Last week I discussed my views on the organizational issues with cyber security and how military and civilian companies don’t always utilize talent the right way, or are afraid to spend the money on the necessary talent to properly secure their networks. This week I am going to discuss what I believe to be one of the most insecure parts of cyber security and that is the user.
In my opinion, most users are not given the proper training to avoid introducing malware onto their systems or having their identities and company credentials stolen. Some of the most effective “hacks” were carried out through social engineering or phishing scams. Social engineering, at its core, is simply using information you already have about a person or company to extract more information from another person. Phishing scams are also rampant: users have their identities stolen every day by clicking fake links in e-mails that appear to come from companies, banks, or other entities that matter to them.
A perfect example of this happened some years ago, when Paris Hilton had her “private” images stolen from T-Mobile’s servers. The attacker was a 15-year-old who had found his way to a login server that required administrator credentials. He called T-Mobile technical support, posed as an administrator, and said he had forgotten his password. Because the support staff had not been trained against giving out passwords over the phone, or simply did not care, they reset that administrator’s password and gave the new one to the attacker. From there he had access to every image on the servers. This is one of the best-known examples of social engineering.
Phishing scams can accomplish two things. The first is getting malware onto your machine: the e-mail itself may carry malware, and if you click any link within it, the page you land on may also download malware onto your computer. The second thing a phishing e-mail can accomplish is stealing your identity. Most phishing e-mails are crafted by scammers to imitate messages from any number of important sites you use: your bank, Facebook, LinkedIn, Twitter, and so on. These e-mails usually say something like “click here to reset your password” or “please type in your account number so we can verify your account hasn’t been stolen.” The problem is that the websites themselves usually look legitimate; the one thing that gives them away is the link itself. Good scammers will do everything they can to make the site look as real as possible, but they cannot duplicate a domain. So if you ever want to make sure you are visiting a valid site, always check the address at the top of your browser and make sure it is where you want to be.
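As an added example (not part of the original post), here is a small Python checker that applies the address-bar test just described: it extracts the host the browser would actually connect to and reports whether it really belongs to a trusted domain. The trusted domains and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: domains the organisation legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}


def _split(url: str):
    """urlsplit() only sees the host when a scheme is present; add one if missing."""
    return urlsplit(url if "://" in url else "http://" + url)


def registered_host(url: str) -> str:
    """Hostname the browser would actually connect to (lower-case, no trailing dot)."""
    return (_split(url).hostname or "").rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(url: str, trusted=TRUSTED_DOMAINS):
    """Classify a link the way the address-bar check in the text does.

    Returns (verdict, reasons); verdict is "trusted" or "suspicious".
    """
    host = registered_host(url)
    if not host:
        return "suspicious", ["no hostname"]
    if any(belongs_to(host, d) for d in trusted):
        return "trusted", []
    reasons = []
    # user:pass@ placed before the real host, e.g. examplebank.com@evil.test
    if "@" in _split(url).netloc:
        reasons.append("userinfo before @ hides real host")
    # Already-encoded internationalised host: lookalike characters may render as a trusted name
    if "xn--" in host:
        reasons.append("punycode host (possible lookalike characters)")
    # Trusted name used as a prefix or fragment: examplebank.com.verify.test
    for d in trusted:
        if d in host or d.split(".")[0] in host:
            reasons.append(f"embeds trusted name {d!r} without being under it")
    return "suspicious", reasons or ["host not in trusted list"]


if __name__ == "__main__":
    for link in ["https://login.examplebank.com/reset",          # constructed samples
                 "https://examplebank.com.account-verify.test/reset",
                 "https://examplebank.com@evil.test/",
                 "https://evil.test/"]:
        print(link, "->", check_link(link))
```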
The last thing I want to touch on about the user is that we don’t train them properly. We show them an Acceptable Use Policy, or give them some other guidance on what not to do, but we never train them on why. Most policies these days say you shouldn’t connect USB drives or personal electronic devices, don’t open e-mails from people you don’t know, and don’t misuse the system by browsing inappropriate websites. But do we ever train users on why?
It is my belief that an initiative needs to be put in place to give incoming users an actual class on why they shouldn’t do these things, and on how to protect themselves both at work and at home. As CIOs, CISOs, cyber security specialists, and information technology specialists, we should show them, in a closed environment, what can happen if they put too much information on Facebook or any other social media site, and show them how to secure it as well. Finally, show them what a malicious USB device can do, using a configuration like USB Hacksaw. I know that one is old, but it can still serve a purpose. Let us, the white hats of the cyber realm, finally show users why things are the way they are and how we can prevent future disasters from happening.