Growing up, my mum always got me to wash my hands after going to the toilet, or having been outside playing—and of course before I sat down to eat dinner. Why did she do this? In fact why do all good parents do this? Of course, it’s to help minimise the risk of ingesting some ‘bug’ and becoming sick.
Sometimes it was a pain and an inconvenience, but I did it. I still got sick, but I don’t recall ever being ‘that’ sick as a kid. Now as a dad, I find myself repeating the same things to my children. Just like educating children about personal hygiene, we in the IT security profession have (for years) tried to educate the user about computer security hygiene.
‘Don’t log into your PC as admin’, for example (or root for Unix/Linux people); ‘don’t install or run applications from untrusted sources’; ‘keep your system patched’; ‘run antivirus and keep it up-to-date’; and so on. If this were a scene in a movie, it would involve 30 people all talking to you at once—complete confusion.
But how have we fared in educating the end-user populace? I think it's fair to say poorly—especially given that the key infiltration vector for many security breaches is social engineering. By targeting the user, many attackers (cyber criminals, hacktivists, and Advanced Persistent Threats) have successfully achieved their objective—infiltrating the target so as to complete their mission, such as stealing credit cards, gaining access to publicly sensitive information or accessing corporate plans and intellectual property.
Spear phish the user!
According to the recent Mandiant report on the Chinese PLA cyber unit 61398 (a.k.a. APT1), ‘spear phishing’ was their most common attack method. Why? Because it was simple, and had a great return on investment. Whilst social engineering is not new, the ability for attackers to gather quality intel about their targets without leaving the safety of their chairs is new. How much of your life do you share on Facebook, Twitter, LinkedIn, and Google+? I know I share a lot…maybe too much.
So it comes as no surprise that when a victim receives a very believable email from a colleague, discussing the latest budget numbers or presentation, they open up the attachment or click a link.
Goodbye to antivirus?
So where are the latest and greatest security technologies in helping prevent such an attack? In the recent New York Times attack by APT1, Mandiant uncovered 45 pieces of malware on New York Times’ computer systems, of which only one piece was detected by the antivirus software used by the New York Times. Does this mean that there is an over-reliance on antivirus software—like antibiotics in the world of medicine? Most certainly yes, but the problem here is not the failing of antivirus; it is the lack of good, solid security hygiene.
Just like the old saying “an ounce of prevention is worth a pound of cure”, some basic security fundamentals and hygiene would have gone a long way to containing such attacks. Unfortunately, there’s no silver bullet cure. And equally unfortunately, most users soon become tired and look for shortcuts or become sloppy.
What is the solution? Easy. You need to do everything right. Your cyber adversary only needs to get it right once!
Daunting, yes, but you can minimise the chances of being a victim by following these steps:
1. Check the privacy of your social networking sites (https://mypermissions.com)
2. Practice good browsing; learn how to browse the internet safely
3. Don’t use administrative rights to perform normal daily activities
4. Do use security software
5. Keep your system and software patched and up-to-date
6. Do not click random links
7. Beware of email and attachments from unknown people
8. Do not download unfamiliar software off the Internet
9. Log out of or lock your computer
10. Frequently back up important documents and files (often overlooked – but has saved my bacon a few times)
11. Wash your hands before eating

No surprises there!