Cat and mouse game. Arms race. Time and again, we use these metaphors to describe the battle against cybercriminals. Of course, there’s no such thing as failsafe security, but the bad guys seem to be getting the upper hand despite all our best efforts. Despite all the firewalls, IDSes, antivirus, SIMs, and authentication requirements, breaches continue at a rapid pace. Notification laws, of course, have brought many breaches to light that would have otherwise gone unreported. Still, the list of compromised companies only seems to grow unabated.
Now, maybe the breached companies had serious lapses in security. Certainly, there were things they could have done better. But, while it might be easy to snicker at RSA getting hit, the truth is that attackers are hard to fend off when they’re going after users. The attack on RSA started with a spear phishing email that targeted a small group of employees (and one was clueless enough to pull it out of a junk folder and open it). Anonymous broke into HBGary Federal with a social engineering scheme that tricked a network admin into giving up access to a website. Publishing giant Conde Nast reportedly was nearly defrauded of $8 million by a targeted email.
Last month, in the wake of the Epsilon breach, which some called the biggest ever, we were left with the nerve-wracking specter of a wave of phishing attacks. Security experts warned that criminals could use all the emails stolen from the email marketing company to create targeted, legitimate-looking emails. There are even tools criminals can use to match email addresses with information on social networking sites to create even more convincing emails.
With users as the targets, and spear phishing seemingly becoming the weapon of choice for cybercriminals, experts say companies need to ramp up an aspect of information security that often gets little attention: employee security awareness training. Companies spend so much time locking down their networks that they forget about a glaring vulnerability – the user. Employees continue to fall for even basic threats, says Lance Spitzner, director of SANS Securing the Human Program. For example, he heard of an employee at a company who immediately submitted his resignation upon receiving a phony email about winning the lottery.
To be sure, humans are notoriously hard to secure; it seems like a losing battle to get users to stop clicking on email attachments. But educating users about security requires more than just an occasional lunch-and-learn or requiring them to watch a DVD in between work tasks, experts say. It requires taking the time to continually train employees to be on guard through hands-on demonstrations. “Everyone pukes the phrase, ‘there’s no patch for human stupidity’ but that’s wrong,” says Chris Nickerson, founder and principal consultant at Denver-based Lares Consulting. “The patch is experience.” That means learning to pay attention to the details of an email: checking the address it is actually coming from, its tone, mousing over links to see where they really lead, and not clicking on anything that looks shady.
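As an added illustration of the "check the address, hover the link" habit the column describes (this is example code written for this page, not from the column or any of its sources), the following Python script applies those two checks mechanically to a constructed lure. It compares the domain a sender's display name claims against the domain of the actual address, and for every link in an HTML body it compares the domain the visible link text shows against the domain the href really points to. The messages, domains and helper names are all made up for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real capture). The display name impersonates
# payroll@acme.example while the real sender is another domain, and the link
# text shows an acme.example URL while the href goes somewhere else.
SAMPLE_EMAIL = """\
From: "payroll@acme.example" <notify@mail-acme-payroll.example>
To: jane.doe@acme.example
Subject: Action required: confirm your direct deposit details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your direct deposit is on hold. Please confirm your details here:</p>
<p><a href="http://acme.example.payroll-verify.example/login">https://acme.example/payroll</a></p>
<p>Regards,<br>Acme Payroll Team</p>
</body></html>
"""

# Constructed benign message for comparison: display name is a plain name and
# the link text matches where the link goes.
BENIGN_EMAIL = """\
From: "Acme Payroll" <payroll@acme.example>
To: jane.doe@acme.example
Subject: Payslip available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is at <a href="https://hr.acme.example/payslips">https://hr.acme.example/payslips</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup; adequate for the demo, not for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL or URL-looking text, or None if there is none."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse see a scheme
    return urlparse(candidate).hostname


def check_sender(msg):
    """Flag a display name that contains an address from a different domain
    than the real From address (the 'look at the actual address' check)."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    if "@" in display and "@" in addr:
        shown = display.split("@")[-1]
        actual = addr.split("@")[-1]
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(f"sender display name claims {shown} but address is {actual}")
    return findings


def check_links(msg):
    """Flag anchors whose visible text names one domain while the href goes
    to another (what mousing over the link would reveal)."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = host_of(href) if href else None
        # Only treat the text as a URL claim if it looks like one.
        text_host = host_of(text) if ("." in text and " " not in text) else None
        if href_host and text_host and registrable_domain(href_host) != registrable_domain(text_host):
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def analyze(raw_message):
    """Parse an RFC 5322 message and return the list of findings (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(raw) or "no findings")
```

The point of the script is not to replace training but to make the two habits concrete: the lure is only caught because the real sender address and the real link target are inspected, exactly what an employee is being taught to do by hand.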
Security experts also advocate making security personal by showing employees how easy it is to mine information about them online. Of course, all the training in the world and security-savvy users won’t stop every determined attacker. But, they’ll give you a fighting chance in this continuing battle against cybercrime.
Marcia Savage is editor of Information Security. Send comments on this column to firstname.lastname@example.org
This was first published in May 2011