8 Things Users Do That Make Security Pros Miserable
When a user interacts with an enterprise system, the result can be productivity or disaster. Here are eight opportunities for the disaster side to win out over the productive.
February 18, 2020
Delaying or Refusing Software Updates
We get it. Software updates are a pain. Who hasn't laughed at the important presenter hit with the automatic application update in the middle of a critical speech? And software updates for critical enterprise software have spawned a market segment of their very own. Still, ignoring updates is a great way to end up as the subject of a news story that others will use as a "teachable moment."
"Most ransomware attacks come from socially engineered emails. That threat is followed closely by unpatched software. It's not as sexy as some of the other dangerous actions, but they cause far more damage than any of the stories of fear that are peddled our way and that we are told to fear," says Roger Grimes, data driven defense evangelist at KnowBe4.
One of the great advantages of SaaS is that the provider has the responsibility to keep the application updated and patched. Whether your concerns are about personal productivity applications or enterprise back-end software, a patching plan and the ability to put that plan into regular action are some of the most important steps a security team can take to keep their organization safe. After all, once a vendor ships a fix the vulnerability is public, and often so is a working exploit; an unapplied patch leaves you facing a known, documented hole rather than a zero-day.
(Image: Chris Titze Imaging VIA Adobe Stock)
Using Biometrics as Single-Factor Authentication
Biometric authentication is considered an important part of many multi-factor authentication schemes. Adding a second, biometric factor to user authentication can make it far more difficult for attackers to use stolen credentials to launch the sort of attack that has created "mega-breaches" in recent years. The problem, some say, is that organizations may see biometrics as such a strong authentication method that they use a biometric factor as the sole factor in user login.
While biometric factors can be strong, they're far from invulnerable. Researchers have demonstrated successful attacks against many biometric factors, from fingerprint scanning to facial recognition.
While a few have pointed to the weaknesses of certain biometrics to argue that the systems should be abandoned, most security experts see them as useful factors in a multi-factor authentication scheme -- just not as the only factor in single-factor authentication. Unlike a password, a compromised fingerprint or face cannot be rotated, which is one more reason not to let it stand alone.
(Image: HQUALITY VIA Adobe Stock)
Clicking Shortened or Mobile URLs
URLs can be very long. That can make them nearly impossible to type and difficult to squeeze into the limits imposed by messaging services. Fortunately for messaging fans, there's no shortage of services that will take a long URL and convert it into something less than a dozen characters long. In a world of SMH- and FTW-filled messages, the shortened URLs are ubiquitous -- and risky.
"The most dangerous interactions are the simple stuff that we all do every day," says Grimes. "It's the mundane little stuff that is the most dangerous most of the time. Same thing with the cybersecurity world. The most dangerous stuff is right in front of us every day," he explains. In the case of shortened links, the same technology that shrinks them hides the destination of a click: hovering over the link shows only the shortener's own domain, so even a cautious user cannot see where it really leads, or how many redirects sit between the short link and the final page.
Fortunately, just as there are link shorteners, there are link expanders that can show a user the actual URL that underlies the shortened version. While there are far fewer expanders than shorteners, there are still options for those looking for greater transparency in their links. Security teams can also deploy technology that expands shortened URLs at the mail gateway or proxy before the user ever sees them, but in all cases users should be educated to be careful about blindly clicking on short, obfuscated URLs.
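The expander idea above, as an added example that is not code from the article or from any of the quoted vendors: follow a short link's redirect chain one hop at a time with HEAD requests (never fetching the final page), stop on loops or excessive hops, and compare the landing host against the domain the message claimed to link to. The shortener, tracker and landing hostnames, and the `looks_suspicious` rule, are constructed for illustration; the offline chain stands in for live responses.

```python
"""Expand a shortened URL hop by hop so the real destination can be inspected
before anyone clicks. Added example (not from the article).

The fetcher is injectable: fake_fetch() replays a constructed redirect chain
offline, live_fetch() issues real HEAD requests with redirects disabled.
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # with redirects disabled, 3xx lands here
        return e.code, e.headers.get("Location")


def expand_url(url, fetch=live_fetch):
    """Return (final_url, chain_of_urls_visited).

    Stops at the first non-redirect status or missing Location header;
    raises on a loop or on more than MAX_HOPS redirects so a hostile
    redirector cannot keep the client bouncing.
    """
    chain = [url]
    seen = {url}
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain
        nxt = urljoin(url, location)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    raise ValueError("too many redirects")


def looks_suspicious(final_url, expected_domain):
    """Constructed rule: flag a landing host that is not the claimed domain
    or one of its subdomains."""
    host = (urlsplit(final_url).hostname or "").lower()
    expected_domain = expected_domain.lower()
    return not (host == expected_domain or host.endswith("." + expected_domain))


# Constructed offline redirect chain: shortener -> tracker -> lookalike login page.
FAKE_RESPONSES = {
    "https://sho.rt/abc": (301, "https://tracker.example/r?id=9"),
    "https://tracker.example/r?id=9": (302, "/go/final"),
    "https://tracker.example/go/final": (307, "http://login-corp.example.net/"),
    "http://login-corp.example.net/": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    final, hops = expand_url("https://sho.rt/abc", fetch=fake_fetch)
    print(" -> ".join(hops))
    print("suspicious:", looks_suspicious(final, "corp.example"))
```

Run it as-is to see the constructed chain resolve to the lookalike host; swap `fetch=fake_fetch` for the default to expand a real short link from a machine that is allowed to make the request.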
(Image: profit_image VIA Adobe Stock)
Clicking Without Discrimination
"Every company will have a curious 'Dave' who will happily click on every email attachment," says Carson. And while curiosity might or might not kill the cat, it can certainly lay waste to a security plan.
Putting all attachments into quarantine requiring extra steps before opening is one tactic for reducing the danger from attachments, as is constant education on the danger of the free-clicking habit. In addition, "Disabling macros in documents is a great step to prevent a wide range of malicious activity from taking place when opening unknown documents. Windows Defender can scan files prior to being opened as well," says Charles Ragland, security engineer at Digital Shadows. But beyond attachments (and more on these, later), there are links, buttons, and icons sprinkled all over the daily computing environment that can bring woe to those who cannot still their right index finger.
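One concrete quarantine check to go with the macro advice above, as an added example that is not code from the article or from Digital Shadows: inspect an Office attachment's bytes rather than trusting its extension. Modern OOXML files are zip archives, and a macro project shows up as a `vbaProject.bin` member and as a declared content type in `[Content_Types].xml`; legacy binary Office files are OLE compound documents that need a dedicated parser, so they are routed to review instead of being passed. The sample documents are constructed in memory and are not real Word files.

```python
"""Classify an Office attachment held in quarantine by looking inside it.
Added example (not from the article); sample documents are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt header
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'unknown' for raw file bytes."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # may carry macros; send to a sandbox or olevba
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "unknown"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Look at the members, not the filename: a .docm renamed to .docx
        # still contains the macro project.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro"
        if "[Content_Types].xml" in names and \
                VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            return "macro"
    return "clean"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive for testing (not a real document)."""
    types = (b'<?xml version="1.0"?><Types>'
             b'<Override PartName="/word/document.xml" ContentType="'
             b'application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        types += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                  + VBA_CONTENT_TYPE + b'"/>')
    types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in blob
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("plain docx", build_docx(False)),
               ("macro docx", build_docx(True)),
               ("legacy ole", OLE_MAGIC + b"\x00" * 64),
               ("not office", b"hello")]
    for label, blob in samples:
        print(f"{label:10s} -> {classify_attachment(blob)}")
```

A result of `macro` or `legacy-ole` is a reason to hold the file for the extra steps the paragraph describes; `clean` only means no VBA project was found, not that the document is safe, so the existing AV scan still applies.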
"When you install software there will be pop-ups and malicious applications that use pop-ups asking for much more access than they need," says Nachreiner. "Many people just want to run the game or app, and agree to all sorts of access for the code." He advises training users to carefully read the permission that's about to be granted to a game or app, especially when that permission extends to device permissions like microphones, cameras, and GPS chips. A little care can save a lot of trouble when it comes to a user's itchy left-mouse-button finger.
(Image: rolffimages VIA Adobe Stock)
Falling for Phishing Attacks
When Microsoft sends you an email saying your account is locked, it's perfectly reasonable to send them your account credentials so they can unlock your applications, right? And there's nothing suspicious about a trading partner asking for bank details in order to pay their bills. In both cases, there are serious repercussions for falling for a phishing attack whether it's sophisticated or simply tricky.
One of the greatest dangers of mass credential theft is that the information in the database can be used for a highly targeted spear-phishing campaign. And regular events, like the U.S. tax season, can provide attackers with legitimate-looking content to wrap around those credentials. While technology, in the form of email filters and quarantine services, can help, the basic defense against phishing is straightforward.
"This may sound cynical, but having been in the cybersecurity space for the last eight years and seeing all of the new creative methods and opportunities for data theft, my advice is to slow down, and trust nothing," says Josh Bohls, founder of Inkscreen. He adds, "Not everybody can be an expert in identifying dangerous interactions, but if you slow down and become aware of the environment you might prevent a regrettable decision."
(Image: faithie VIA Adobe Stock)
Connecting to Unsecured Public WiFi
In 2020 there's no mystery left to the question of whether connecting to an unsecured public WiFi hotspot is a bad thing. It is a very bad thing. That doesn't keep lots of employees from enjoying their double-shot latte with a side of data theft. The real question is where on the hierarchy of threats you place this free service. For Ragland, it's a limited threat.
"The advent of TLS, and the push for all traffic to use it, not just sensitive data, has effectively mitigated SSL stripping," he says. "This prevents attackers from reading or modifying data in transit. Many sites also now use HSTS (HTTP Strict Transport Security) so no HTTP connections can be permitted."
Still, says Nachreiner, employees need to pay attention to unsecured WiFi and use best practices for their connections. "There are six very common attacks that public WiFi is subject to, and Evil twin, rogue clients, and rogue access points are all there before authentication even happens," he explains. And the advent of easy-to-download hacking kits takes away the technology barriers to launching such attacks. "Today, a trained monkey could do an evil twin attack at a Starbucks," Nachreiner says.
Preventing problems from unsecured WiFi takes many forms, from providing mobile employees with wireless hotspots, to requiring VPN use by policy, to making sure that every enterprise website is protected through encryption. Put them all together, and the interaction becomes less dangerous -- assuming you can convince employees to use the technology.
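A small check for the "every enterprise website is protected through encryption" item above, as an added example that is not code from the article or from the quoted companies: parse a site's `Strict-Transport-Security` header and report what is missing against the usual deployment bar (a max-age of at least a year, `includeSubDomains`, and `preload`, the conditions the browser preload list expects). The header values below are constructed; `fetch_hsts` is only used when run against a live host.

```python
"""Parse and assess an HSTS header. Added example (not from the article).
Sample header values are constructed; fetch_hsts() does a real HEAD request.
"""
import urllib.request

ONE_YEAR = 31536000  # seconds


def parse_hsts(header):
    """Turn 'max-age=N; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797); flags map to True."""
    if header is None:
        return None
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"') if eq else True
    return out


def assess_hsts(header):
    """Return (ok, findings) for a raw header value, or None if absent."""
    d = parse_hsts(header)
    if d is None:
        return False, ["no Strict-Transport-Security header: plain-HTTP requests are not upgraded"]
    if "max-age" not in d or d["max-age"] is True:
        return False, ["max-age directive missing: browsers ignore the header"]
    try:
        max_age = int(d["max-age"])
    except ValueError:
        return False, ["max-age is not an integer: browsers ignore the header"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears HSTS for this host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the one-year bar")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" not in d:
        findings.append("preload missing: the very first visit is still unprotected")
    return not findings, findings


def fetch_hsts(url):
    """Live helper: HSTS header of an HTTPS URL, or None if the site sends none."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.headers.get("Strict-Transport-Security")


if __name__ == "__main__":
    for value in ["max-age=63072000; includeSubDomains; preload",
                  "max-age=300",
                  None]:
        print(repr(value), "->", assess_hsts(value))
```

The header only takes effect once a browser has seen it over HTTPS, which is why the `preload` finding matters for laptops that first touch a site from the coffee shop.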
(Image: Suwanmalee VIA Adobe Stock)
Opening Unusual or Unexpected Attachments
Would you eagerly open a sealed package handed to you by a stranger on the sidewalk? Few people would, but far too many will happily click on a file promising an adorable kitten, humorous marsupial, critical invoice, or important spreadsheet just because the email message or filename tells them to. And all you have to do to see the consequences is search the news for the latest devastating ransomware attack.
"The most dangerous thing we can do is get socially engineered in email. It hasn't changed in 30 years and it's worked very well," says Grimes. While some of those social engineering attacks involve convincing a user to hand over information, many of them just ask the user to click on a file -- a file carrying an executable or a macro that can bring an organization to its knees.
Education, email filters, and security systems that limit the websites and files that can be opened all help in reducing the impact of the unexpected attachment. In addition, Carson says, "It is important to limit the potential impact by applying methods such as the principle of least-privilege which limits the impact on clicking malicious email attachments."
The most important advice, though, may be to tell users to simply take a breath. "Before you tap that link, download an app, plug into a charging station, use a shared USB drive, or connect to a free wifi, take a moment to consider the action and look for potential clues that this is a safe or unsafe choice," advises Bohls.
(Image: Sangoiri VIA Adobe Stock)
Password/Authentication Misuse
Passwords are both the foundation of user authentication in modern computer systems and one of the primary vulnerabilities in those same systems. Each year, various organizations produce lists of the worst passwords, and each year sees many of the same passwords that were on the previous year's list. This is where many breaches start, because, "If you get authentication wrong, or aren't strongly able to assure identity, the rest of your problems will just get worse," Nachreiner says.
Part of the problem is a key limitation in every system: the human brain. Most people are able to remember character strings of limited complexity, and a limited number of those. The latter factor leads to a problem that Nachreiner says may be worse than using a weak password: re-using passwords.
"Everyone is guilty of password reuse at some point, but best practice is to use a password manager," says Ragland. "Memorize a sufficiently long passphrase to access the password manager, and then let the application generate secure passwords and store them for you."
As for improving the strength of passwords, most authentication systems now include the ability to require passwords of particular length and complexity. NIST's current guidance (SP 800-63B) goes a step further: rather than enforcing composition rules, it calls for screening every new password against a list of commonly used, expected, or previously breached passwords and rejecting any match. Curious about a specific password? Several public services let you check one against such a list interactively.
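The screening step described above, as an added example that is not code from the article or from NIST: apply a minimum length and then look the candidate up in a breach corpus using the k-anonymity range scheme of the Pwned Passwords API, where only the first five hex characters of the password's SHA-1 hash leave the client and the match is made locally. The corpus and its counts are made up for the example; `live_range` shows the shape of a real query against that API but is not used by the offline run.

```python
"""Screen a candidate password: minimum length plus a breach-corpus lookup
done the k-anonymity way. Added example (not from the article).
SAMPLE_CORPUS and its counts are constructed.
"""
import hashlib
import urllib.request

MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_range_lookup(corpus):
    """Offline stand-in for the range API: prefix -> ['SUFFIX:COUNT', ...]."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return lambda prefix: index.get(prefix, [])


def breach_count(password, range_lookup):
    """How many times the password appears in the corpus (0 if never).
    Only the 5-char hash prefix is sent; the suffix match happens here."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def check_password(password, range_lookup):
    """Return (accepted, reasons)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    n = breach_count(password, range_lookup)
    if n:
        reasons.append(f"seen {n} times in the breach corpus")
    return not reasons, reasons


def live_range(prefix):
    """Real range query (network): returns the 'SUFFIX:COUNT' lines."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode().splitlines()


# Constructed corpus; the counts are invented for the example.
SAMPLE_CORPUS = {"password": 3861493, "123456": 23597311,
                 "qwerty123": 61251, "Summer2020!": 132}
lookup = make_range_lookup(SAMPLE_CORPUS)

if __name__ == "__main__":
    for pw in ["123456", "Summer2020!", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw, lookup))
```

Note that "Summer2020!" passes every classic complexity rule and still fails, which is exactly the case the list-based check is there to catch.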
(Image: motortion VIA Adobe Stock)