IBM: Don’t bully the ‘idiots’ who fall for phishing

Big Blue gives IT pros a lesson in psychology.

IT professionals should stop mocking their users for doing seemingly stupid things like opening phishing emails, according to IBM. These un-patchable people could turn out to be the canary that flags the next Advanced Persistent Threat attack.

The attitude of IT and information security professionals to their users was summed up by the oft-used PowerPoint slide, “There is no patch for stupid”, IBM highlights in its latest X-force security report [PDF], which urged security pros to take a different, more supportive, tack with staff. 

While the attitude may accurately reflect the challenges that network defenders face, it could damage their ability to detect a targeted attack.

Acronyms like “PEBKAC” (Problem Exists Between Keyboard and Chair) and “PICNIC” (Problem in Chair, Not in Computer) could lower the security of an organisation by encouraging a culture of shame and secrecy when a person fell for a seemingly simple scam.

“These terms may disregard the sophistication of a number of these attacks and doing an injustice to some of the individuals ensnared. They may even be making the problem worse,” IBM’s security analysts argued in the report.

Giving these perennial human security issues a derogatory name “may put victims on the defensive”.

““They have heard the snide remarks and here (sic) they are or they suspect -- but are not sure -- that something bad might have happened to them. Do they dare tell anyone and risk ridicule for falling for a trap?” ?”

Security professionals needed to acknowledge that some of these attacks were getting better, and most importantly, they needed create an environment that encouraged staff to report anything out of the ordinary.

The human, often viewed as the weakest link in security, was also its greatest strength, according to IBM.

“Everything that we know or do regarding the Internet is impacted as the human element represents the strength in seeing what can be made, as well as the weakest link and easiest point to overcome,” it said.

Two recent high profile Advanced Persistent Threat cases illustrated the diversity of what “the weakest link” could be, and highlight the varying degrees of profiling that goes on before an attack.

While the phishing email that was rigged with an Adobe Flash zero day exploit and fooled RSA staff “do not appear to have been carefully targeted”, those that hit Google earlier were since the attackers had extensively researched the “patient zero” target.

“The original attack was a focused Instant Messaging (IM) attack. The attackers had done a lot of research and compromised a friend’s account. The attack methodology was advanced in its research, even if the malware itself was not. The attackers were very persistent. This fit the entire criterion for an APT.”   


More articles from Liam Tung this week are:

Anatomy of a cunning APT: the SK Communications breach

Microsoft spikes third botnet and Mac fake AV host

Smartphone users think security is ‘too expensive’


New Slideshow:

Take the encryption quiz today..



Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags phishingIBMrsanetwork defendersadvanced persistent threats (APTs)x-force security reportInstant Messaging (IM) attackAdobe flash . zero day exploit

More about Adobe SystemsAPTBig BlueetworkGoogleIBM AustraliaIBM AustraliaMicrosoftNICRSASK

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts