Forum Discussion
What security threats do you experience the most?
Hey everyone,
Stop what you’re doing - episode 2 of The Secure Element is out now!
Tune in as Bigdogburr and Theresa Lanowitz, Chief Cybersecurity Evangelist at LevelBlue, dive into achieving cyber resilience in an era of boundaryless computing.
Their discussion truly reinforced for me just how vital a holistic approach to securing all end-user computing is - from laptops to mobiles, and everything in between - especially with cyberattacks becoming so sophisticated.
The role AI plays in crafting these increasingly targeted attacks was a real eye-opener!
This episode got me thinking about the real-world threats we’re all facing. What are the kinds of cyber threats you are most confronted with?
Cast your vote in the comment section below:
- Phishing / Quishing / Smishing (Email, SMS, or QR code tricks)
- Deepfakes (Convincing fake video / voice calls)
- Malicious apps (Apps designed to steal data / compromise devices)
- Network attacks (Rogue or Spoofed Wi-Fi, man in the middle, etc.)
- Other (please share more details in the comments!)
And share some wisdom! Do you have some tips on how to identify a cyber attack? If you’ve been targeted, what’s one key lesson learned that you think everyone should hear?
Looking forward to reading your stories.
Chat soon,
Emilie
20 Replies
- Moombas (Level 4.4: KitKat), 2 months ago
I can, terrifyingly, 100% agree with this from mattdermody: "The biggest security threat or vulnerability we are exposed and actually affected by the most are the end users themselves."
But those sometimes are the result of IT handling passwords. They need to be too complicated, changed too often, ... yeah, sounds strange from the security side, but look at the results:
- users note down passwords on easy to see/find locations
- users store passwords in cleartext somewhere
- users always try to use still somehow "readable" passwords (like: Id0ntl1ke!t)
- ...
Which may finally be less secure than using strong passwords (ofc) but somehow easy to remember and not to be changed too often, and even better, maybe make use of MFA as much as possible (today I think this should be a minimum, but it is still not the case).
Also, using password managers is not secure because instead of multiple passwords to be cracked, you only need one (the one from the manager). So if software is used here which is not secure enough, it gets even worse.
- Emilie_B (Google Community Manager), 2 months ago
You make an interesting point about the complicated and/or long passwords being too difficult for end users to remember Moombas
What do you think would be a good solution to handle passwords? Is it a good idea to allow end users to write them down? Maybe they could do so in a more secure way...
- Moombas (Level 4.4: KitKat), 2 months ago
No, writing down is definitely nothing they should do ever.
But IT needs to find a good solution in case of good password settings, which the end user may be able to remember because of the good (not too complicated) password (but still matching character rules), which may also then result in less need to renew it.
This could lead to less written down passwords.
But in general, I still raise my hand for Authenticators being used as MFA or even, in addition to the password, a physical device like an employee card or fingerprint being used.
And just to add here: Sometimes you also just need to be creative to find a good way to create your own good passwords.
Example: Year-Day-SystemToAccess-SomethingUnique
Result of Example: 2023-05-Java-IHate
This automatically contains numbers, characters and (capital) letters, where year and day are, for example, the ones you changed the password on.
So everything is something you can somehow easily remember and just need to put together, and it is different from system to system.
- Michel (Level 4.0: Ice Cream Sandwich), 3 months ago
Such an interesting topic! And like others have said, there’s really only one answer: people. When it comes to security, they’re the weakest link.
You can enforce complex passwords, but they’ll write them down on a sticky note. Make them simpler, and they’ll choose something easy to remember (and easy to guess). Add a number requirement? They’ll just tack on a “1.” Ask for a new password later? It becomes the same one with a “2.” People really are the gift that keeps on giving.
I don’t have much to add to what’s already been said about us simple creatures.
But let me offer another angle. A growing concern I see among customers is the targeting of specific individuals within an organization. For example: a CEO travels to a country that’s considered questionable from an EU perspective. On the way back, a security officer pulls them aside at customs. Their smartphone, tablet, and laptop are handed over and disappear behind a closed door.
Eventually, the devices are returned with a casual “everything’s fine.” That’s the moment to worry. There is a big chance they have installed something on the devices to track its movements or actions on the OS. Once home, those devices should be wiped—or better yet, trashed. They can no longer be trusted in a corporate environment.
Then there’s the janitor or cleaning crew—people with legitimate access to secure areas. Tracking their phones to identify sensitive locations is a real risk. Banning personal phones helps, but there’s always a loophole. People will always try to do what they’re not supposed to.
This is becoming a real issue for more and more companies on the NIS2 directive list. I’m hearing these stories far too often. And honestly, there’s not much you can do—except travel with hardware that can be shredded on return. Some vendors offer tools to check device integrity or add layers of encryption, but it’s still a rising concern.
- Emilie_B (Google Community Manager), 3 months ago
That's a great addition to the conversation Michel !
And a terrifying thing to consider; that some attacks are targeted towards certain individuals in the real world, with direct access to their devices and the company data... Thinking it could come from security officers at customs is scary - because individuals do not have much choice in these situations but to hand over their devices (and most would not imagine there could be any malicious intent).
So, you'd definitely advise to keep devices in your suitcase when travelling? Or at the very least, ask for the device to stay in sight (if at all possible)?
I guess the issue - and this is still people-related - is that spammers learn and evolve as fast as the security measures get deployed...
- Michel (Level 4.0: Ice Cream Sandwich), 3 months ago
It really is terrifying and makes me rethink certain places I would visit on private trips. Or make sure my devices are protected.
