Many of you may remember the U.S. version of the television game show, “The Weakest Link” which aired in the early 2000s (those of you in other geographies, especially the U.K. may still be watching current versions). The show’s host, Anne Robinson, was famous for her catchphrase, “You ARE the weakest link. Goodbye.” At this point, the contestant in question was whisked away from the stage in inglorious fashion.
If you are (and since you are reading a blog online, I assume you are) a computer end-user, you are the weakest link. Any number of articles and reports about information security point to the individual end-user as being the weakest link in IT security. An article in the Economist as far back as 2002 sums it up, “Amateurs hack systems, professionals hack people.”
Kevin Mitnick, at one time the world’s most notorious hacker now turned consultant and author, said in the year 2000:
When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.
Has much really changed over time? Perhaps not. Today’s exploits – blended threats, spam attacks, malicious web sites, botnets and Advanced Persistent Threats (APT) – commonly begin by exploiting the end-user using simple social engineering techniques. Most commonly, these exploits rely on an emotional reaction in the end-user to initiate the attack.
When debonair agent James Bond needed access to a secret facility or a bomb-defusing code, he started by wooing the gorgeous Bond girl, taking advantage of her emotions to gain access.
The same is true of today’s exploits – scare the end-user or lure them with a phony story so that they click a link, launch an executable, or divulge some private information. No matter how much security awareness training they’ve been given, users will all too often still fall for the attack. Security awareness training is still important, but is not a panacea for preventing attacks. Even trained security professionals have occasionally succumbed to these tactics.
Unfortunately, there is no such thing as a human firewall that will help prevent this leakage. The best answer most organizations settle on is a strong security awareness and training program. But to avoid accidental infection or data leakage, organizations need to go beyond training and implement automatic controls that stop risky end-user actions from taking effect. These include data loss prevention systems, email filtering and Web filtering technologies. By automatically blocking spam and malicious software from entering an organization, and automatically stopping the egress of sensitive data, the end-user’s faulty decision making is taken out of the equation.
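To make the "automatic controls" idea concrete, here is an added example (not code from the original post or from any product it mentions) of the two checks such controls perform: an inbound filter that rejects mail carrying executable attachments or coming from a sender domain that merely looks like a trusted one, and an outbound data-loss check that blocks messages containing a Luhn-valid payment-card number. The trusted domain, blocked extension list, sender addresses and message texts are all constructed for illustration; a real deployment would take them from policy.

```python
"""Added example, not from the original post: minimal ingress (email
filtering) and egress (data loss prevention) checks of the kind the post
recommends, run over constructed sample messages. Every domain, address
and message below is constructed for illustration."""

import re
from dataclasses import dataclass, field

# Constructed policy: attachment types that are never delivered to users.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}
# Constructed set of domains the organisation actually trusts.
TRUSTED_DOMAINS = {"example.com"}
# 16 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True if the domain is untrusted but within one edit of a trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, so plain ticket or serial numbers do not trip the DLP rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inbound_verdict(msg: Message) -> list:
    """Policy reasons for blocking an inbound message (empty list means deliver)."""
    reasons = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if lookalike_domain(domain):
        reasons.append(f"lookalike sender domain: {domain}")
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment type: {name}")
    return reasons


def outbound_verdict(msg: Message) -> list:
    """Policy reasons for blocking an outbound message: Luhn-valid card numbers in the body."""
    reasons = []
    for m in CARD_RE.finditer(msg.body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Log only a masked form so the DLP log does not itself leak the number.
            reasons.append(f"payment card number in body: {digits[:6]}******{digits[-4:]}")
    return reasons


# Constructed sample traffic: one lure with a lookalike sender and an executable,
# one legitimate inbound message, one outbound leak, one outbound false-positive candidate.
SAMPLE_INBOUND = [
    Message("it-helpdesk@examp1e.com", "URGENT: password expires today",
            "Run the attached tool to keep your access.", ["reset_tool.exe"]),
    Message("alice@example.com", "Q3 figures", "See attached.", ["q3.xlsx"]),
]
SAMPLE_OUTBOUND = [
    Message("bob@example.com", "re: refund", "Card on file is 4111 1111 1111 1111, thanks."),
    Message("bob@example.com", "re: ticket", "Ticket ref 1234 5678 9012 3456 still open."),
]


def run_policy() -> dict:
    """Apply both controls to the samples; returns {subject: reasons} for blocked messages."""
    blocked = {}
    for m in SAMPLE_INBOUND:
        if reasons := inbound_verdict(m):
            blocked[m.subject] = reasons
    for m in SAMPLE_OUTBOUND:
        if reasons := outbound_verdict(m):
            blocked[m.subject] = reasons
    return blocked


if __name__ == "__main__":
    for subject, reasons in run_policy().items():
        print(f"BLOCKED {subject!r}: {'; '.join(reasons)}")
```

The point of the Luhn test in the egress check is the one the post makes about faulty decision making in the other direction: a control that blocks every 16-digit number would be switched off within a week, so the rule has to be precise enough that users and administrators leave it enabled.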
Technical solutions are still not perfect, as Mitnick points out, but they will reduce organizations’ exposure to malicious software, botnets and data loss. Be careful what you open. Be careful what you click on. Remember the only safe place to update software is the vendor’s web site. Don’t make yourself the weakest link. Goodbye.
