
A very good morning, good afternoon, good evening, wherever you are. My name is Dr June Jeremiah, current CISO at MCS Security Solution, an industry leader in vulnerability assessment and penetration testing based in Botswana, Africa. My topic for today will be human vulnerability management and assessment in the age of zero trust. Before I proceed with my presentation for today, I would like to take this time to thank the audience, and to thank the BSides conference organizers for giving me the opportunity to present and share my knowledge to secure our cyberspace.

Before we start the presentation, let us look at the contents for today. Today we'll understand what human vulnerability is and what impact it has on information security. We'll also look at how to address human vulnerability, and we'll look at the types of threats that are used by malicious hackers to target employees within organizations. We'll understand employee vulnerability assessment in depth, and we'll look at the defenses and countermeasures that can be implemented to combat social engineering attacks.

Let us look at the first part, which is: what is human vulnerability? We understand a vulnerability is any weakness that can be exploited by a malicious hacker to gain access to a system or to sensitive information, and we also understand that human beings are the weakest link in the cyber security chain. Therefore human vulnerability entails all the weaknesses and mistakes that humans introduce while handling data and while surfing the internet. All of these can be referred to as human vulnerability.

We'll look at how dangerous human mistakes are for your cyber security. First of all, you need to understand that you need to treat the employees within your organization like kids, because employees are just human beings, and as human beings we are prone to make mistakes and to be careless or even ignorant about some of the things in our lives. We understand that the mistakes employees make within their organization can cost you a lot of money. A lot of organizations are investing in cyber security, using different technologies as defense mechanisms to combat rising cyber threats. However, malicious hackers are finding it easy to access the most crucial assets within networks by bypassing all of this through exploiting the human beings, because as human beings we are less aware and less trained on cyber threats, and so on. Most companies are failing to implement a cyber security training program just for new recruits, the new staff within the organization. We can see that it costs about 3.5 million, which is the average total cost to remedy any data breach that was caused by human error; we'll see that about 133 dollars is the average per-record cost of a breach caused by human error; and it takes about 242 days for any IT manager to identify a data breach or to resolve that data breach within the network. Therefore mistakes are continuous, they are going to continue within the network, so it is always important for us to be aware, to understand the threats we are facing, and to understand how we can safeguard the information we are handling to perform our daily tasks within corporate networks.

So we'll look at the next part, which is how to address human vulnerability within organizations. The answer to this is that there is no single best solution that you can implement in your network and be completely protected. That is why it is always necessary to have continuous cyber security training programs, to ensure that staff are empowered and aware of any threat in cyberspace: this could be a zero-day exploit, this could be any new attack vector being used by malicious hackers to gain access to networks. We also need to understand that any solution we implement within the organization needs to be holistic and balanced, balanced between the people, the process and the technology. So the best way to address human vulnerability is to combine people, process and technology together to come up with a secure, strong defense mechanism to protect information within organizations. It is necessary, and good practice, for top management to always consider balancing people, process and technology together. Most of the time, most companies are investing heavily in technology, buying artificial intelligence or machine learning technologies to detect and monitor cyber threats. These are very good mechanisms to protect the network; however, what of the people who are handling your data on a regular basis to perform the daily tasks of the business operation? Are they aware of the threats? Are they equipped with enough skills? Are they given the right authority, and are they using the right authentication measures to access data? And how is the physical security of the organization? So it is very crucial for us to understand PPT in terms of cyber security. We need to ensure that we don't only invest in technology, because technology does not use itself; it is empowered by human beings. We are the ones who use technology, so if we are not able to use technology in the right way, we might expose sensitive data or even give malicious hackers access to the networks without our knowledge. So it's very important that our organizations should start to
consider the implementation of PPT when they are thinking of any solution to implement to protect their data.

Let us look at the next part, which is the types of threats targeting organizations' employees. We have a lot of attacks surfacing now and then, and most of those targeting employees are taking advantage of the email application. Most businesses are communicating using email as the basic medium for business matters, or even for their regular operations within the organization. Therefore malicious hackers are taking advantage of these applications to manipulate users into performing tasks that are malicious, tasks they did not intend to do, in order to gain access to systems, to harvest passwords, and to compromise systems without the knowledge of the user. So we understand that we have malware programs, malicious programs: these are software that can harm a computer. This could be a trojan, this could be ransomware, and many other remote access control tools. We also have what we call phishing attacks, which are now becoming common in the pandemic; we have seen a rise in phishing attacks because they are taking advantage of the pandemic itself. We also have password attacks, and we have denial of service attacks, as well as man-in-the-middle attacks, which are now surfacing mostly through email. The new attack is called business email compromise, which is one of the worst attacks, causing huge financial damage to different countries' economies, because attackers are using this method to convince our people to perform transactions or to reveal sensitive information that they are not supposed to have access to. So all these kinds of attacks are targeting the employees, and the employees within the organization need to be trained to identify such attacks, so they can stop the attack before they act or do anything that could compromise the digital assets or digital infrastructure of the company or the organization. We also have drive-by downloads, we have malvertising, and we have rogue software as well. So all these are some of the attacks that we need to look into, and our staff, our employees, need to understand all the types of attacks: how these attacks might target them, how these attacks come into their email applications on a regular basis, and how to stop them, how to spot them, and how to report them to the IT managers. Most of the time the biggest issue is that most employees are getting bogus links in their email on a regular basis, but they are failing to report these kinds of attacks on them to management or the IT manager, so that the organization's infrastructure can be safeguarded from these attacks in the future. So most people are failing to report, most people are not empowered, they don't know what they are doing; most people lack the knowledge, and most people are just being ignorant. As it is, we are human beings, and all these are some of the characteristics that we have: we tend to forget, we tend to make mistakes, which is normal. So we need to empower ourselves to be prepared to be our first line of defense to protect our digital assets.

This can be done through employee vulnerability assessment, which is one of the best assessments to conduct in your organization to ensure that the workforce itself is prepared, is cyber-ready, to take on any cyber threat and protect the organization's information. We understand that employee vulnerability assessment will enable us to analyze the human risk within the organization, to empower the workforce, and also to secure the business itself. By analyzing the human risk with employee vulnerability assessment (most of these solutions come as a cloud service) you are able to generate reports, to monitor the progress of your staff, to analyze who is at risk within your workforce, to understand who requires more training, and to understand who is more secure, who understands cyber security and the threats more within the organization. All this comes with employee vulnerability assessment, because by performing employee vulnerability assessment we are able to get insight into the security strength of the workforce itself, through Employee Secure Score reports or employee risk assessments, which combine a multitude of metrics to transform end-user security education into an analytics engine. So we are going to use all the data we can get from our workforce and understand their patterns of behavior when it comes to how they are managing threats coming into their emails, or how they manage the data that they are handling, the data at hand. All these are some of the benefits of performing employee vulnerability assessment within the network, or within the staff members. We understand that keeping the business safe requires the help of knowledgeable employees; that means they need more than just annual training. Most organizations are only performing cyber security training once in a while. Cyber training should be done on a weekly basis. It's an ongoing process which we must perform on a regular basis to understand the security posture of the people who are handling the data within the organization, which is the employees. So we need to ensure that on a regular basis the employees are monitored, they are examined, and you ensure they are empowered with the technology you have, to understand the threats they are exposed to, to understand all that they are required to do, the policies they are supposed to follow, and so on. All this will be generated in a report that is easy for top management to understand, and to come up with remedy solutions on how to mitigate social engineering attacks. We can also look at the fact that EVA, which is employee vulnerability assessment, highlights the importance of dark web monitoring,
simulated phishing, and also vital education to improve employee cyber security awareness. When we are talking of dark web monitoring: the dark web is the database that is holding a lot of information. Only about four percent is on the surface, such as Google, such as Yahoo, Bing and so on; this is the information that is on the surface for us as users. But when we look into the deep web itself, this is the indexed information that carries sensitive information, and it is also where most of the information that hackers or malicious attackers sell is sold, in dark web markets and so on. So it's necessary to have a tool or a solution that will monitor or crawl through the dark web and see what kind of information from my organization has been leaked, and what kind of information regarding my employees is in there in the dark web. All this kind of information can be used to come up with new security measures to protect the information, because we'll understand that there is a data leakage and the information is being sold in the dark market. We can also perform simulated phishing attacks, whereby we impersonate attackers and attack our employees to check where they stand: do they understand phishing attacks, can they spot a phishing attack when it comes into their inboxes, can they stop it, or will they fall prey to such attacks? For those who fall prey, you will understand that you need to do more training for them, you need to empower them so that they can perform better and keep your digital assets safe.

So it's very important for us to understand that employees in general are not really the weakest link in this cyberspace we are living in, the internet of things. It is very difficult for any technology; we see big companies such as Apple, such as Google, such as Sony being compromised by malicious hackers bypassing all the technology, bypassing all the security mechanisms they are using from different technologies. All these kinds of technologies hackers are able to bypass, and compromise and take advantage of employees by manipulating them, by tricking them to reveal sensitive information. So we can understand that if hackers are now taking advantage of employees, we can now change or transform our employees, our staff, to become our first line of defense, because they are the ones who are being targeted first by malicious hackers. Nowadays hackers don't spend most of their time targeting an organization by trying to compromise unpatched vulnerabilities or misconfigurations in the network, because it's a lot of work for them. The more technology is growing, the easier it is becoming for malicious hackers to come up with new attack vectors that can easily trick users into revealing sensitive information. So we understand that in this situation simulated phishing attacks will come to help us in terms of understanding the threat landscape and also raising awareness among users. So we have to make sure that our employees are our first line of defense, and we don't consider them the weakest link in cyber security. We can transform that and make a change so that employees will now be recognized as one of the first lines of defense. This is very important for us to be able to secure our digital information.

Let us look at the next part. We can see that through employee vulnerability assessment, organizations are able to demonstrate how well the employees are complying with the procedures and the process. The procedures and the process, as I mentioned at the beginning of the training on how to address human vulnerability: we need to balance between the process, the people and the technology. So if we do employee vulnerability assessment on a regular basis, we'll be able to identify and see: are the employees within my organization following the right procedures, are the employees within my organization following the right process to perform their daily tasks? We can also validate the current training methodology: is the training methodology I'm giving my employees empowering them to do better, is it tiring to do, is it easy to understand? Because what is important is to get the message across, and once the message is processed well, it will be hard for an employee to make mistakes on a regular basis. So we need to improve training in such a way that it is performed, maybe, through a cloud service, whereby it is an automated, ongoing training program in which users can always check their progress, see their report, understand their security exposure, and know where they stand when it comes to protecting the digital assets within the network. We can also test incident detection; we can also do reporting and response, and implement a response mechanism within the organization, because we already know where the problem is, so it will be easy for us to come up with the response mechanism: does this employee need training, does this employee need further training on cyber security, or does this employee's email account or email address need to be changed? Also, has it been compromised before, has the information of this email address been leaked before in the dark web? All this will help us to protect our information more and more; we will be able to do more and more for the security of our information. We can also provide valuable data that can be incorporated into an ongoing security awareness program. So once we do EVA, organizations will be able to gather all the valuable information that can be used to perform ongoing training to improve the security of the organization. So employee vulnerability assessment is very crucial, because most companies are failing to invest in training programs, which is one of the cheapest measures to protect your digital infrastructure. They are failing to invest in the cheaper space to protect their information; they invest heavily in high-technology security defense mechanisms, which most of the time hackers find means to bypass by compromising the employees. So we need to prepare our employees, our staff, in terms of being cyber-ready, being cyber-prepared, and also practicing good cyber hygiene.

So we'll look at the next part, which is the defense mechanisms and countermeasures. But before I go into the defenses and countermeasures, let us look at a demonstration of one of the cyber threats, and explain in depth how employee vulnerability assessment could be performed, maybe through a simulated spear phishing attack, to help employees understand the threats that they are exposed to. So
let us just look at the demonstration itself. I'll just quickly log into my account here, then we can proceed with the testing and the demonstration on phishing attacks, and see how it works and how we can assist employees to understand this kind of threat and how to avoid it occurring in the future. So let me just log in to my account, then we can do the demo. All right, okay, here I'm logged in. Here I'm going to use a simple tool in Kali Linux, which is SET, the Social-Engineer Toolkit, that we can use to create a fake website, or to create fake malicious PDF programs and embed them with an executable (EXE) file, so that once we send it to the user we can compromise that machine and gain access to it; or we can use a bogus link that we send to the user to force the user to reveal sensitive information. In this case we'll do some of the setup. We just choose number one, which is Social-Engineering Attacks. Then, which form of attack do we want to do? We want to do an attack by creating a fake malicious web form that a user will have to log in to and then reveal sensitive information. So we choose number two, which is Website Attack Vectors. Then, what are we trying to do here? We want to harvest the credentials, the login email and password, for a particular application; it could be a bank, it could be a social media network, a website, and so on. So we select number three, because we want to harvest their credentials. Then it asks what you are trying to do, whether you want to use a web template or the site cloner. We just want to clone the website, so let's just select that, and here we put the IP address of my server, which would be 168 ... 135.128; this is where my back-end control is. Then we can enter the URL that we want to clone. Let's say right now we want to clone facebook.com, so we just type www.facebook.com and press enter, and it has already cloned the website for us.

So what will happen is, let's say now we entice the user: we send him a fake message that appears to be coming from Facebook, and we want the user to give us access to their email and password, and then we can gain access to the social media account. So what we are going to do is go to our browser here, and I'll log in here as test@mcscybersecurity.com. What we are going to do is set up a simple spear phishing email attack so that we can entice the user to reveal sensitive information to us. So let us just log in to my test email at mcscybersecurity.com. Once I'm logged in, we'll do the presentation of the fake login page, how we can spot such attacks, and how we can perform this in an employee vulnerability assessment. We are now logged in to our test mailbox, so let's just go to send. Here I'll just use a temp email, a temporary email, to send the email as if it's from Facebook, because we are trying to entice the user to feel that this email is legitimate and that they can trust and believe it, because those are the weaknesses that we have: we easily trust when we are online, we easily reveal information, and we easily just believe that this email is trusted, and then we give access to the hacker. So in this situation the email is already composed here, so I'm going to send this email. As you can see from the sent message where I'm highlighting, I have spoofed an email that looks like Facebook, where the email is coming from billing@facebook.com, but if you look at it, I just omitted the zero, so it looks like facebook.com. So hackers will trick you by different means so that you believe and you trust, so that they can gain access to your information. So it's important for a user: if he is on an employee vulnerability assessment program, they will be able to identify all this, like the sender's email, and they will be able to identify whether the link they are sent to is bogus or not.

So we can see here we can just paste the email address we want to send to, then I click send. Once I click send, yes, it's sending, and we can see that we receive the email here. The email is coming from Facebook, and it's a receipt for Jeremiah June on the account, for a payment of fourteen dollars for an ongoing advert that I posted on Facebook. You can see that here we have something that attracts the user, like "See the full receipt". If I click here, "See the full receipt", you can see it has taken me to a Facebook login page. So I can just log in and say jeremiah@123yeah.com, then for the password we can put 123456, then we click Login. Once we log in, we can see that we have been redirected to the original Facebook login page. So we have tricked the user. If it's someone who is not aware, they will click and believe that the link is coming from Facebook: you are expecting such an email from Facebook, you get those emails on a regular basis, and then all of a sudden you get the same email, appearing to come from Facebook, with all the details, all the design, the templates; everything looks the same as the original emails you normally get from Facebook. So once you have logged in, you have not realized that you have actually given the hacker access to your Facebook account. We can see here we have tried to harvest the username and password, so let's see if we have managed to harvest them. You can see here, where I'm highlighting, I've managed to get the password (123...) and the email address, as I keyed them in, in the URL here. So the point of this demonstration is as a proof of point that the more you train your employees, the more they can be your defense in
identifying high-tech attacks that are crafted by malicious hackers. Remember, malicious hackers are smart; all they are doing is trying to trick you into revealing that sensitive information. And we all know that, for a malicious hacker to be considered a good hacker, you are supposed to be good with social engineering skills, so most hackers master social engineering skills because they know that it is the easy way to compromise the systems within the network. With that said, this attack was a phishing attack: we crafted an email that looks exactly like it's from Facebook, we enticed the user to receive the email, and even when you look at the email it says it's coming from Facebook, billing.facebook.com; but if a user is not educated, or a user is ignorant, they will not be able to identify that the spelling of the domain facebook is not correct, and therefore that this email is not legitimate. So the more we train our staff, the better we are able to protect the digital information, so it is important for us to conduct employee vulnerability assessment. For instance, if we send this as a phishing email targeting our employees, we will understand that one of the employees is still lagging in identifying the difference between a phishing email and a legitimate email, because the person might be falling for that attack several times; then you know there's room for improving that employee, to make him better, to be one of the best defense mechanisms you can have in the network. So our employees, our assets, are supposed to be used to secure our digital infrastructure, and the more we perform vulnerability assessment on the employees themselves, the more we can build a cyber defense around our network devices, around our corporate network, and so on.

So we'll look at the last part of the slide, which is the countermeasures to protect us against social engineering attacks. We can see that if we have properly written security policies, it will be easy for us to monitor the employees: are they able to comply with the regulations or the policies that you have set in the organization? If you have clear policies, employees will be able to follow these policies easily. Then we have simulated phishing attacks, whereby we can just do the attack like the one I demonstrated, and then we can identify who among the employees is falling prey to such attacks. All this will be good for improving our employees' preparation in terms of cyber threats. Then we have advanced email security solutions. We understand that most of these attacks are coming through email, so we should implement advanced email security solutions such that we can avoid the advanced persistent threats that keep coming through emails, bypassing the high-tech security mechanisms that could be implemented within the network. And we can have weekly micro cyber security training programs to ensure that our staff are prepared at all times, because most of the time different attacks are faced with different exploits, for example zero-day exploits; if employees are not aware of such things, they will still fall prey to those attacks. So it's best to always engage them on what is happening around them, what is new in terms of the attacks that are now targeting organizations, and so on. We'll also look at dark web data monitoring: crawling the dark web and seeing which information from my organization is leaked into the dark web markets, and so on. And then we can have monthly newsletters on cyber security awareness, just to empower the workforce so that they are prepared and ready for any attack that may be targeting them. So it is very important that we understand we can test the weakness of our employees, improve it, and transform the workforce to become our first line of defense.

With that said, I'll finish my presentation here. If there are any questions, please feel free to ask, and these are my contact details. I would like to say thank you guys so much for attending, and thank you BSides for giving me the chance to present. I hope all the information I've shared should be able to help in improving the security of our cyberspace. So thank you guys, thank you so much.
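Editor's added example, not part of the talk above and not taken from SET or any product the speaker mentions. The demo relied on two indicators that an employee on a simulated-phishing programme is trained to spot by eye: a sender domain that imitates a legitimate brand by dropping or substituting a character, and a "See the full receipt" link whose host is not the brand's domain (in the demo, the raw IP running the cloned login page). The script below automates both checks on a constructed message. The two sample emails, the allow-list of genuine domains and the IP 203.0.113.5 are all constructed for this example; it generalizes the single omitted letter from the demo to homoglyph substitutions such as 0 for o and rn for m.

```python
"""Lookalike-sender and link-host checks for a simulated phishing email.

Added example for this page; not code from the talk or any product it
mentions. All sample messages, domains and addresses are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumption: the brand's genuine sending and link domains (a constructed
# allow-list; a real deployment loads one per brand the staff expect mail from).
LEGIT_DOMAINS: Set[str] = {"facebook.com", "facebookmail.com"}

# Constructed sample shaped like the demo: one-letter-omission sender domain
# and a receipt link to a raw IP, where a cloned login page would listen.
PHISH_SAMPLE = """\
From: Facebook Billing <billing@facebok.com>
To: jeremiah@example.test
Subject: Receipt for your ad payment
Content-Type: text/html

<p>Thank you for your payment of $14.00.</p>
<p><a href="http://203.0.113.5/login.php">See the full receipt</a></p>
"""

# Constructed control sample: genuine sender, on-brand link.
LEGIT_SAMPLE = """\
From: Facebook Billing <billing@facebookmail.com>
To: jeremiah@example.test
Subject: Receipt for your ad payment
Content-Type: text/html

<p><a href="https://www.facebook.com/ads/receipt">See the full receipt</a></p>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions (faceb00k -> facebook, rn -> m)."""
    return (label.lower().replace("0", "o").replace("1", "l")
            .replace("3", "e").replace("rn", "m").replace("vv", "w"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host. Fine for .com; use a public-suffix list for
    ccTLDs such as .co.bw in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str, legit: Set[str] = LEGIT_DOMAINS) -> Optional[str]:
    """Return the genuine domain that `domain` imitates, or None if it is
    genuine or unrelated. Distance <= 2 after homoglyph folding catches
    omitted, swapped and substituted characters (tune for short domains)."""
    d = registrable(domain)
    if d in legit:
        return None
    folded = normalize(d)
    for good in sorted(legit):
        if edit_distance(folded, normalize(good)) <= 2:
            return good
    return None


def analyze(raw: str) -> Dict[str, object]:
    """Run the sender and link checks an employee is trained to do by eye."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    links: List[str] = re.findall(r'href=["\']([^"\']+)["\']', body, re.I)
    findings: List[str] = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} imitates {imitated}")

    for url in links:
        host = urlparse(url).hostname or ""
        if IPV4.fullmatch(host):
            findings.append(f"link goes to a bare IP address: {url}")
        elif lookalike_of(host):
            findings.append(f"link host {host} imitates {lookalike_of(host)}")
        elif registrable(host) not in LEGIT_DOMAINS:
            # A brand receipt should only link to the brand's own domains.
            findings.append(f"link host {host} is off-brand: {url}")

    return {"sender_domain": sender_domain, "links": links,
            "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyze(sample))
```

Running it prints a "suspicious" verdict for the constructed phish (lookalike sender plus bare-IP link) and "no indicators" for the control message. The same two checks are what a mail gateway rule or a phishing-report triage script would apply; the allow-list is the part that has to be maintained per brand, and the edit-distance threshold should be tightened for short domains, where two edits can reach an unrelated name.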