Stop Blaming the End User for Security Risk:
It's common among cybersecurity professionals to point to the end user as a top area of risk in securing the organization. This is understandable. Systems and software are under our control, but users are unpredictable, that unruly variable that expands our threat surface to each geographically dispersed user, personal device, and all-too-human foibles and flaws.
Certainly, threat actors target our users quite successfully — I'm not here to dismiss this obvious truth. But what is equally certain is this: We cannot train our way out of this problem. Enterprises pour significant investments into user security-awareness training, and still, they suffer embarrassing, costly breaches. So, focusing primarily on securing the end user isn't a sound strategy.
Fact: your users are a major risk factor. According to Verizon's "2022 Data Breach Investigations Report," 35% of ransomware infections began with a phishing email. Fact: This is despite escalating investments in security-awareness training over many years. The cybersecurity awareness training market is projected to grow from $1,854.9 million in 2022 to $12,140 million by 2027. Fact: Even with all these investments, ransomware (just as one attack type) is also expected to grow aggressively, despite many organizational efforts, including training.
Sad, unavoidable fact: Our users are still going to make mistakes — we're all human, after all. A survey conducted to prove the need for more security training, in my view, proved its inability to stop the cyber crisis: Four out of five surveyed had received security awareness training; between 26% and 44% (based on age demographic) continued to click on links and attachments from unknown senders anyway.
We should conclude that organizational security must not rely heavily on securing the user, that they will be compromised, and then begin securing systems with this assumption in mind. Thus, even if an end user is breached, the amount of systemic damage that's done by that compromise shouldn't be large if proper security measures are employed and orchestrated correctly.
Should we be training our end users? Absolutely, emphatically, yes. Strong security requires a layered approach, and that means buttressing your security by securing every doorway to your systems. But we must start removing end-user risk from the equation. This requires some difficult choices and significant leadership buy-in to these choices.
[...] One thing is certain: No matter how much training we provide, users will always be fallible. It's essential to minimize users' options to click in the first place, and then ensure that, when they do, there are controls in place to disrupt the progression of the attack.
(Score: 5, Insightful) by jb on Friday March 31, @05:41AM (5 children)
Question: how many of those organisations were forcing their staff to use the world's least secure mail client? You know, the one that (leaving aside all of its many more technical defects, just looking at its UI defects for the time being) goes out of its way to present mail to recipients in such a way as to make it ridiculously easy for attackers to make a bogus message look like a legit one...
Yes, users need to be vigilant. But they also need to be given the right tools for the job. If an employer wants to reduce the incidence of staff getting scammed by email, then "LookOut!" (or its even less usable web-based counterpart) is absolutely the wrong tool with which to be reading email.
(Score: 1, Insightful) by Anonymous Coward on Friday March 31, @05:57AM (1 child)
Their quarantine stuff is terrible too - it lets phishing crap through but blocks emails that are clearly part of existing email conversations (you don't even need a retarded AI to figure out whether an email is part of an existing conversation and from already known senders).
(Score: 2) by legont on Saturday April 01, @03:47AM
Screw the Microsoft. My *bank* sends me spam with links to shit domains that they created which are asking for credentials. Totally legitimate ones.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Friday March 31, @11:04AM (2 children)
I think I just avoided getting phished -- three emails came into my Gmail account that looked very official from a well known credit card company, including the sender's address, which Gmail will show with a mouseover in the Inbox display:
* We've updated your email based on your recent web visit (I hadn't visited their website)
* ... updated your phone number ... (ditto, haven't done that either)
Then an hour later,
* We've detected a new web access to your account from a new device, if this was you, you don't need to do anything. If this wasn't you, click the link below to report it.
I didn't think that I had any business with that credit card company, so I called them (got their phone number from a web search). Turns out that I have a joint card with them, primary is my SO...but I've never used that card or even authorized it (most recent physical card is still in a filing cabinet folder).
Talked with my SO, she hasn't used that card in years either, it's a backup that offered a good exchange rate for foreign currency purchases.
Called credit card company back and talked to the fraud department this time. As I suspected, I'd never given them my email address, so there was no way those three emails could be legit.
(Score: 0) by Anonymous Coward on Friday March 31, @12:11PM (1 child)
You give your email to the credit company and the bank? Why? They don't need that. This is how I don't even have to think about it when I get those emails. They are all fake. Cause my real bank doesn't know how to get in touch with me except by phone and or snail mail.
(Score: 0) by Anonymous Coward on Friday March 31, @03:47PM
> You give your email to the credit company and the bank?
GP here:
Generally no, I'm with you--snail mail, paper statements, and phone number only. But there have been a few exceptions when I was working with an officer at a local bank branch and email was a convenient way to communicate.
Since my prior activity with the suspect credit card was like 10 years ago, I just didn't remember if there had been any reason to give them an email back then. And, happy ending, it turned out that they didn't have an email for me (and I didn't give them one now either).
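Both jb's point (a client that makes a bogus message look legitimate) and the story above (a lure that survived a glance at the sender address) come down to checks that a mail gateway or client can run for the user instead of hoping the user runs them in their head. The following is an added example, not code from the article or from any commenter: a small Python triage routine that flags the four signals the thread touches on (an address hidden in the display name, a Reply-To pointing elsewhere, no passing SPF/DKIM/DMARC verdict, and links outside the sender's domain). The two sample messages are constructed for the example and the domain names in them are invented.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first imitates the
# "new web access to your account" lure described in the thread.
SAMPLE_PHISH = """\
From: "Big Card Co security@bigcardco.example" <alerts@bigcardco-notify.click>
Reply-To: support@mailbox-relay.example
To: victim@example.net
Subject: We've detected a new web access to your account
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bigcardco-notify.click; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>If this wasn't you, <a href="https://bigcardco.example.verify-login.click/report">report it</a>.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@examplebank.example>
To: victim@example.net
Subject: Your statement is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.example/">www.examplebank.example</a> to view it.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable(host):
    """Crude 'organisational domain': the last two labels. Real code should
    use the Public Suffix List (co.uk, com.au, ...); two labels suffice here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]

    # 1. An e-mail address written into the display name that is not the
    #    real sender: clients that show only the display name hide this.
    m = re.search(r"[\w.+-]+@[\w.-]+", display)
    if m and m.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")

    # 2. Replies silently routed to a different organisation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable(reply_to.rpartition("@")[2]) != registrable(from_domain):
        findings.append("reply-to-domain-mismatch")

    # 3. No passing SPF/DKIM/DMARC verdict. Only trust this header when your
    #    own MX wrote it (check the authserv-id, here "mx.example.net");
    #    an attacker can inject a fake one upstream.
    auth = msg.get("Authentication-Results", "")
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if "pass" not in verdicts.values():
        findings.append("no-auth-pass")

    # 4. Any link whose host is outside the sender's organisational domain.
    body = msg.get_payload(decode=True) or b""
    collector = _LinkCollector()
    collector.feed(body.decode("utf-8", "replace"))
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if host and registrable(host) != registrable(from_domain):
            findings.append("link-domain-mismatch")
            break

    return findings


if __name__ == "__main__":
    print("phish:", analyze(SAMPLE_PHISH))
    print("legit:", analyze(SAMPLE_LEGIT))
```

Any non-empty result is grounds to quarantine or at least to strip the links before delivery, which is the kind of control the article calls for: it works whether or not the recipient would have noticed. The two-label domain heuristic and the trust placed in Authentication-Results are the two places a real deployment needs more care than this example takes.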
(Score: 2) by canopic jug on Friday March 31, @05:51AM (3 children)
What is that, a trap? The link tries to pull in javascripts from at least 10 domains on the first pass. Turning on javascripts for the hosting domain doesn't cause the text to render. Hard pass on turning on more. There's no telling what they will be doing and are completely unnecessary anyway if the goal is to show text. If the goal is something else then I want no part of it.
Is there an alternative link for the same material? It is important that people stop blaming the victims for m$ shortcomings. The end users are, after all, only using the computer as advertised: clicking on links, trading documents, and reading e-mail with maybe the occasional text or voice chat thrown in. If a product line is unfit for purpose, we need to bring that fact back into public awareness and get those products off the market and kill that company off with heavy fines and jail for the execs.
Money is not free speech. Elections should not be auctions.
(Score: 3, Informative) by janrinok on Friday March 31, @06:57AM (1 child)
We do try to find 'clean' site links but it is a fact of internet life nowadays that many sites require javascript just to display on the screen. There are several bots that are in use that strip out such code but the end result is often that they find nothing of the story at all and we have to revert to manual methods.
We cannot publish the entire story - that would be a clear breach of the 'fair use' doctrine. We try to select the salient points for the summary but that then leaves it up to the reader to decide whether or not to click the links.
There is one site that actually has several non-displaying paragraphs of different trackers in every story. Fortunately, they are easily spotted by an editor and quickly removed. If they ever start burying them in random places the source will probably become unusable by sites such as ours.
(Score: 2) by canopic jug on Friday March 31, @08:29AM
Fair enough. I guess some of us will do without. Darkreading's topics tend not to turn up elsewhere.
Money is not free speech. Elections should not be auctions.
(Score: 2, Informative) by Anonymous Coward on Friday March 31, @08:40AM
Protip: use a browser with no javascript support at all for those troublesome sites. The site renders just fine in dillo and links. Alternatively, if it's popular enough, just prepend archive.ph/.
(Score: 5, Interesting) by mhajicek on Friday March 31, @06:37AM (3 children)
Last employer, the CEO got his email account compromised twice, and then his successor did it once, all in a two year span. Those were the only people in the company who did.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 3, Insightful) by Opportunist on Friday March 31, @11:56AM (2 children)
If "rules apply to the peons, not the king" is what runs a company, it's time to move on to one that will last longer.
(Score: 0) by Anonymous Coward on Friday March 31, @05:51PM (1 child)
To be fair, there are rule makers and rule followers in any organization. It's a perk of climbing the ladder that you make rules that others are obliged to follow - a source of narcissistic supply, if you will. The CEO having ~~sucked enough dick~~ ~~inherited~~ risen to the top of the ladder does not follow rules made by those lower in the hierarchy. It is the natural order of things.
(Score: 2) by Opportunist on Saturday April 01, @03:19PM
Not in companies where I'm responsible for security.
(Score: 4, Insightful) by looorg on Friday March 31, @07:00AM
> Systems and software are under our control,
Really? Here install this more or less black magic box in your network, install some drivers and you are good to go. How is that under the user's control? Their options are as limited as the EULAs they come with. Accept it or don't use it. There is no in between here, it's very binary. They are clearly trying to pass the responsibility of their shoddy work onto the users -- we made it, at minimum specs, by the lowest bidders or components and now it's all your responsibility -- we might patch things if we can if we must. But it's totally yours now ... enjoy.
Yes users are very unpredictable and do the weirdest things all the time. But they can't or shouldn't be held responsible for the poor security of developers and their products. The users will click on attachments and things that they have no idea about, they'll pick the worst passwords and let's just conclude that their security thinking is subpar. It's been like that forever and it will be like that forever. So in some regard developers hoping for something better or trying to pass the blame buck around are just engaging in wishful thinking.
(Score: 2, Funny) by khallow on Friday March 31, @11:55AM (1 child)
There's an obvious solution here just in the title. The title begs the question and assumes the end user is necessary. Get rid of the end user and you don't have a security risk! Hmmm, you don't even need a sloppy, insecure system at all once you've taken care of the end user. You can get rid of it all, resulting in perfect security!
I just hope the internet can deliver a genuine, hard problem for us to solve next!
(Score: 3, Insightful) by krishnoid on Sunday April 02, @04:13PM
Or have the actuaries and CIO talk to each other to see what kind of security processes the company needs to put in place and be audited against, to get the maximum discount on their cybersecurity insurance. That's a whole multi-century sector designed around risk mitigation, why try to roll your own?
(Score: 2) by VLM on Friday March 31, @04:01PM (2 children)
The question is who. Who's it more realistic to dump more money into training, in attacks blocked vs $ spent?
Clearly spending more money on dev training and IT personnel training won't help. May as well spend it on security theater for the end users.
If we could wave a magic wand and say "software devs, create no new security related bugs" then we'd have done that a long time ago.
(Score: 0) by Anonymous Coward on Friday March 31, @05:56PM
More security theater it is. 6 passwords, changed weekly, a key pass, finger prints and registration slip signed by 7 supervisors.*
*Unless you're CEO or an executive in which case lol let the plebs worry about that
(Score: 2) by jb on Saturday April 01, @05:07AM
We can. That's what formal verification is for. Only trouble is, when you try to scale it up to anything non-trivial it becomes orders of magnitude more expensive than any other approach to development and of course nobody is willing to pay.
But to achieve acceptable risk (a much lower standard than "proven correct" to be sure, but also a *hugely* higher standard than any current vendor offers) one does not have to go to such extremes. There are many techniques for secure (acceptable risk) approaches to software development that are really quite easy (and nowhere near as labour intensive as formal verification) to follow. But for some reason the "mighty" software houses, with all their "massive resources", seem completely unable to grasp even the simplest of them (despite the fact that much of the free software world has been doing so successfully, for decades).
The real problem of course is that letting accountants or marketers make software engineering decisions (which is how all major vendors are run these days) is about as sensible as letting software engineers perform brain surgery. The only difference is that a competent software engineer understands that he's not a brain surgeon, so wouldn't have the audacity to try in the first place.
(Score: 2) by hendrikboom on Friday March 31, @04:20PM (1 child)
Sad, unavoidable fact: Our system administrators are still going to make mistakes — we're all human, after all.
Sad, unavoidable fact: Our programmers are still going to make mistakes — we're all human, after all.
Sad, unavoidable fact: Our hardware designers are still going to make mistakes — we're all human, after all.
(Score: 0) by Anonymous Coward on Friday March 31, @04:49PM
(Score: 5, Insightful) by istartedi on Friday March 31, @05:17PM (2 children)
I won't believe anybody's serious until HTML email is dead. OK, formatting is not a problem; but you're not serious about security if you send clickable links. Your link may be fine, but the cultural acceptability of the practice is what makes phishing possible. My web client won't show images without permission due to the "web bug" tracker, but that's small potatoes. They really need to treat all links as potentially malicious.
Need a password reset? No link. Code. Go to web site, use code. Need to log in to your broker? Same deal. Also, brokers and even things like California's health care site are using copy-paste code from companies like Twitter and Google, because as we all know tweeting about your health plan is of vital importance (sarcasm).
Ohhh.... but secure communication isn't pretty and convenient. Yeah, having your account raped isn't very convenient either.
I'll believe companies are taking security seriously when these things happen. I'm not holding my breath.
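The "no link, code" reset flow istartedi describes, as an added example in Python. This is not code from the article or from any commenter; the class name, the 8-digit code, the 10-minute lifetime, the 5-attempt limit and the in-memory store are all assumptions made for the example. The e-mail carries only the code and tells the user to open the site themselves; the site never has to accept a clickable token.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 8      # digits: 10**8 possible codes (assumed parameter)
CODE_TTL = 600       # seconds a code stays valid (assumed parameter)
MAX_ATTEMPTS = 5     # wrong guesses before the code is burned (assumed)


class ResetCodeService:
    """Password-reset codes the user types into the site after navigating
    there themselves. In-memory store for illustration only; a deployment
    would keep the same fields in its database."""

    def __init__(self, server_key, clock=time.time):
        self._key = server_key       # secret used to hash stored codes
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # user_id -> [digest, expires_at, attempts]

    def _digest(self, user_id, code):
        # HMAC under a server-side key: a leaked table does not expose codes,
        # and binding user_id stops a code issued to one user working for another.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id):
        """Create a fresh code for user_id, replacing any earlier one.
        The returned string is what goes into the e-mail body as plain text."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._pending[user_id] = [self._digest(user_id, code),
                                  self._clock() + CODE_TTL, 0]
        return code

    def redeem(self, user_id, code):
        """True exactly once, for the right code, before expiry. Success,
        expiry and attempt exhaustion all delete the record, so a code is
        single-use and MAX_ATTEMPTS guesses out of 10**CODE_LENGTH gives an
        attacker roughly a 5e-8 chance per issued code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, _attempts = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        # Constant-time comparison of the two HMACs.
        if hmac.compare_digest(digest, self._digest(user_id, code)):
            del self._pending[user_id]
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[user_id]   # burn the code after too many guesses
        return False


if __name__ == "__main__":
    svc = ResetCodeService(secrets.token_bytes(32))
    code = svc.issue("alice")
    print("e-mail body: Your reset code is", code,
          "- open the site yourself and enter it. We never send links.")
    print("redeem once:", svc.redeem("alice", code), "again:", svc.redeem("alice", code))
```

Two things the class deliberately leaves to the surrounding HTTP layer: the "request a reset" endpoint should answer identically whether or not the account exists, so the flow does not become an account-enumeration oracle, and the redeem endpoint needs per-source rate limiting on top of the per-code attempt counter, since the counter alone does not stop an attacker who requests a new code each time.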
(Score: 2) by legont on Saturday April 01, @04:00AM
Yes, exactly, the issue is they actually train users to accept unsafe practices. All of them, but doctors are the worst.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Saturday April 01, @10:15PM
> Need to log in to your broker? ...
In my case it's an email from SAP Ariba announcing a new purchase order. The email includes a link to the page where I submit invoices to my big customer (Fortune 500 company). I will say that invoice submission through Ariba has generally been pleasantly fast, compared to a previous system that the same F500 company had in-house.
But the Ariba email never seemed all that good to me--I have to keep it around all year (monthly invoices against a year-long purchase order). I've tried saving the link and pasting that into the browser, but that didn't seem to work--maybe there is a date code or something else that changes over time when I click on that link in the email?