Patching human vulnerabilities

Today’s complex threats

Today’s threat landscape is very complex. Cybercriminals use a wide range of threats to hijack people’s computers and to make money illegally. These threats include Trojans of many different kinds, worms, viruses and exploit code which is designed to enable malware to make use of vulnerabilities in the operating system or applications. Cybercriminals also employ a range of sophisticated techniques to hide malware activity or to make it difficult for anti-virus researchers to find, analyse and detect malicious code.

So it’s easy to see the problem of cybercrime, and solutions to it, purely in technical terms. But I believe it’s also essential to deal with the human aspects of cybercrime.

Notwithstanding the technical sophistication of today’s malware, cybercriminals often try to exploit human weaknesses as a way of spreading their programs. This should come as no surprise. Humans are typically the weakest link in any security system. Securing a house is one example: you can have the finest burglar alarm in the world, but if you don’t set it, then it offers no protection at all. The same is true for online security. Cybercriminals continue to make extensive use of social engineering, i.e. they try and trick people into doing something that undermines their online security.

We see this in the continued success of phishing scams, designed to lure people to a fake web site to disclose their personal information, such as usernames, passwords, PINs and any other information that cybercriminals can use. The classic phishing scam takes the form of a speculative email which is spammed to millions of addresses in the hope that enough people will fall for the scam and click on the link in the email. Such attacks are still conducted on a frequent basis.

However, just like pickpockets, online scammers follow the crowds. Given the ever-increasing number of people who use Facebook, MySpace, LinkedIn, Twitter and other social networking sites, it’s no surprise that cybercriminals are increasingly targeting these services. They may use hacked Facebook accounts to send out messages containing links to malicious programs. Or send out ‘tweets’ containing links, but concealing the real destination by using a URL shortening service. Or they may simply masquerade as a friend stranded in a far-off country who is in desperate need of funds to get home. None of these approaches is specific to social networking: cybercriminals are simply re-applying the scams that have worked for them before.

The popularity of social engineering is also demonstrated by the increase in ‘scareware’ programs. Such scams start with a pop-up message on a web site, which says the computer is infected and you should download a free anti-virus program to remove the malware which has supposedly been found. But when you download and run the program, it tells you that you need the ‘full’ version in order to disinfect your computer – and you have to pay for this. Of course, the cybercriminals potentially win twice with this scam: not only have they taken your money under false pretences, but they also now have your credit card details.

One of the problems with social engineering-based attacks is that they form a moving target: successive scams never look quite the same. This makes it difficult for individuals to know what’s safe and what’s unsafe.

Of course, people aren’t only susceptible due to a lack of awareness. Sometimes the lure of free audio or video content, or naked pictures of the latest celebrity, can entice people into clicking on a link that should simply be ignored. Common sense often suggests that if something seems too good to be true, it probably is. However, the same common sense may not result in the understanding that taking action – in this case, clicking on a link – could be harmful.

Sometimes people cut corners in order to make their lives easier and simply don’t understand the security implications. This is true of passwords, for example. More and more business is being done online: shopping, banking, paying bills, professional networking, etc. It’s not uncommon to have 10, 20 or more online accounts, making it very difficult to remember (or even choose) a unique password for each account. This makes it very tempting to use the same password for each account, or to use something like a child’s name, spouse’s name or place name which has personal significance and is therefore easy to remember. Another common approach is to recycle passwords, perhaps using ‘myname1’, ‘myname2’, ‘myname3’ and so on for successive accounts. Using any of these approaches increases the likelihood of a cybercriminal either guessing the password, or, if one account is compromised, getting easy access to other accounts. However, this risk isn’t obvious to non-technical staff or to members of the general public. And even when they’re made aware of the potential danger, they don’t see a feasible alternative, since they can’t possibly remember 10, 20 or more passwords.

There is a solution to the password problem. Instead of trying to remember individual passwords, start with a fixed component and then apply a simple scrambling formula. Here’s an example: start with the name of the online resource, let’s say ‘mybank’. Then apply the formula:

  1. Capitalize the fourth character.
  2. Move the second last character to the front.
  3. Add a chosen number after the second character.
  4. Add a chosen non-alphanumeric character to the end.

This would give a password of ‘n1mybAk;’. Using this method gives a unique password for each online account by following the same four steps each time.
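The four-step formula above as runnable code. This is an added example, not code from the article; it assumes the site name is lower-cased first, and that the chosen number is placed so that it becomes the second character of the result, which is the placement the page’s own result ‘n1mybAk;’ shows.

```python
def scramble(site_name: str, number: str = "1", symbol: str = ";") -> str:
    """Derive a per-site password from a site name using the four-step formula.

    The number and symbol are the user's fixed, private choices; the page's
    worked example uses "1" and ";".
    """
    if len(site_name) < 4:
        # Step 1 needs a fourth character and step 2 needs a second-last one,
        # so names shorter than four characters cannot be scrambled.
        raise ValueError("site name must be at least four characters long")
    # Assumption: normalise to lower case so the capitalisation in step 1
    # is the only upper-case character in the result.
    chars = list(site_name.lower())
    # Step 1: capitalize the fourth character.
    chars[3] = chars[3].upper()
    # Step 2: move the second-last character to the front.
    chars.insert(0, chars.pop(-2))
    # Step 3: insert the chosen number so it becomes the second character
    # (assumption: this placement reproduces the page's result "n1mybAk;").
    chars.insert(1, number)
    # Step 4: append the chosen non-alphanumeric character.
    chars.append(symbol)
    return "".join(chars)


def derive_all(site_names, number: str = "1", symbol: str = ";") -> dict:
    """Apply the same formula to several sites; returns site name -> password."""
    return {name: scramble(name, number, symbol) for name in site_names}


def all_unique(passwords: dict) -> bool:
    """True when no two sites ended up with the same password."""
    values = list(passwords.values())
    return len(values) == len(set(values))


if __name__ == "__main__":
    # Constructed sample site names, not taken from the article.
    sites = ["mybank", "webmail", "shopping", "social"]
    derived = derive_all(sites)
    for site, password in derived.items():
        print(f"{site:10s} -> {password}")
    print("all unique:", all_unique(derived))
```

Because the site name itself is public, the strength of the result rests entirely on the formula, the number and the symbol staying private.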

What should be done?

Technology, of course, is a core part of any solution for dealing with malware. But I believe it would be unwise to ignore the human dimension of security. In the real world, we know that burglar alarms, window locks and security chains on the front door can be effective ways to secure property. But they won’t prevent an unsuspecting victim from jeopardising their security by opening the door to a stranger.

Similarly, a corporate security strategy will be less effective if it doesn’t address the human element. We need to find imaginative ways of ‘patching’ human resources as well as securing digital resources.

This isn’t just a business issue. Most individuals who use the Internet from home face the same issues. So as a society we need to find ways to raise awareness of the risks associated with online activity, and develop effective methods to minimize these risks.

Towards an ‘online common sense’

People are reasonably well-equipped to manage risk in the offline world. For example, we have a range of well-established ‘common sense’ strategies for educating children about the potential dangers of crossing the road: we teach them to use designated crossing points or, where this isn’t possible, to look carefully in both directions before starting to cross the road. There’s also been a generation or more of TV, print and radio advertising designed to educate the public about the dangers of drink-driving or not wearing a seat belt.

Of course, the ‘common sense’ advice we give to children and the government warnings about safe driving can’t guarantee safety. But they provide information which helps to minimize risk. Today, driving under the influence of alcohol is considered socially unacceptable, and there are far fewer drink-related incidents on the road than there were forty years ago.

Unfortunately, there’s no parallel online common sense. This isn’t surprising. In comparison to the generations of car drivers, and the many more generations of people crossing the road, the Internet is very new. People are only just beginning to realise how the Internet can enhance their lives: sadly, many are blissfully unaware of the potential dangers.

Society faces something of a paradox here. Children learn many common sense strategies for staying safe in the offline world from their parents. But today’s parents are often ill-equipped to educate their children about online safety, since they are unfamiliar with this ‘new’ technology. Conversely, children are able to use the technology, but typically know little about potential online threats.

However, it’s essential that we collectively develop such an online common sense. If we do, today’s children will be much better equipped to safeguard their own children.

The importance of staff education

First, it’s important not to confuse education with training. It would be unrealistic to try and train people to be computer security experts. Rather, we should raise awareness about potential online threats and the steps people can take to protect themselves.

For businesses and other organizations, staff education should be one of the core building blocks of an effective security strategy. Employees need to be told, in simple, straightforward language, the nature of the threat. They need to understand what protection measures the organisation has deployed, and why, and how these may affect them in carrying out their duties. A security strategy is far more likely to be effective if staff understand and support it. It’s also essential to create a culture of openness: staff should be encouraged to report suspicious activity, rather than hiding it for fear of facing disciplinary action. If employees feel threatened, or are made to feel stupid, they will almost certainly be less co-operative.

Like any aspect of security, it’s not enough simply to write a policy, get staff to sign it and then do nothing further. An effective security policy should evolve together with the changing threat landscape, and must be regularly reviewed. It’s also essential to remember that people learn in different ways: some respond best to verbal input, some to written or illustrative material. So it’s best to use a range of strategies to reinforce the security messages you want staff to understand. These include presentations as part of a staff induction program, poster campaigns, security awareness quizzes, cartoons, a ‘tip of the day’ shown when staff log onto the corporate network, and more.

It’s also important not to see security information and training just as an IT issue. Rather it should be seen within an overall HR context that includes health and safety at work, appropriate staff behaviour, etc. To be effective, a security education program must have buy-in from HR, the training department and any other relevant parties.

Beyond the workplace

There’s an overlap between work and home. The people who use computers as a business resource at work also use them to shop, bank or socialise from home. Using computers for non-work purposes can be integrated into a staff security awareness program: showing employees how to protect their own computers, secure their routers etc. will help create interest and support for the security training program overall. It also ensures that staff – who increasingly may be working from home – are not exposing business resources to unnecessary risks.

Of course, there are people who don’t use a computer at work (or who have retired), but use a computer at home. It’s essential, therefore, that security education is taken beyond the workplace and into everyday life.

There is already a range of public resources providing advice on Internet security. These include Get Safe Online, identitytheft.org.uk and Bank Safe Online. Additionally, security vendors typically provide a guide to staying safe online, like our own Guide to stopping cybercrime. They all provide sound guidance on how to minimise the risk of falling victim to cybercriminals. However, they all assume that the reader is already online.

I believe it’s also important to try and find offline ways to transmit the same messages, including using TV ads like those used in the past to encourage the use of car seat-belts or discourage drink-driving. Given the success of such adverts in the past, I think that similar campaigns addressing cybercrime and cyber security could also be effective. For example, in the UK in 2005, the Capital One Group ran a series of TV ads which featured a well-known impressionist named Alistair McGowan. The adverts were designed to promote the company’s ID theft assistance service but at the same time highlighted the importance of shredding personal information before disposing of it.

Future prospects

Cybercrime is here to stay: it is both a product of the Internet age and part of the overall crime landscape. So it would be unrealistic, I believe, to think in terms of ‘winning the war’. Rather, it’s about finding ways to mitigate the risk.

Legislation and law enforcement initiatives are designed to maximise the risk experienced by cybercriminals. The purpose of technology and education is to minimise the risk to society. Since many of today’s cyber attacks target human fallibility, it’s essential to find ways to patch these human vulnerabilities just as we strive to secure computing devices. Security education is similar to housework – it can’t be seen simply as a one-off task, but needs to be carried out on a regular basis to ensure good results and a clean, safe environment.
