There is no technical solution to a behavioural problem.
In light of relentless data breaches, is endpoint protection software still fit for purpose? People naturally behave in insecure ways, and addressing this through education and awareness is a key challenge for the cybersecurity industry. Focusing solely on technological measures to defeat cyber-criminals will always be a losing battle, so instead of trying to resolve the symptoms, we must address the root cause.
Early social engineering tactics, such as the “Nigerian Prince needs your help” 419 scam, involved little technology. The cyber-criminals would send vast numbers of spam emails and simply wait for a victim to respond. The remainder of the scam would be executed via emails, phone calls or in person; it relied on the greed or gullibility of the victim to ensure they continued co-operating with the criminals.
Over time the cyber-criminals’ tactics have evolved and become more sophisticated, using complex social engineering techniques and malware. Nevertheless, the root cause remains the same. The victim must actively participate in the initiation of the scam, by opening an attachment, clicking on a link, or responding to an email. Our collective obedience in the face of perceived authority, desire to help others, willingness to get our jobs done in a high-intensity business environment and natural curiosity simply work against us.
However, we shouldn’t throw our hands in the air, accept the inevitable and give up just yet. There are simple but effective approaches to reducing the risk, and it starts with education. Within the anti-phishing and secure email platform space, vendors are now offering training and awareness technologies with their security solutions. Instead of simply blocking attacks and quarantining emails, they give the user the opportunity to open the email, click on the malicious link to provide their real username and password to a fake website, or perform an otherwise insecure action – after the threat has already been quietly neutered. These platforms then direct the user to an educational system that explains why the email was malicious and what the user should have done instead.
These very effective systems are mainly confined to email and web security services. Extending these systems to endpoint security platforms is considerably more complex and somewhat impractical, especially in the context of unknown threats.
Modern anti-virus packages are extremely efficient. Based on AV-TEST results, the market leaders boast a 99.9% or higher detection rate for common malware. So, assuming the user doesn’t simply ignore the warnings and allow malware to launch, a decent up-to-date anti-virus package will protect against the vast majority of threats. That just leaves the difficult 0.1% to deal with – the zero-day threat.
Zero-day malware is unknown to traditional anti-virus products that use ‘known bad’ signatures to detect and identify malicious code. If these zero-day threats are unknown and undetectable, how can they be defeated? In theoretical terms, there is an easy solution: whitelisting. Instead of taking the normal anti-malware approach of allowing all software to run and trying to detect which may be malicious, whitelisting defines a specific set of ‘known good’ applications. This whitelisted software is allowed to run unimpeded, and everything else is blocked.
This is a strong way to prevent malicious software from executing, but for many it’s impractical, expensive, time consuming and inflexible. The level of effort combined with the impact it has on organisations’ ways of working is something many aren’t willing or able to undertake.
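The contrast between the two models, and the operational cost of whitelisting, can be seen in a short added example (not part of the original article). It reduces both approaches to SHA-256 lookups over constructed byte strings standing in for executables; real products use far richer signatures and policy rules, and all file names here are hypothetical.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: byte strings standing in for executables.
SAMPLES = {
    "payroll-v1.exe": b"payroll application build 1",    # approved software
    "payroll-v2.exe": b"payroll application build 2",    # legitimate update, not yet approved
    "known-trojan.exe": b"trojan already catalogued by the vendor",
    "zero-day.exe": b"malicious code nobody has catalogued",
}

# 'Known bad' signature database (default-allow model).
KNOWN_BAD = {sha256(SAMPLES["known-trojan.exe"])}
# 'Known good' whitelist (default-deny model).
KNOWN_GOOD = {sha256(SAMPLES["payroll-v1.exe"])}


def signature_av_allows(data: bytes) -> bool:
    """Default-allow: run everything unless it matches a known-bad signature."""
    return sha256(data) not in KNOWN_BAD


def whitelist_allows(data: bytes) -> bool:
    """Default-deny: run only what matches a known-good entry."""
    return sha256(data) in KNOWN_GOOD


def compare(samples: dict) -> dict:
    """Return each policy's allow/block decision for every sample."""
    return {
        name: {
            "signature_av": signature_av_allows(data),
            "whitelist": whitelist_allows(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare(SAMPLES).items():
        print(f"{name:18} signature_av={verdict['signature_av']!s:5} "
              f"whitelist={verdict['whitelist']}")
```

The unknown sample runs under the signature model and is blocked by the whitelist, but so is the unapproved legitimate update, which is the maintenance burden described above.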
So what is the solution?
Bluntly, there isn’t one panacea. Applications, operating systems and hardware will continue to become more complex, the Internet of Things will continue to expand and provide new routes for attackers to exploit, and with greater complexity comes greater opportunity for vulnerability. People will always slip and behave in insecure ways, regardless of vigilance. We can produce the usual list of ‘best practices’:
- back up your data
- don’t re-use passwords
- ensure your anti-virus, email software, web browser and other security technologies are up to date
But these are messages people have heard many times before, and they mostly address the symptoms, not the root cause.
The key is to reduce that root cause risk as much as possible, and this brings us back to behaviour. Technology and the internet are facts of life and the majority of people are well aware that ‘cybercrime exists’: it’s a mainstream media story with incidents reported on a near-daily basis. However, it’s a minority of people who can reliably spot a carefully crafted phishing email, or a spoof website designed to steal usernames and passwords, and that’s one of the big reasons why cyber-criminals continue to succeed in their malicious endeavours.
This is why education and awareness are key. People must accept that although they are not expected to be technology experts, they have a personal responsibility to educate themselves on spotting issues and safely using the technology they work with every day – just as they may not be mechanics, but they still know how to own and operate a vehicle safely. Experience has shown that companies with the greatest success against cybersecurity threats usually run security awareness programs for their staff, which inevitably go hand in hand with a carefully thought out cybersecurity strategy.
As stated within Objective 4 of the UK Government’s cybersecurity strategy:
“Raise awareness amongst the public and businesses of the threat and the actions they can take to protect themselves.”
Just like sex, drugs & rock ‘n’ roll – we have to adapt our own behaviour to get all of the benefits and minimise the chance of short, medium or long-term damage.
Author: Ian Kayne, Cybersecurity Practice Lead. Article published in Infosecurity Magazine.