There is not much such individuals can do in the security officer example. Suitcases and everything will be searched and all devices should be considered insecure. So we advise customers to either accept that their device will be shredded upon return, or leave your devices at home and bring a temporary device with you to work on.
And that is a nice example of why DeX and Android's built-in features will provide excellent tooling to just travel with a simple Android phone and check your mail via a remote desktop client while traveling.
- BenMcc (Level 2.2: Froyo), 3 months ago
I agree with mattdermody in that the biggest threat is people - mostly staff/admin of systems that themselves are not security specialists and just don't understand the problems. Whether it is them falling for a phishing scam, using weak passwords (pets' names) or using unsecured networks (hotels, airports, coffee shops etc). And it's not just digital security they need to think about. Just the other week I was in a local coffee shop next to a table of people I knew worked in a local solicitor's office openly telling, what I assume was a new starter, the pin code for the digital lock on the office back door. Now I am just one step away from physical access to their computers and every step nearer to hardware makes the job easier for someone wanting to do harm.
As engineers we can do all sorts to protect the system we are creating - yes we can make mistakes, but we can also acknowledge that and offer bounties, use 3rd party testers etc to keep testing our defences. What we don't have much control over is stupidity - at least not without making the system an absolute nightmare to access for users!
- Emilie_B (Google Community Manager), 3 months ago
That's really interesting! Thank you for sharing BenMcc 🙂
I can't believe the scene you're describing; sharing vital business information - giving access to their offices - in the middle of a coffee shop sounds very risky and not just for the business, but also for all their employees and clients as data has become a very valuable currency...
So, where do you think we can go from here? Is it a case of educating end users and people in general? Or a case of restricting access to certain networks or even places?
- BenMcc (Level 2.2: Froyo), 3 months ago
Good question. We have been dealing with the same issues since the 90's - A time when I started giving talks about social engineering being the easiest way to access computer systems. An hour in a pub listening to people, favourite sports teams, pets, family members and you have a wealth of information to try out. There was a video not long ago with the host approaching some teen saying they could guess their bank pin code in just 3 attempts, after asking some random question about favourite numbers, number of siblings etc he made a few guesses all to the delight of the teen he got wrong. He then said "oh well it didn't work - what is it then?" to which the teen replied with her pin number. Social engineering at its simplest!
To give more context to my recent experience; I live in a smallish village, low crime rates etc so sitting in the local coffee shop feels a lot safer than perhaps in the middle of a major town centre - but it is that sense of security that is the problem for digital security. People with weak passwords who say "well I have nothing to hide if someone reads my emails" just don't understand the implications especially when they then also use the same passwords for business systems, or that email account is used as the recovery email for other systems or other password resets etc.
We see daily terminations of Play Developer accounts because a dev has added, some random person they met on a social platform, access to their account and have been rewarded by that person uploading apps that clearly violate the policies. The account holder wasn't trying to break the rules and didn't think they were doing anything wrong, in some cases they were just trying to be nice and help someone else out. I would love to live in a world where I could absolutely trust that the next person wasn't out to exploit or do me harm - wouldn't we all? The reality is we have to protect ourselves and that extends to the digital world but until people get that message systems are still going to get broken into. Education in this field doesn't seem to have worked (at least not in the last 30 years) so we now implement other systems, 2FA, passkeys, biometrics - all of which people find a way to exploit within days and it's mostly not the hardware, software or algorithms that are exploited but some form of social engineering, perhaps some member of royalty for some country that just needs a bit of help to move some funds because of some impending war....
I don't know how we get this message across to the users of systems I have been trying for years! You can probably guess as this sounds more like a rant than a factual post! 🤣 I, like many, am frustrated trying but we have no choice but to keep trying.
- mattdermody (Level 3.0: Honeycomb), 3 months ago
The biggest security threat or vulnerability we are exposed and actually affected by the most are the end users themselves. As a point of clarification I deal exclusively with enterprise line of business devices that are shared. Examples include inventory management devices in warehouses and retail stores, point of sale registers, kiosks, digital signage, etc. The end users leveraging these devices are often the biggest threat that we have to manage. There is a never-ending battle to keep these end users off non-productive websites and apps like Youtube, Chrome, etc in order to keep them on task on their business apps only. This is a constant struggle as these end users have a lot of time on their hands interacting with these devices in order to come up with creative workarounds. Think for example a warehouse worker that might be interacting with their device 8-10 hours a day every single week. These users find ways to break out of lockdowns and access websites, apps, and settings that they shouldn't. One of the most frustrating examples is when there is some sort of privacy policy linked within an app that launches out to Chrome, or an in app webview with an editable URL bar. A classic example of this is the stock Calculator app. We provided end users access to this app for legitimate business reasons until we figured out they were accessing the privacy policy which was linking them out to Chrome which led them to get out to the internet. Ironically it was therefore Google itself making our devices more insecure and vulnerable to attack. Why a calculator needs a privacy policy is beyond me.
Either way, I have dealt with countless weekly incidents of end users abusing their devices and working around restrictions. Far far more issues than the ones people seem to pay more attention to. The calls are coming from inside the house, so to speak.
- Emilie_B (Google Community Manager), 3 months ago
Thanks for sharing your insights, mattdermody
It was a very interesting read - I was expecting that the end users would be the human error factor but not in the way you mentioned, where they are actively trying to bypass lockdowns to access websites, settings and apps they shouldn’t.
Where do you think they gain this knowledge? How do you manage these incidents?
I enjoyed the urban legend reference, by the way :)