Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/9/2017
04:00 PM
Tom Pendergast
Tom Pendergast
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Signs You, Your Users, Tech Peers & C-Suite All Have 'Security Fatigue'

If security fatigue is the disease we've all got, the question is how do we get over it?

There’s been a lot of talk about security fatigue lately, in the press and in my office. It’s a term that people get right away, and it feels like one of the classic social phenomena of our era, like multitasking or that phantom buzz in your pocket.

If security fatigue is the disease we’ve all got (even security pros!), the question is how do we get over it? To help answer that question, let’s take a look at four signs that identify the symptoms, along with recommendations that will put you and your users on the road to recovery.

Sign 1: You Reuse Passwords
Symptom: You want that 10% off coupon for creating an account on a new website—so you use your email address and that one password you use for all those "minor" accounts you’ve created.

What’s the Worst That Could Happen? At the least, hacking that single password might give criminals access to your personal card data. That’s a pain, but most credit card purchases are protected. But if the same hacker starts trying that password on other accounts, and those accounts include more personal information or are used for work credentials, and you could quickly move from identify theft to a data breach. Ouch!

Cure: The best cure is a password manager, which is the easiest way to create unique, lengthy, and difficult-to-crack passwords for every login. Sadly, most people aren’t ready to take this strong medicine. So they fall back on a variety of other schemes to introduce some level of complexity to their password. There are a million of these schemes, and combine them with multi-factor authentication you just may be okay. But you can’t be sure. So use a password manager!

Sign 2: You Forget to Connect to VPN
Symptom: You’re doing some work from home, and you just jump right in and go—completely ignoring the step of setting up a VPN connection. You’re just catching up on e-mail after all.

What’s the Worst That Could Happen? If your home WiFi is password-protected, and you’re just sending email, the risk is pretty low. But let’s say you connect to an insecure website and it tries to download malware—you’re exposed. And you’re not always on password-protected networks or just doing email, right? The truth is, if you’re connecting to the Web or sending sensitive documents, you’re exposed without VPN.

Cure: It’s not establishing a VPN connection that’s hard. The hard part is remembering. It’s a matter of making it a habit, like snapping on your seat belt. I’ve put a reminder on my startup screen that I see every time I log in, and it really helps. We all have the capacity to trigger electronic reminders these days, so set one up for VPN usage today.

Sign 3: You Click on an Email Link — Even Though You’re not Sure
Symptom: It’s been a long day, but you’re determined to churn through a few emails before you bail out. Hmm, you think, you wouldn’t mind winning a new Amazon Alexa offered in one email, so you click the enter automatically link

What’s the Worst That Could Happen? There’s a brief pause as you go to the innocuous-looking site. That pause, unfortunately, indicates the site is downloading a nasty piece of ransomware that will infect your network and bring work to a grinding halt. Cybercriminals have so many different ways to hook you, but they all begin by you visiting a site or downloading a file (or plugging in a USB drive), because you didn’t take that extra second to make sure you were taking the safest action.

Cure: Phishing sucks! It’s the most common form of cybercriminal attacks on employees, and it can be VERY difficult if not impossible to detect. But you can resist phishing with a few simple tricks. First, turn your baloney detector on high and quickly delete anything that sounds too good to be true or comes out of left field. Second, recognize that you should never act on emails when you’re in a hurry (unless it’s to delete them). Third, if you get a lot of commercial email (I sure do), use rules to move it all to a folder, and then take a little time a few times each week to go through and identify the stuff you want to act on—deleting everything else. Remember, you’re in control of your actions when it comes to your email, so make it a personal challenge to never get caught.

Sign 4: You Don’t Report Something that Seems Off
Symptom: Stopping in the kitchen for a cup of coffee, you notice a folder on the counter, with a sticky that says "Vendor Contracts, First Quarter." The person who left it will probably be right back, you reason, so you fill your cup and get off to that meeting.

What’s the Worst That Could Happen? Remember that stranger you let in the door earlier? She could find a gold mine in that folder. Or the disgruntled employee who came in as you headed out. Perhaps he could use what’s in that folder to embarrass the company. The truth is, unreported suspicions can blossom into leaks of proprietary information or malware infections all too easily.

Cure: Reporting suspicious incidents or observations is inconvenient! But so is stopping at red lights, washing your hands before you eat, and a whole lot of other things that we go ahead and do because we care about our fellow man and want to make the world a decent place to live. So report suspicious behavior.

Do you note the similarities in all the cures to security fatigue? They all come back to the need to adopt a new mental model about security and to develop new habits that support that mental model. If you care about protecting yourself and your company from cybercrime, developing those new habits will not be hard. First care, then act. It’s that easy.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/18/2017 | 2:14:52 PM
Re: QED
@TomP: Indeed.  Or, put another way, "Share this on Facebook and Twitter!"  :)
tompendergast
50%
50%
tompendergast,
User Rank: Author
2/13/2017 | 1:02:04 PM
Re: QED
I'd like to think so, but even those who don't have it can help recognize the signs and move others to improve.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/13/2017 | 9:24:49 AM
QED
I tend to think that by the very fact of people being even every-now-and-then readers of this site, they don't have security fatigue...yet.  ;)
macker490
100%
0%
macker490,
User Rank: Ninja
2/10/2017 | 7:20:30 AM
all of us suffer
i think we are all suffering.   we are burned-out trying to fix a problem we can do little about.

two things are needed

1. secure operating software

2. effective message authentication

these requirements can only be provided from the OEM development shops.   Until these shops are properly motivated to do things the right way burn-out will continue to get worse -- every year -- as it has recently.

if you total up the cost for all the band-aids, and staff hours required to administer same -- and then add to that the intangible cost of frustration and worry you'd come up with a pretty big number

it means nothing though as the elements responsible for the problem do not carry the cost of its consequences.

at some point, as a society, we will be forced to re-think this -- or make rather far reaching changes in the way we connect electronic equipment. 
CaitlinT801
100%
0%
CaitlinT801,
User Rank: Apprentice
2/10/2017 | 6:46:28 AM
VPN as a protection
Whatever the signs are, it's good to use precautions such as using a VPN. I have been using PureVPN for ultimate privacy and protection and it works good.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...