Maksim Kabakou - Fotolia
Conventional wisdom is that users are one of the biggest risk factors in cyber security – whether it is the malicious insider who intends to steal or compromise data, or the unwitting email recipient who clicks on a link and triggers a network-wide malware infection.
The reality, however, is more subtle, meaning the control environment cannot simply rely on annual security awareness computer-based training or a policy compliance tick box quiz. Modern targeted threats are often geared towards a specific organisation or even an individual user.
The traditional wisdom of “don’t open suspicious links or attachments” does not prevent a user clicking on an email that has been specifically designed and crafted not to be suspicious.
We have also seen attacks that exploit web pages people are known to browse or access, forums they use and other aspects of what could be described as “normal use of corporate and personal IT systems”.
This extends to the use of cloud based-applications and file storage/sharing systems, travel booking services, tech support and chat applications – not reckless or naive behaviour, just normal. The reliance on users as a defensive line is only a part of the picture that security teams need to paint.
If you assume that some users are going to fall for these scams and that not all systems are going to have patches applied, then there is a need for better controls that can filter this use/exploitation and detect/prevent the inevitable people/process/technology security failures. Otherwise, we leave security teams either inundated trying to check everything that happens or helpless in the face of a constant barrage of security issues and incidents.
Email and web content filtering needs to look beyond filtering malware and black-white listing of sites and become more content and context aware.
Having the ability to unpack and scrutinise content in a sandbox has been around for a while, but there are now moves to couple this with the possibility to open attachments in the cloud rather than locally to prevent the workstation/user being the place where this attack vector emerges.
‘Smarter thinking’ necessary to keep up with attackers
Identity and privilege management are still as vital as ever and still as difficult to get right. Controlling roles and rights with ever-more complex file systems and applications is a massive and constantly evolving job.
In some cases, a move towards newer cloud-based systems and applications does at least give the chance to redraw some of these access rights boundary lines based on data, business and work flows.
Threat intelligence – the collection, generation, sharing and use of information for deception, prevention and investigation – needs to be both extrovert (having access to public, community, government-provided and specific, actionable threat information) and introvert (knowing what the user community, network purposes, server roles, and movements of staff are).
Patching, security configurations and resilience to both known and zero-day threats means having continual visibility of where issues lie, but also a good detective capability.
This means that for unpublicised vulnerabilities, the effects of an attacker making the initial contact, gaining a foothold, moving laterally or exfiltrating information can be detected and contained automatically, at least in part, to cope with the volume of attacks.
In summary, any control should assume that all other controls could fail. In the nightmare scenario where a user does not flag an attachment as suspicious or where the vulnerability is a zero-day exploit and the attacker is stealing information in a way that you do not filter for, you quickly realise that blaming the user is about as useful as claiming that firewalls prevent network-based attacks.
Smarter thinking is needed to keep up with attackers who are often thinking smarter themselves and have extensive ingenuity, resources, patience and knowledge of the target, with none of the constraints of budgets, skills shortages, change control processes and decision-making hierarchies.