IT professionals should stop mocking their users for doing seemingly stupid things like opening phishing emails, according to IBM. These un-patchable people could turn out to be the canary that flags the next Advanced Persistent Threat attack.
The attitude of IT and information security professionals to their users was summed up by the oft-used PowerPoint slide, “There is no patch for stupid”, IBM highlights in its latest X-force security report [PDF], which urged security pros to take a different, more supportive, tack with staff.
While the attitude may accurately reflect the challenges that network defenders face, it could damage their ability to detect a targeted attack.
Acronyms like “PEBKAC” (Problem Exists Between Keyboard and Chair) and “PICNIC” (Problem in Chair, Not in Computer) could lower the security of an organisation by encouraging a culture of shame and secrecy when a person fell for a seemingly simple scam.
“These terms may disregard the sophistication of a number of these attacks and do an injustice to some of the individuals ensnared. They may even be making the problem worse,” IBM’s security analysts argued in the report.
Giving these perennial human security issues a derogatory name “may put victims on the defensive”.
“They have heard the snide remarks and here (sic) they are or they suspect -- but are not sure -- that something bad might have happened to them. Do they dare tell anyone and risk ridicule for falling for a trap?”
Security professionals needed to acknowledge that some of these attacks were getting better and, most importantly, they needed to create an environment that encouraged staff to report anything out of the ordinary.
The human, often viewed as the weakest link in security, was also its greatest strength, according to IBM.
“Everything that we know or do regarding the Internet is impacted as the human element represents the strength in seeing what can be made, as well as the weakest link and easiest point to overcome,” it said.
Two recent high-profile Advanced Persistent Threat cases illustrated the diversity of what “the weakest link” could be, and highlighted the varying degrees of profiling that go on before an attack.
While the phishing emails rigged with an Adobe Flash zero-day exploit that fooled RSA staff “do not appear to have been carefully targeted”, those that hit Google earlier were, since the attackers had extensively researched the “patient zero” target.
“The original attack was a focused Instant Messaging (IM) attack. The attackers had done a lot of research and compromised a friend’s account. The attack methodology was advanced in its research, even if the malware itself was not. The attackers were very persistent. This fit the entire criterion for an APT.”