{"id":6439,"date":"2017-01-30T15:10:21","date_gmt":"2017-01-30T23:10:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/30\/news-276\/"},"modified":"2017-01-30T15:10:21","modified_gmt":"2017-01-30T23:10:21","slug":"news-276","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/30\/news-276\/","title":{"rendered":"How do I get my employees to stop clicking on everything?"},"content":{"rendered":"<p>If you\u2019ve been given responsibility for network security in a non-technical area of the business, there\u2019s one eternal question that has been bedeviling admins for decades. Shelves of words have been spilled on the subject, to limited result.<\/p>\n<h3>How do I get the user to stop clicking everything?<\/h3>\n<p>Everyone with cybersecurity responsibilities has their own crop of horror stories where an intransigent user has clicked furiously on a Dridex installer, wondering why their \u201cinvoice\u201d won\u2019t load.\u00a0 A user might enable macros to see the \u201cimportant notice\u201d, scratch their head at the display issues, then open the document on another machine because theirs obviously had issues. A more recent corollary is the user who gets an email from the \u201cCEO\u201d, and subsequently starts a wire transfer to a dodgy address in Asia without following up with anyone. These are problems that have been appearing in almost every organization, for years. 
So what is wrong with these people and how do we fix it?<\/p>\n<h3>Theory 1: The Bad User<\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-16247\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/baduser-600x379.png\" alt=\"\" width=\"600\" height=\"379\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/baduser-600x379.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/baduser-300x190.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/baduser.png 1420w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>Let\u2019s call this the BOFH theory, as it\u2019s most commonly used by people in security to explain why we shouldn\u2019t have to do anything about phishing, because it\u2019s forever unsolvable. The user, an ignorant, benighted soul, is incapable of looking up from their daily toil to enlighten themselves on security issues. One can never expect a marketing exec to reach our levels of security sophistication, and as such, it\u2019s foolish to attempt to uplift them. This is wrong and counterproductive, on several levels.<\/p>\n<p>First is the Ned Flanders\u2019 Parents Corollary: \u201cWe\u2019ve tried nothing and we\u2019re all out of answers!\u201d Those of us working these issues on a daily basis rarely, if ever, have conversations with business profit centers <em>on their terms.<\/em>\u00a0We have a tendency to shower users with a barrage of horrible outcomes if they click a phish, up to and including compromise of the entire production network.\u00a0 While true-ish, when you take this approach to almost every potential threat, an average user will immediately tune you out as a hysterical Chicken Little. And they\u2019re not necessarily wrong. The most common outcome for a phish-derived compromise on a properly configured network is a reimage of the impacted host followed by a SOC investigation and report to the CISO. 
While irritating and time-consuming, it is not a catastrophe. A much more productive approach is to explain to the user the downtime associated with a reimage and the fiscal cost to the business.\u00a0 (Depending on the org, up to 16 lost working hours for the impacted user, and more for the SOC.)<\/p>\n<p>The kinder, gentler version of the Bad User theory is phishing education. People simply don\u2019t know what a phish looks like and what it can do, and it is incumbent upon us to teach them, and then phishing will be solved forever. There are four problems with this.<\/p>\n<ol>\n<li>It assumes that the user never has a good reason to click on a message that appears slightly off.<\/li>\n<li>It assumes a security-savvy user\/admin wouldn\u2019t click on a phish. Various APT groups have enjoyed great success proving otherwise. If you think you are not susceptible to this, it\u2019s you \u2013 you are the security vulnerability.<\/li>\n<li><a href=\"http:\/\/www.tibco.com\/blog\/2014\/08\/05\/why-corporate-email-is-bad-for-your-business-and-how-to-escape-it\/\">Email Fatigue<\/a> erodes your judgement.<\/li>\n<li>Phishing education courses are <em>terrible<\/em>. 
