Assume users will do the wrong thing when it comes to security, expert advises

Security-conscious organisations should assume their users will make mistakes that compromise institutional security, even after being trained not to, a Palo Alto Networks security executive has warned.

Noting that advanced persistent threats (APTs) have been continually tweaked and refined over the years, Kelly Brazil, the security vendor's APAC director of systems engineering, warned that because they play on human nature, training alone cannot stop them.

“The problem has been around for a while and it’s not really something we can train people out of,” he told attendees at a breakfast seminar in Melbourne this week.

“They’ll have their devices out at a bar, get something new on their phones, and they click on it. You’re not going to be able to train your way out of these types of situations, and you’ve got to assume that people are going to click on these things.”

Given that dynamic, he said, companies aiming to protect their networks from APTs should take approaches that focus on how malware behaves on the network rather than on signature matching, or on expecting staff to spot the attack themselves.

This includes the increasingly common approach of monitoring traffic leaving the network for application protocols running over ports other than their standard ones, a sign that something is trying to slip past port-based controls: "these protocols have been around since the dawn of the Internet and they have not really been well protected using the methods today," Brazil said.

Another telltale sign of malware activity is repeated transmission of data from one internal host to an external address that few or no other hosts contact, which may indicate malware reporting back to a command-and-control node.
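The two egress checks described above, worked through as an added example that is not part of the article and not Palo Alto Networks code. It runs over a handful of constructed flow records whose layout loosely follows a Zeek conn.log (timestamp, source, destination, destination port, service detected by deep packet inspection); the record layout, the expected-port table and the thresholds are assumptions for the illustration. The first check flags a known protocol on a non-standard port, the second flags a source that connects to a rarely contacted destination at near-constant intervals.

```python
"""Two egress detections from the article, over constructed flow records.

1. port_protocol_mismatches: a recognised application protocol (as labelled by
   a DPI engine) on a port it is not expected on, e.g. SSH tunnelled over 443.
2. beacon_candidates: one source repeatedly contacting one rare external host
   at regular intervals, the pattern of an implant checking in with its C2.

The flows, the expected-port table and the thresholds are assumptions made for
this example; none of it is a real capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed mapping from DPI service label to the ports it normally uses.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "ssl": {443, 8443},
    "ssh": {22},
    "dns": {53},
    "irc": {6667},
}

# Constructed flows: (epoch seconds, source, destination, dest port, service).
FLOWS = [
    (1000.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),   # ordinary HTTPS
    (1001.0, "10.0.0.6", "93.184.216.34", 443, "ssl"),
    (1002.0, "10.0.0.7", "93.184.216.34", 443, "ssl"),
    (1003.0, "10.0.0.5", "198.51.100.9", 443, "ssh"),    # SSH hidden on 443
    (1010.0, "10.0.0.8", "203.0.113.77", 8081, "irc"),   # IRC on an odd port
    # Beacon: 10.0.0.9 checks in with 203.0.113.50 roughly every 60 seconds.
    (2000.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    (2061.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    (2119.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    (2180.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    (2241.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    (2299.0, "10.0.0.9", "203.0.113.50", 443, "ssl"),
    # Human browsing: irregular bursts to a host that many machines use.
    (3000.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
    (3007.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
    (3300.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
    (3305.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
    (4100.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
    (4102.0, "10.0.0.5", "93.184.216.34", 443, "ssl"),
]


def port_protocol_mismatches(flows, expected=EXPECTED_PORTS):
    """Return (src, dst, dport, service) for flows whose detected service is
    running on a port outside the set it is expected on. Unknown services
    are skipped; the check only fires when DPI has identified the protocol."""
    hits = []
    for _ts, src, dst, dport, service in flows:
        ports = expected.get(service)
        if ports is not None and dport not in ports:
            hits.append((src, dst, dport, service))
    return hits


def beacon_candidates(flows, min_conns=5, max_cv=0.2, max_sources=1):
    """Return (src, dst, mean_gap_seconds, cv) for source/destination pairs that
    look like beaconing: at least min_conns connections, gaps between them
    nearly constant (coefficient of variation <= max_cv), and the destination
    contacted by no more than max_sources internal hosts, so that a CDN or
    popular site contacted by everyone does not qualify."""
    times = defaultdict(list)     # (src, dst) -> connection timestamps
    sources = defaultdict(set)    # dst -> set of internal hosts contacting it
    for ts, src, dst, _dport, _service in flows:
        times[(src, dst)].append(ts)
        sources[dst].add(src)

    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_conns or len(sources[dst]) > max_sources:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg   # relative spread of the check-in interval
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in port_protocol_mismatches(FLOWS):
        print("port/protocol mismatch:", hit)
    for hit in beacon_candidates(FLOWS):
        print("beacon candidate:", hit)
```

Both checks are heuristics, and the thresholds need tuning against the network's own baseline: implants add random jitter to their check-in interval, which raises the coefficient of variation, and a sample that stays dormant for days produces no beacons at all inside a short capture window, so the analysis has to run over a long enough history to include the first check-in.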

Such monitoring at the network border has become necessary because much of the malware currently doing the rounds goes dormant for several days immediately after infecting a system, so it shows no activity while it is most likely to be examined, and conventional signature-based scanning has nothing to match until a signature for the sample exists.

“You have to control the cyberthreat lifecycle, and it’s far beyond the payload,” Brazil said. “There’s a lot more going on with these attacks than just malware, which is what some people talk about when they talk about APTs.”

“There are a lot of parts of the attack that can be customised and manipulated in the payloads,” he continued. “It’s just so easy to get around existing URL filtering, firewalls, and intrusion prevention systems: services like Tor and Hamachi not only route you through existing security but anonymise you too. We need security that understands these at a basic level, and knows how to deal with them.”

Palo Alto Networks recently gave its flagship WildFire scanning platform the ability to scan APK files, which contain applications for Android-based smartphones and tablets. Android, which has emerged as a massively popular target for malware authors – in Russia and elsewhere – has gained a reputation as being a particularly vulnerable platform for attacks through mobile ad networks.

Although many operating systems and security tools incorporate features that can protect against some common APT behaviours, Brazil warned that they often slow down or inconvenience users – and are therefore often left disabled despite the instructions of corporate security managers.

Such human tendencies run contrary to the tenets of good security protection, but they are hard to avoid, Brazil said, arguing that closing this gap requires a technological defence that works despite the apathy of users. It also helps to use 'next-generation' security tools that identify traffic by application rather than by port, allowing tight control over, for example, Facebook access.

"You have to understand 'known' and 'unknown' threats to be effective anymore. Just handling known threats isn't going to get you where you want to be. But with the new way of looking at security, all of a sudden these common-sense things you want to do become very easy."

Stories by David Braue