Ask an IT person what the weakest link in their organization’s security is, and you’ll invariably get a witty take on the same derisive answer: “Meatware.” “Our walking, talking vulnerabilities.” “PEBKAC” (problem exists between keyboard and chair).
In short, they point the finger at users. In part because, for the majority of successful breaches, the common entry point typically is a user. But another reason is that despite all the security tools and policies IT departments have in place, users will always be a wildcard — the one thing they can never fully control.
It’s easy to understand the frustration. Over the past 20 years, the topic of cybersecurity has become a public discussion. Most users have become more exposed and sensitized to the risk, and have some amount of awareness training. Still, the Identity Theft Resource Center describes a 40% rise in breaches in 2016, and the Ponemon Institute and Experian have highlighted continuing organizational concerns around the exploitability of users.
Is the appropriate response to blame the victim when increasingly sophisticated attacks and the rise in credential thefts are making any user’s goal of protecting themselves much more difficult? Or should the security community, instead, be providing them with better information and defenses, including a more complete view of the criminal tactics involved?
In this two part series, I’ll start by detailing some recommendations to create more aware users, who may even become just a little more paranoid about these risks. In Part 2, I’ll describe new tactics criminals are using to launch newer and more sophisticated link-based attacks against users, and offer further suggestions for how we can help users by equipping them not just with information, but with technology.
Phishing Has Evolved: Helping Users Avoid Socially-Informed Attacks
In its early forms, phishing was used as a means to deliver malicious payloads directly to the desktops users, with the expectation that the unwary would click to open malicious PDFs, images, documents, or disguised executables. The messages were generic and came from dubious sources, so users were taught to ignore attachments from sources they didn’t recognize. As this started to impact phishing success rates, better informed campaigns developed.
To improve their chances, attackers have adopted more tactics that make it difficult for victims to differentiate between legitimate and malicious messages. Not only do they hide malicious links in what appears to be safe attachments, they also mine social media profiles and contact lists to make their emails look like they’re coming from someone the victim knows and trusts.
The new methods are working. According to Wombat Security’s State of the Phish report, phishing emails personalized with the recipient’s first name had click rates 19 percent higher than those with no personalization.
Users can’t be expected to keep up to speed with the traps that are being set for them without some help.
To protect themselves, users need to know that these new risks exist, and security professionals should add two talking points to their awareness arsenal:
1. Never respond to connection requests that arrive in email - When someone attempts to connect, go to the actual site or application and look for the invitation before considering accepting. As an example, it is a very simple matter to create a forged LinkedIn request that looks very much like the real thing, but to use the links to direct victims to malware sites instead, without ever involving the real LinkedIn.
LinkedIn has a support page that provides some guidance on recognizing a real invitation. I regularly speak to audiences where some large minority hasn’t considered that these kinds of invitations may be illegitimate.
2. Be prudent in your connections - This is both a personal and a community responsibility. Users should not connect to people with whom they have no association or personal contact. Doing so does more than jeopardize their own security, it adds their imprimatur to the authenticity of the connecting individual, who may well be malicious.
There was an enlightening and well-documented exercise of this delivered by security researcher Thomas Ryan at DefCon USA 2010, titled “Getting in Bed with Robin Sage”. In it, Ryan created a fictitious security analyst who managed to connect to hundreds of individuals, including “executives at government entities such as the NSA, DOD and Military Intelligence groups.” A similar operation, but not officially disclosed or documented, was allegedly conducted by British GCHQ, according to der Spiegel reporting in 2013. Users should also be encouraged to regularly review their existing connections, pruning out any that appear to be fake.
These well-established attacks continue to succeed among our users, for all of the reasons described. In this first installment we have begun to help the users help themselves. In Part 2, we’ll look at ways that the threats are advancing and technical means through which security teams can support their users and reduce the amount of blame to go around.