Unwitting accomplices and complicit security teams
Overcoming America's lost decade of IT security
The running joke for years among security professionals has been that if you want to eliminate risk, or truly secure the network, just get rid of the users.
Obviously, this tongue-in-cheek statement belies an axiom of business – our users drive the success of the enterprise. However, the statement reflects acknowledgement of a very complex reality – our users are simultaneously our first line of defense and our weakest link – and more often the latter.
Unfortunately, our adversaries are aware of this and have become experts at exploiting user behavior and psychology for their gain. The absolute dependence on the internet has enabled new avenues for cyberespionage into business networks and critical infrastructures.
Gone are the days of full frontal assaults against networks. Cyber miscreants have figured out there is no sense in spending the energy trying to break through firewalls when you can simply ask any one of the thousands of users connected to the internet to invite you in.
Users have become unwitting accomplices to cyber adversaries – helping establish beachheads from which further internal attacks can be launched. The security mechanisms used in the enterprise today were designed at a time to address a threat that tried to break through perimeters. Just as castles and moats have become quaint relics of the past, so too have today's enterprise security tools. And security teams that rely solely on these tools, while pointing the blame at users, are equally complicit in allowing cyber adversaries to gain unfettered access to their networks.
Cyber miscreants count on the naivety and psychology of the user and prey on them by using a combination of techniques.
Sometimes they play to fear, such as the use of rogue anti-virus exploits, while other times they play to desire, such as promising lurid pictures and videos through links. Advanced search engine optimization (SEO) techniques are routinely employed by malware writers to place malicious links at the top of search engine results. Users are easily duped by these techniques.
It is not their fault. They trust Google and the internet. Training alone is not an answer to this problem; the attacks are simply too sophisticated for users to be trained out of the box they are in. Rather, technology that protects users from infecting their machines even when they make poor decisions is essential. In other words, technologies that allow users to make mistakes and “undo” them are necessary.
Users are lowering the drawbridge without realizing the risk they introduce. This is what should be keeping you up at night. You literally have thousands of people inviting in cyber adversaries. What is worse is the fact that our security teams have refused to get out of the blame game. We need to stop blaming users for making poor security decisions. Instead, we need to arm the enterprise with tools that do not depend on users making good security decisions in order to protect against these threats.
Security professionals look condescendingly at users that click on links from “friends” in online social networks or open infected PDF documents that purport to come from high-level executives, as if the users should know better. Depending on users to make good security decisions is not a security strategy. It is a pipe dream.
A lot has been made over the past year about advanced persistent threats (APTs), and while we most definitely need to keep our eyes on the rapid evolution of the threat landscape, we also need to recognize that we are being attacked from all angles, by a diverse set of adversaries utilizing a combination of techniques.
Exploits today do not rely solely on sexy zero-day vulnerabilities or unpatched vulnerabilities in Internet Explorer. Many are fairly run-of-the-mill in terms of sophistication and simply entice users through desire, fear, or sheer boredom to click on links and dialog boxes to run malicious code.
Fundamentally, we all know what to do: stop trusting the user. Users aren't security professionals and, despite attempts at training them, they never will be. Take security decisions out of their hands and make their mistakes irrelevant to your overall security footing. But how?
Advances in virtualization and behavioral-based detection offer the solution. It is possible to completely isolate the desktop from the web browsing experience and protect against application-level exploits such as those in Adobe Reader.
Is virtualization the security panacea? No, but it is a big step forward. Won't the bad guys, then, turn their sights to breaking out of the virtualized environment? Sure, but if we move the problem from attacking the large attack surface of browsers and operating system software to trying to find vulnerabilities in hypervisors, then we've succeeded.
We've increased the cost to the attacker dramatically and significantly reduced the number of players on the exploit side. Right now, our adversaries have us beat.