With a click, employees invite a vampire into the network
Even with the best security, a careless insider can always let Dracula in
- By William Jackson
- May 16, 2011
It is common knowledge in the realm of undead fiction that a vampire cannot enter a home until he has been invited in. But there seldom is a shortage of gullible victims in books and movies to open the doors and windows.
Hackers and online thieves operate much the same way. Despite what often seems to be their almost supernatural powers, they typically are invited by insiders into the systems that they violate. Then they feed off your digital blood.
A rash of disturbing breaches this year, from RSA and the Energy Department labs to the Sony PlayStation Network, illustrate how powerless security can be in the face of someone who opens an e-mail, clicks on a link or downloads an attachment.
Oak Ridge lab shuts down e-mail, Internet after cyberattack
Hackers gain access to RSA's SecurID security tokens
Segmenting networks, increasing access controls and restricting user privileges are a headache for administrators and add to the overhead of managing a network, but they are necessary to limit the damage an intruder can do once invited inside.
The online Privacy Rights Clearinghouse reports that, so far this year, about 12.5 million personal records have been breached through hacking or some unknown means. The bulk of them — about 12 million unencrypted credit card numbers — were in the PlayStation breach exposed in April. The total does not include the other 65 million records believed to have been exposed in the Sony breach.
So far, Sony has not said specifically how the breach occurred, except to describe it as sophisticated. But breaches earlier this year of the RSA SecurID token and at Oak Ridge National Laboratory show that spear phishing attacks continue to be successful.
Why do these attacks succeed in a time when everyone who is online ought to know better? Maybe we just don’t believe it will happen to us. As Professor Abraham van Helsing explained in Bram Stoker’s “Dracula”: “In this enlightened age when men believe not even what they see, the doubting of wise men would be his greatest strength.”
Getting people to believe is possible, but not necessarily easy. The firm PhishMe, which does phishing awareness training, helps enterprises test awareness by sending phony phishing e-mails — a sort of phish-phishing. On a first run of the test, an average of 58 percent of recipients fall for the attack, said company CEO Rohyt Belani. “It explains why spear phishing is so popular. It works.”
By a fourth round of testing, the success rate typically comes down to the single digits. “We are never going to bring it down to zero,” Belani said. “But it is an improvement.”
Filters can help prevent successful phishing attacks by identifying and blocking e-mail messages. But they are imperfect, and that stubborn, remaining single-digit percentage of users can thwart even good technology. It is rumored that the RSA breach occurred when an employee retrieved an e-mail from the phishing filter, opened it and clicked on a link.
Even a good combination of technology and awareness training leaves a residual threat that is difficult to deal with, because once bad guys get a foot in the door, they often can get access to an array of resources that have nothing to do with the original breach.
Restricting access is a pain, but it might well be necessary to mitigate the residual threat. All the garlic in the world will not do you any good if someone insists on opening the door.
William Jackson is freelance writer and the author of the CyberEye blog.