CYBEREYE

The weak link in security: People

The human user is the first line of cybersecurity defense but also a persistent weakness

One of the holiday season’s top cybersecurity stories was the phony White House Christmas e-card that was opened by a number of U.S., state and foreign government workers. It installed malicious executable code to search the victim’s PC for documents and send them off to a server in Belarus.

It’s easy for those of us who never would fall for such a ploy to say, “What were you thinking? You should never open up suspicious attachments, and you should delete all electronic greeting cards without opening them.”

That’s my advice, at least. And, as far as it goes, it’s good advice.

“You should delete them,” agreed Anup Ghosh, founder and chief scientist at Invincea, a company that provides desktop browser security. “You can’t tell where it is coming from.”


Related coverage:

Phony White House e-card the work of spies?


But people send electronic greeting cards because they are convenient, and people open them because they are human, whether they know better or not. Like all successful social engineering tricks, “they appeal to the user’s desires, fears or sense of humor,” Ghosh said. “The curiosity factor overwhelms any voice in your head saying, ‘Maybe this isn’t legit.’”

For that reason, a security policy that relies on human judgment is a bad policy, Ghosh said. “Just saying no is part of the problem.”

Ghosh has a corporate interest in this issue: His company sells a virtual, isolated browser environment that detects threats and disposes of them by getting rid of the environment. It’s a disposable browser that you don’t have to worry about infecting.

Hallmark, another party with an interest in the phishing issue, also preaches safety over abstinence.

“While phony e-cards are one way this stuff gets delivered, it's actually an issue that affects any brand that is trusted by the public, which means that never opening a link to anything may not be the most practical solution,” said Hallmark spokeswoman Linda Odell. “At Hallmark, we address the issue on three levels: technical, legal and consumer awareness.”

Hallmark goes after phishers that exploit its brand and shuts them down as quickly as possible. But those bad actors change names, addresses and servers fast and frequently, so the company’s primary defense is to educate consumers about the safeguards of a genuine Hallmark e-card. Legitimate card notifications do not contain attachments and should always include the name of someone you know as the sender, along with a confirmation number. To retrieve a legitimate card, recipients should manually type www.hallmark.com/getecard into a browser and enter the e-mail address and confirmation number.

That's all well and good, but what does all that effort get you? An e-greeting card. I don’t want to sound like a curmudgeon, but an e-card from someone who doesn’t think enough of you to buy a paper card and a stamp and address an envelope isn’t that great a loss. On the one hand, you might miss an amusing song and dance (if you are easily amused). On the other hand, even with safeguards, you could open yourself up to an infection that could compromise security and lead to an embarrassing paragraph about you in the morning news.

I agree that an effective security policy requires technology to protect users and enforce good practices, as well as establish prohibitions, and that a policy that relies only on saying no is not a good idea.

But saying no is a good starting point. And for those of you who opened phony greeting cards over the holidays: What were you thinking? You should delete those things.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Jan 10, 2011 Robert

The user problem can be mitigated by education. For instance, you can download a zipped attachment, unzip it (don't click to execute), and upload the unzipped file to an online virus scanning service, such as Jotti or Virus Total. You can also manually scan the file with most of the antivirus programs that are installed on desktop computers if they do not recoginze an infection when you download the zipped file. Of course education takes some time/resources, and most businesses don't want to bother with that--prefering for the employees to educate themselves!

Mon, Jan 10, 2011 Jeffrey A. Williams

The weak link in all of IT is the human factor. This has been a well known fact for several decades now, but is often times nor reidily recognized. What amazes me is regarding the ecard incident with the White House is that they decided to use an ecard service from Belirus instead of say an American service like Halmark Cards.

Mon, Jan 10, 2011 Gordon Dean Washington DC

I'm a pretty savvy user, and I tend to look over the details of an attachment before opening it, and I know what to look for in an e-card. Overall I found this an antiquated and unhelpful commentary. Perhaps "just don't" is a useful policy for Grandma, or a boss two years from retirement. But William Jackson's advice seems otherwise much like a codger in 1909 saying that the best way to deal with the problems with those newfangled gasoline auto-mobiles is to get a horse. Thanks. I haven't sent a paper greeting card in five years, and find it vaguely irritating when my friends do. Another piece of paper to track...thrilling. My friends communicate almost exclusively electronically, and in five years, sending a "Greeting Card" by mail is going to be about as relevant or appreciated as a Western Union Telegram in my childhood, when long-distance had made the telegram a purely symbolic gesture. Hallmark's attempt to create an informed and savvy public is far more relevant and helpful to modern users than Mr. Jackson's curmudgeonly advice. Three rules of thumb for identifying spoofs would have been a better use of bandwidth than this outmoded rant...

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above