The weak link in security: People
The human user is the first line of cybersecurity defense but also a persistent weakness
- By William Jackson
- Jan 07, 2011
One of the holiday season’s top cybersecurity stories was the phony White House Christmas e-card that was opened by a number of U.S., state and foreign government workers. It installed malicious executable code to search the victim’s PC for documents and send them off to a server in Belarus.
It’s easy for those of us who never would fall for such a ploy to say, “What were you thinking? You should never open up suspicious attachments, and you should delete all electronic greeting cards without opening them.”
That’s my advice, at least. And, as far as it goes, it’s good advice.
“You should delete them,” agreed Anup Ghosh, founder and chief scientist at Invincea, a company that provides desktop browser security. “You can’t tell where it is coming from.”
Phony White House e-card the work of spies?
But people send electronic greeting cards because they are convenient, and people open them because they are human, whether they know better or not. Like all successful social engineering tricks, “they appeal to the user’s desires, fears or sense of humor,” Ghosh said. “The curiosity factor overwhelms any voice in your head saying, ‘Maybe this isn’t legit.’”
For that reason, a security policy that relies on human judgment is a bad policy, Ghosh said. “Just saying no is part of the problem.”
Ghosh has a corporate interest in this issue: His company sells a virtual, isolated browser environment that detects threats and disposes of them by getting rid of the environment. It’s a disposable browser that you don’t have to worry about infecting.
Hallmark, another party with an interest in the phishing issue, also preaches safety over abstinence.
“While phony e-cards are one way this stuff gets delivered, it's actually an issue that affects any brand that is trusted by the public, which means that never opening a link to anything may not be the most practical solution,” said Hallmark spokeswoman Linda Odell. “At Hallmark, we address the issue on three levels: technical, legal and consumer awareness.”
Hallmark goes after phishers that exploit its brand and shuts them down as quickly as possible. But those bad actors change names, addresses and servers fast and frequently, so the company’s primary defense is to educate consumers about the safeguards of a genuine Hallmark e-card. Legitimate card notifications do not contain attachments and should always include the name of someone you know as the sender, along with a confirmation number. To retrieve a legitimate card, recipients should manually type www.hallmark.com/getecard into a browser and enter the e-mail address and confirmation number.
That's all well and good, but what does all that effort get you? An e-greeting card. I don’t want to sound like a curmudgeon, but an e-card from someone who doesn’t think enough of you to buy a paper card and a stamp and address an envelope isn’t that great a loss. On the one hand, you might miss an amusing song and dance (if you are easily amused). On the other hand, even with safeguards, you could open yourself up to an infection that could compromise security and lead to an embarrassing paragraph about you in the morning news.
I agree that an effective security policy requires technology to protect users and enforce good practices, as well as establish prohibitions, and that a policy that relies only on saying no is not a good idea.
But saying no is a good starting point. And for those of you who opened phony greeting cards over the holidays: What were you thinking? You should delete those things.