[BreachExchange] Why end users should never be held responsible for cyber attacks

Destry Winant destry at riskbasedsecurity.com
Thu Jun 15 01:35:26 EDT 2017


http://www.information-age.com/end-users-never-held-responsible-cyber-attacks-123466771/

Email is ubiquitous, and that leads some to assume that it’s safe.
Nothing could be further from the truth. While your average end-user
might be savvy enough to avoid unsophisticated scams, it remains, by
default, a completely insecure communication channel.

Among cybercriminals, email remains something of a favourite attack
vector. Phishing and spear-phishing attacks target users, with varying
degrees of specificity.

Maybe the criminal receives an ‘out of office’ message from a finance
director and knows they’re on holiday, giving them the perfect excuse
to target a busy treasury department with money transfer requests.
Maybe they collect information from social media profiles, which they
then use to impersonate decision makers.

Email can be dangerous in numerous ways, and the problems it causes
cannot be prevented solely by conditioning users to be cautious. The
belief that education is the key to preventing cyber-attacks has a
certain logic to it. Supposedly, by training employees, you eliminate
any unintentional insider threat. But this unfortunately puts the onus
for IT security on people who aren’t meant to be accountable for it.

User training is user blaming – nonetheless, businesses, government
departments and other organisations continue to place the burden of
responsibility for security on people who are utterly unqualified to
bear it.

Email attacks are a problem that even well-seasoned IT security
experts struggle to keep pace with. Domain impersonation and reply
redirection are techniques that require a user to spot very small
differences in a message or message chain. Something as sophisticated
as the malicious use of Punycode – the encoding that lets
internationalised domain names be written in plain ASCII – is extremely
difficult to detect by eye.
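To show what the gateway-side check the article argues for can look like, here is an added example (not code from the article or from Information Age): it decodes any Punycode label in the sender domain of a From: header, flags labels that mix Unicode scripts, and flags domains that collapse onto a protected domain once a small, constructed table of look-alike characters is applied. The header sample, the confusable table and the protected-domain set are all constructed for the example.

```python
"""Flag Punycode (IDN homograph) sender domains before a user sees them."""
import unicodedata
from email.utils import parseaddr

# Constructed, deliberately incomplete map of visually confusable
# characters (here Cyrillic) to the Latin letters they imitate.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0458": "j", "\u04bb": "h", "\u04cf": "l"}


def decode_label(label: str) -> str:
    """Decode one DNS label; labels starting with 'xn--' carry Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> set:
    """Unicode scripts (first word of the character name) used by letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Replace known confusables so look-alikes collapse onto the target."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def analyse_sender(from_header: str, protected: set) -> dict:
    """Return the decoded sender domain and a list of detection flags."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    labels = [decode_label(lbl) for lbl in domain.split(".")]
    unicode_domain = ".".join(labels)
    flags = []
    if unicode_domain != domain:          # at least one xn-- label
        flags.append("punycode")
    if any(len(scripts_of(lbl)) > 1 for lbl in labels):
        flags.append("mixed-script")      # e.g. Cyrillic 'а' beside Latin
    target = skeleton(unicode_domain)
    if unicode_domain not in protected and target in protected:
        flags.append("lookalike-of-" + target)
    return {"domain": domain, "unicode": unicode_domain, "flags": flags}


if __name__ == "__main__":
    # Constructed header: 'xn--pple-43d' decodes to Cyrillic 'а' + 'pple'.
    print(analyse_sender('"Finance Director" <fd@xn--pple-43d.com>',
                         {"apple.com"}))
```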

To put it bluntly and without malice: end-users don’t stand a chance.
They can’t be ‘careful’ when a phishing or malware attack is
near-indistinguishable from a typical email message. They can’t be
trained to keep up with the latest attack vectors. One small mistake –
and experts and end-users alike are capable of them – can allow a
criminal to overtake an entire system.

End user involvement

Security departments should take end user involvement out of the
equation. Solutions should be put in place to detect and quarantine
threats long before they ever reach a user or email server. Advances
in artificial intelligence and machine learning mean key attack
techniques can be quickly identified and neutralised, and malicious
email simply shouldn’t be able to enter an organisation.

The best thing an end-user can learn is a degree of cynicism – this at
least will help them judge which emails to trust. But they shouldn’t be
relied upon in any way to protect a company’s electronic assets – they
are not the first or last line of defence. If they’re being used as
such then they will ultimately compromise the organisation they work
for. Simply put, they’re there to use the system, not protect it. IT
departments should ensure that they can do so – without having to
worry about security threats.


More information about the BreachExchange mailing list