Is the “human factor” in security breaches over blown?

Google “breaches and human error” and you’ll be greeted with a seemingly endless list of articles that declare 82%, 88%, and even 95% of breaches are the result of human error. I’ve always been skeptical of these assertions, but a recent article about a VMWare vulnerability got me thinking.

The article in question detailed a VMWare vulnerability that appears to be the source of a number of network compromises. CISA, Department of Homeland Security’s Cybersecurity Infrastructure Security Agency, estimates that over 3,200 servers have been compromised globally as a result of this vulnerability. 

3,200 is a big number, but I’ve personally heard of one reported breach that’s been attributed (by name) to this (the Florida Supreme Court), apparently, ubiquitous vulnerability. One. But then again, silence is golden. From the same article linked here:

“A dozen universities contacted by Reuters, including the Georgia Institute of Technology in Atlanta, Rice University in Houston and institutions of higher learning in Hungary and Slovakia, did not immediately return messages seeking comment.”

Having spent a number of years in this industry, and having read countless articles on high profile (and even not-so-high-profile) breaches, I’ve noticed two common themes: 1) it’s rare for any breach report to include the root cause or initial access vector used by the bad guys, and 2) when it is reported, it’s nearly always attributed to phishing or some other form of “human error.”   

As discussed previously, it’s relatively easy to find analyses that blame the vast majority of breaches on that indispensable (“our employees are our greatest asset”), yet oft-maligned figure in cybersecurity, the human. Misconfigurations (careless humans), phishing (stupid humans), disgruntled employees (bitter humans), social engineering (gullible humans)... these are the breach causes most often enthusiastically offered by organizations that suffer breaches on the rare occasions any initial infiltration source is offered.

But I’m wondering (aloud) if maybe something is missing from the analysis that underpins these stories and studies: are 90% of all breaches the result of phishing? Or, perhaps more credibly, is it that 90% of all breaches for which the initial access vector is disclosed are the result of phishing? 

Think about it. Enterprises might be required to disclose a breach publicly (if data has been compromised), but they’re certainly not required to reveal the cause of the breach. So, when they do decide to do so, voluntarily, is it possible they’re cherry-picking the breaches that deflect blame to the unassailable “human factor”? Are they electing not to disclose those breaches that result from an unpatched vulnerability so old that its “zero-day” status expired when we were all still attending Zoom weddings? The former (dumb employees) is completely understandable and nearly impossible to eliminate… the latter (a two-year-old unpatched vulnerability) is, well, just plain embarrassing.

Among cyber security professionals, it’s generally assumed that the initial access vector for nearly all breaches falls into three categories:

• Stolen credentials
• Unpatched vulnerabilities
• Phishing

The laws of human nature along with those of corporate public relations are immutable. If there’s an opportunity to deflect blame, it’ll be taken advantage of. If an organization has no requirement to admit that they were breached because they didn’t take the proper steps to understand and manage their external credential exposure (there are a number of tools to do so), they won’t. If they’re not required to disclose that they were breached because of an unpatched vulnerability that they’d known about for 6 months (the average to patch is over 7), why would they reveal that? But, companies know they are not held responsible either legally or in the eye of the public if they can point to a careless employee’s click as the reason they exposed a million medical records. So why not admit it?

The numbers just don’t seem to add up. With more than 24 billion sets of stolen credentials available on the dark and public webs, and more than 26,000 new vulnerabilities discovered in 2022 alone, are we to believe that only 10 to 20 percent of all breaches result from that sea of opportunity?

Maybe, but it just doesn’t pass the smell test. I could be wrong, and perhaps I have too much faith in humanity, but I think we’re underestimating both the human race… and the bad guys.