For most of 2011, the news headlines have been filled with tales of cyberheists and security failures. RSA got hacked, then the PlayStation Network, Citigroup, the US Senate, NATO, and Lockheed Martin. Anonymous and LulzSec have garnered huge amounts of attention for their exploits. And in all likelihood there were hundreds (if not thousands) of less well-known cyberattacks that occurred in the same timeframe but went unnoticed or unreported. IT security seems to be a mess these days, with even the largest and most well-financed corporations and government organizations proven to have security defenses the consistency of half-eaten Swiss cheese.
The nature of security threats has changed over the past few years, with amateur hackers and script kiddies giving way to professionals backed by significant skills and resources. According to Stu Sjouwerman, founder and CEO of security training company KnowBe4 and author of Cyberheist (KnowBe4, 2011), the trend toward more professional cybercriminals won’t be changing anytime soon.
“Some of these cybercriminals are extremely well-funded and they have their own labs filled with test machines, each running the latest version of most antivirus products. They’ll find and exploit zero-day vulnerabilities in software like Adobe Reader, then send phishing test emails through all of this AV software,” says Sjouwerman, who was also one of the founders of security vendor Sunbelt Software. “They’ll find [a phishing email] that works, set up an email server, and send a few million phishing emails to a database of email addresses, then shut the server down within a day.”
The Case for Fixing Operator Error
Sjouwerman told me that many cybercriminals find success within the first 6 to 8 hours of their phishing attacks, as unwitting users click on links designed to deliver a malware payload, such as keyloggers, Trojans, and other types of advanced persistent threats (APTs). Many of these attacks succeed because somebody clicks a link in a phishing email or is visiting a website that they shouldn’t—or because they simply don’t have a clue about basic IT security. We’ve all made mistakes, but I’m sure we all know someone—acquaintances, friends, family, or co-workers—who is constantly struggling with viruses, malware, or other security issues.
Sjouwerman argues that IT security is long overdue for a strategic rethink in order to face the changing nature of security threats. He contends that the days of IT security being satisfied with establishing a firewall, installing antivirus software, and keeping Windows servers patched are long gone.
“Larger organizations frequently train employees about sexual harassment, but sexual harassment still happens in the workplace. The same thing is happening with IT security. Yearly security questionnaires or infrequent company-wide memos only go so far.” What Sjouwerman advocates is a much more aggressive training and education regimen for users at every company, starting with informing users about the threat posed by phishing attempts and how to identify and combat them. “We all need to start taking security more seriously, and that really begins at the individual level,” Sjouwerman says. “Ongoing testing and evaluation of employees by sending fake phishing emails is essential, as the costs of failure have increased dramatically.” Sjouwerman also suggests a sliding scale for employees who continuously fail security tests, with verbal warnings leading to multiple written warnings, followed by eventual termination if an employee continues to fail. Sjouwerman points to banks that have a zero-tolerance policy for employees who flout or ignore security rules and guidelines; failure to comply with corporate security guidelines is met with immediate termination.
What can an IT manager do to keep the bad guys out? Beyond the basics of installing and properly configuring firewalls, installing antivirus/anti-malware software, and making sure server software, web servers, appliances, routers, browsers, and third-party plug-ins are patched and updated, educating and training your users—backed with help from senior management and HR—should do wonders to improve your overall security posture.
Do you have ideas for how to best train and educate end users about IT security basics? Send your advice and suggestions to me via email at email@example.com, and/or follow me on Twitter @jeffjames3.