I mean really, look at this:<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-16230\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/phish-600x600.jpeg\" alt=\"\" width=\"600\" height=\"600\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/phish-600x600.jpeg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/phish-150x150.jpeg 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/phish-300x300.jpeg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3>Theory 2: The Bad Company<\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-16248\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Umbrella_Corporation_logo_on_a_car-600x448.jpg\" alt=\"wikimedia commons\" width=\"600\" height=\"448\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Umbrella_Corporation_logo_on_a_car-600x448.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/Umbrella_Corporation_logo_on_a_car-300x224.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>Some folks realize that attributing unwanted user behavior to mass, contagious, intractable idiocy is counter-productive, usually wrong, and poisons relationships between security and the rest of the company. These people\u00a0will tell you it is not the user\u2019s fault for clicking, per se, it is the company\u2019s fault for incentivizing bad actions. This is closer to true, as organizational incentives do strongly predict individual outcomes, but can still be problematic.<\/p>\n<p>On the true side, some companies like to deluge employees with emails that look like phishes. It&#8217;s not uncommon for users to receive corporate emails full of HTML, an urgent call to action, followed by a link to an internet network resource. 
If this sounds familiar to you, it&#8217;s not really a mystery why your users would click on a phish.<\/p>\n<p>On the \u201cYes, but\u201d side, phishes have more than one lure. For every phish that looks like a legitimate request to update your corporate phonebook entry, there\u2019s one where the \u2018CEO\u2019 is asking the user to Western Union money to Vietnam, or offers a \u2018corporate discount\u2019 after filling out a survey. The issue here is less learned email helplessness, and more a security culture that doesn\u2019t treat users as partners. A healthy SOC does not scold users for misbehavior; it enlists users as foot soldiers to ferret out malicious indicators that would otherwise go unnoticed. There is precious little that makes a non-technical user more proud than to be able to present a new threat to the professionals for disposition. Give your users reasons to have pride in themselves and they will jump at the chance to be helpful.<\/p>\n<h3>Theory 3: Driving a nail with a platypus<\/h3>\n<p>Why is phishing an intractable problem? Because&#8230;<\/p>\n<h3>Organizational issues require organizational solutions<\/h3>\n<p>There is no patch, update, conversion, or SIEM that will in the slightest bit impact human behavior, but that doesn\u2019t seem to stop folks from trying. Users click phishes and will continue to do so because they are incentivized to view clicking as a rational act. \u00a0Some questions to ask before looking to a technical solution for phishing:<\/p>\n<ol>\n<li>Does the business pass around document files for frequent, multi-user revisions? Consider a cloud-based document editing solution, or even <a href=\"http:\/\/softwarerecs.stackexchange.com\/questions\/36476\/source-version-control-software-with-gui\/36479\">version control software<\/a>. No one can click on the malicious attachment that isn&#8217;t being sent.<\/li>\n<li>How closely do your intra-company communications resemble phishes? 
What is the penalty suffered by ignoring them? A chat between security and company communications can go a long way towards teaching better email hygiene.<\/li>\n<li>Are you afraid of your\u00a0CEO? <a href=\"https:\/\/www.ic3.gov\/media\/2016\/160614.aspx\">Business Email Compromise<\/a>\u00a0is a very lucrative scam that relies on recipients of the phish being too intimidated to question an email from someone they believe to be their boss.<\/li>\n<\/ol>\n<p>The common thread to these possible solutions is that they are cheap or free, and you can already implement those that rely on internal resources. Before you spend money engineering a non-engineering problem, it might be more productive to put the platypus down and ask &#8220;Why wouldn&#8217;t someone click that?&#8221;.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/01\/how-do-i-get-my-employees-to-stop-clicking-on-everything\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2017\/01\/how-do-i-get-my-employees-to-stop-clicking-on-everything\/' title='How do I get my employees to stop clicking on everything?'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/photodune-7237140-stressed-and-worried-businessman-xxl.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>If you\u2019ve been given responsibility for network security in a non-technical area of the business, there\u2019s one eternal question that has been bedeviling. 
How do you get your employees to stop clicking on everything?<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/business\/\" rel=\"category tag\">Business<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/business-email-compromise\/\" rel=\"tag\">Business Email Compromise<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/business-security\/\" rel=\"tag\">business security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ciso\/\" rel=\"tag\">CISO<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/scam\/\" rel=\"tag\">scam<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/threat-intel\/\" rel=\"tag\">Threat Intel<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/workforce\/\" rel=\"tag\">workforce<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2017\/01\/how-do-i-get-my-employees-to-stop-clicking-on-everything\/' title='How do I get my employees to stop clicking on everything?'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,1001,11140,11141,11142,3924,3985,11143,11144],"class_list":["post-6439","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-business","tag-business-email-compromise","tag-business-security","tag-ciso","tag-phishing","tag-scam","tag-threat-intel","tag-workforce"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6439"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6439\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}