations and having to shut down for days or weeks while the investigation is ongoing.