Introduction: End user
When weighing up the biggest security hazards to an organisation, it may come as a surprise to discover that the end user within the organisation is often the first to compromise security. Through no fault of their own, and mainly due to a lack of awareness, employees frequently open the virtual gates to attackers. This is why we consider end user education so important.
‘The most effective way the CIO can deliver practical and memorable education is to make it real.’
With the rise in cybercrime as well as the increase in the consumerisation of IT and BYOD, it is more important than ever to fully educate employees about security attacks and protection. Although BYOD has given them an increased level of flexibility, it has also given the end user even more potential to cause security breaches. Threat actors actively target end users as a primary route to compromise.
Some criminals target the end user directly, for example to conduct financial fraud; others leverage the user to gain access to the organisation's IT infrastructure. It is important to note that threat actors can target end users on their home networks and mobile devices, who will then unwittingly bring the “infection” inside the organisation. Increasingly, criminals use a technique called spear phishing: an attacker sends a highly targeted email, often with personal contextual details, that fools the user into clicking a link and, unknown to them, downloading malware.
Once downloaded, the malware provides access to the end user's device, which is then used as a launch point to harvest network information and expand control inside the network. Given these detrimental ramifications, it is vital that end users have a full understanding of the most common ways threat actors target them.
This includes educating employees that they will be targeted, encouraging them to be vigilant at all times, and teaching them what qualifies as sensitive data, how to identify and avoid threats, and what the acceptable use and security policies require of them.
1. Awareness programs.
I’ve found that these programs include some basic training combined with ongoing awareness campaigns. Oh, and successful awareness campaigns combine education, communications, cheerleading, entertainment, and perhaps even some incentives.
So cybersecurity messages and posters may be combined with a funny video featuring the CEO getting scammed by emails from the Central Bank of Nigeria. CISOs say keep all communications high-level and clear to avoid alienating employees with constant geek-speak.
The CISO may be responsible for cybersecurity, but he or she should not be the face of end-user awareness programs. Rather, the CEO and business managers must take the lead here. The goal? Communicate to the troops that online behavior is as important as any other work-related task, such as arriving on time, treating others with respect, and meeting deadlines. In other words, business leaders must strive to make cybersecurity awareness and good online behavior part of the corporate culture.
3. Notifying end users of policy violations.
Some security tools block employees' actions without further explanation, which frustrates employees who may not understand why they were prevented from doing their jobs. Rather than blindly enforcing policies, progressive companies also use electronic notifications to educate employees as to why their actions were blocked in the first place.
For example, an employee may not realize that the file they were trying to email contained healthcare records or other regulated data. CISOs tell me that providing this kind of simple explanation can actually decrease the volume of policy violations by up to 90%.
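As an added illustration of the "block and explain" approach described above (example code, not from the original article), the following toy outbound-mail check flags regulated data in the body and attachments and, instead of silently blocking, produces the plain-language explanation the employee sees. The corporate domain, the detection rules and the sample message are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"  # assumed corporate mail domain

# Hypothetical detection rules: (data class, pattern, explanation shown to the employee).
# The patterns are deliberately simple; a production DLP engine uses far richer detectors.
RULES = [
    ("US Social Security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
     "contains what look like Social Security numbers"),
    ("Protected health information",
     re.compile(r"\b(MRN|medical record|diagnosis)\b", re.IGNORECASE),
     "appears to contain patient healthcare records"),
]


@dataclass
class Decision:
    blocked: bool
    findings: list = field(default_factory=list)  # (data class, location, hit count)

    def notification(self) -> str:
        """Plain-language message telling the employee what happened and why."""
        if not self.blocked:
            return "Message delivered."
        lines = ["Your message was not sent to external recipients because it:"]
        for data_class, location, hits in self.findings:
            explanation = next(e for name, _, e in RULES if name == data_class)
            lines.append(f"  - {explanation} ({hits} found in {location}; policy: {data_class})")
        lines.append("Share regulated data only through approved internal channels.")
        return "\n".join(lines)


def _scan(text, location):
    return [(name, location, len(pat.findall(text)))
            for name, pat, _ in RULES if pat.search(text)]


def evaluate_outbound(recipients, body, attachments):
    """Decide whether a message may leave the organisation.
    attachments: dict of filename -> text extracted from the attachment."""
    external = [r for r in recipients if not r.lower().endswith("@" + CORPORATE_DOMAIN)]
    findings = _scan(body, "message body")
    for name, text in attachments.items():
        findings += _scan(text, f"attachment '{name}'")
    # Regulated data may circulate internally; block only when it would leave the organisation.
    return Decision(blocked=bool(external and findings), findings=findings)


if __name__ == "__main__":
    # Constructed sample: an employee forwards a patient export to a personal address.
    decision = evaluate_outbound(
        ["colleague@example.com", "me.personal@mail.example.org"],
        "Hi, here is the export you asked for.",
        {"export.csv": "MRN,Diagnosis\n10023,Type 2 diabetes\n10024,Hypertension"},
    )
    print(decision.notification())
```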
4. Proactive spear phishing.
This tactic involves sending bogus but authentic-looking emails to internal employees to see if they actively click on links, install software, or open attachments. On average, somewhere between one-third and half of employees will do so. Rather than compromise internal employee systems, however, organizations use this as a “teachable moment” by sending the employee a notification of what just happened and reminding them about good online hygiene. While success metrics are hard to come by, anecdotal evidence seems to indicate that internal spear phishing can lead to improvements in user education and behavior.
5. End-user feedback.
If employees are expected to become good cybersecurity citizens, then the security team should keep them up to date on how they are doing. Measurable improvements should come with some type of “attaboy” message from the CEO or token reward from the company.
End User Threats
Malicious code within ads or third-party apps, posts containing links to malicious sites, and the sharing of sensitive information or derogatory comments will continue to pose real risks in 2013 – ranging from exposing proprietary information to damaging the corporate brand and even inviting lawsuits. Online work and personal identities are merging as employees increasingly use social media platforms like Twitter, LinkedIn and Facebook to communicate with customers, partners and friends. As people become more willing to share personal information online, they assume a dangerous level of trust for new “friends” and “followers,” and open the door to new creative variations of old social engineering attacks.
1. Text messaging:
A report from the Pew Internet and American Life Project claims that 73 percent of adults with a mobile phone use text messaging – sending and receiving an average of 41.5 messages per day. And most are not likely to think twice about the security implications of clicking on a link in a text. This leaves an open door for attackers to spread malware, phishing scams and other threats among mobile device users. SMS phishing, aka ‘smishing’ attacks, will continue to gain momentum in 2013 because unlike major web browsers that have phishing protection built in to alert the user to suspicious sites, mobile phones aren’t equipped to help users avoid malicious text messages.
2. App downloads:
BYOD programs make it tough for IT departments to control the security of end-user devices. It is often difficult for employees to understand why they can’t download their favorite apps (like Angry Birds) to their personally owned devices – even when those devices contain sensitive corporate data and business applications. At the same time, malicious and high-risk apps are becoming more sophisticated. The number of dangerous Android apps is expected to hit 350,000 by the end of 2012 and one million by the same time next year.
3. Spear phishing:
Spear phishing attacks against the White House and South Carolina Department of Revenue made headlines in 2012. While spear phishing is on the rise, Wombat Security Technologies’ research shows that relatively simple phishing emails are still hooking up to 60 percent of employees. Unlike mass phishing emails, the success of spear phishing depends on three things: (1) the apparent source must appear to be a known and trusted individual, (2) there is information within the message that supports its validity, and (3) the request seems to have a logical basis. Social networking is making it easier for cyber criminals to gather the data necessary to craft convincing spear phishing emails. Trend Micro reports that 91 percent of recent advanced persistent threat (APT) attacks involved spear phishing tactics to dupe the victim into opening a malicious file or website.
4. Cloud services:
The use of consumer-grade cloud applications (e.g., Dropbox and web-based email applications) for business purposes is gaining popularity among employees who naively choose convenience over security. Many end-users don’t understand what corporate information is and why it needs to stay within corporate resources. Cloud services bring with them security risks, such as data compromise and loss, and uptime reliability that most end-users don’t understand or consider in their rush to adopt the most convenient and easily accessible solution. As data becomes widely distributed across cloud services that are unknown to the IT department, the risk of exposure increases exponentially.
5. Passwords:
As the network perimeter disappears, so does the ability of IT to enforce password best practices. After years of password breaches and warnings about weak passwords, a large percentage of people are still choosing words like “welcome” or personal information, such as a birthday, for passwords. This ultimately places company data and networks at risk. In a single instance this year, Yahoo confirmed 450,000 passwords were breached. As more resources sit outside the control of a centralized IT department, enforcement of strong password management controls will become an even bigger challenge in 2013.
6. Lost devices:
A recent Cisco study claims that nine percent of employees have reported a lost or stolen device, and of those workers, 26 percent have lost the technology more than once within a year’s time. As mobile devices proliferate in the workforce, the ramifications of a lost or stolen device are huge. Personally owned mobile devices are more difficult to remotely wipe when lost or misplaced since they are not under IT’s direct control. This can expose corporate data to loss and may result in the breach of sensitive data, potentially triggering state, provincial or national data breach notification requirements.
© 2017 – 2018, Techrunnr. All rights reserved.