The Weakest Link
By Mitchell Taylor, CIO/Director of IT & Security, CalSheets LLC
You may remember a game show called The Weakest Link. It involved a group of nine contestants working as a team to try to win money. Each member of the group had to answer questions, and the goal was to put a chain of correct answers together without breaking the “link” by answering incorrectly. The potential winnings increased with each correct answer as the group tried to advance to the next round. However, if a contestant gave an incorrect answer or took too long to answer, the chain was broken and the group had to start over in building up their chain of winnings. A central element of the game occurred at the end of each round, when the contestants voted for who they thought was “the weakest link”. The contestant with the most votes was eliminated.
Have you ever sat and pondered which of your users would be voted as the weakest link? Love them or hate them, in the world of IT, users are our customers. We have much to gain by helping them become better and more aware of their online surroundings. But we can also learn a great deal from past failures to help us deal with today’s advanced threats. We can no longer stick our head in the sand and hope that our users will make wise choices. We must prepare them for battle in a connected world.
Several years ago, police departments began reporting an increase in the number of drivers being carjacked. It seems that as newer cars became more secure and harder to steal, thieves found it easier to carjack someone at a stop light than to break into a car that is locked up tight. They had found the new weakest link – the driver. It is often easier to get a driver to give up the car at gunpoint than to pick the lock and hot-wire the car, which creates some very dangerous situations for drivers today.
In the IT realm, we have a similar situation going on. As the use of next-gen firewalls, anti-malware utilities, encryption techniques, dual factor authentication (DFA) and other such mechanisms has risen, traditional means of infiltrating a computer system have become less and less effective. Hence, recent attacks have focused more on targeting the users themselves. The end-user has become the new weakest link.
We see this in the rise of ransomware, most of which begins with a spear-phishing attack that tries to get a user with valuable credentials to click on an infected link. Adam Kujawa, Head of Intelligence at Malwarebytes, puts it this way: “If any attack in the history of malware proves that you need protection in place before an attack happens, encrypting ransomware is it. It’s too late once you get infected. Game over.” An ounce of prevention truly is worth more than a pound of cure. Your users are on the front lines and can be either a great defense against this sort of attack or a huge liability.
The Secretary of Homeland Security, Jeh Johnson, put it this way: “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.” This merely confirms what we already know: although attacks against our firewalls and other systems can and do occur, the larger threat today is a compromised user who has legitimate authority to operate on the network behind those defenses. If a hacker can take over a legitimate user’s credentials, they can then gain access to resources inside the perimeter. Given this potential payoff, it’s no wonder that spear-phishing attacks are on the rise.
As an IT Leader in a world filled with threats, how can you help your users avoid becoming the weakest link? You’ve no doubt heard this basic advice before, so I want to phrase it in a way that is easy to remember. We all know that we need to patch our computer systems, but you can also PATCH the end-user by raising their understanding of the following best practices:
Passwords: Use strong passwords and never share them with others.
Authorization: Never give out information to anyone without prior authorization.
Training: Hold training sessions on identifying phishing and spear-phishing attacks.
Clicking: Never click on links in an email, even if it appears to come from a legitimate source.
Hacking: Always be on the lookout for anything suspicious, and report it immediately.
Raising user awareness in these areas will play a critical role in helping your users do their jobs without becoming the next victim. The better your users adhere to these principles, the better prepared they will be for the next attack. Let me expound a little more on each area.
Passwords – Teach your users how to create strong yet easy-to-remember passwords by using phrases instead of single words, or by using a password manager on their phone that stores credentials encrypted. Remind them never to share their password with others, even people they know and work with.
Authorization – Remind your users that they are not authorized to give out any information about your company unless specifically authorized for a certain purpose. This includes the whereabouts of company staff, office locations, computing resources, etc. Social engineering thrives off of people sharing information unnecessarily.
Training – Hold regular training sessions with your users to touch on security concepts that are relevant and timely. Raise awareness of recent phishing schemes and security breaches. This can be a good time to walk through how a particular breach occurred so the user will be able to spot that technique should it be employed against your company.
Clicking – Remind your users that one click is all it takes for their system and your network to become compromised. Show them how convincing some of these schemes are, and reiterate best practices. This is also a good time to go over your company’s policies regarding Acceptable Use of IT assets.
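One concrete way to show users how convincing a link can be is to demonstrate the gap between the text a link displays and the host it actually points to. The following is an added example, not part of the original article: it parses anchor tags from a constructed HTML email body (the domains and the `find_mismatched_links` helper are illustrative assumptions) and flags links whose visible text names a different registrable domain than the href.

```python
"""Flag links in an HTML email whose visible text claims a different host than the href."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body; the hosts are made up for the demonstration.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification.</p>
<a href="http://login.example-bank.com.attacker.test/verify">https://login.example-bank.com/verify</a>
<a href="https://intranet.example.com/policy">Acceptable Use policy</a>
<a href="https://mail.example.com/inbox">mail.example.com</a>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# A host name that appears in the visible link text, with or without a scheme.
_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registrable(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().split(".")[-2:])

def find_mismatched_links(html):
    """Return (visible text, href) pairs where the displayed host does not match the real one."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        match = _HOST_RE.search(text)
        if not match:
            continue  # plain-language labels make no claim about the host
        shown = registrable(match.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if shown != actual:
            mismatches.append((text, href))
    return mismatches
```

Plain-language labels such as "Acceptable Use policy" are skipped because they make no host claim; the last-two-labels heuristic is deliberately simple and will misjudge multi-part suffixes such as co.uk.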
Hacking – Encourage your users to be on the lookout for other dangers, and enlist their help in identifying any weaknesses in your people or processes. This is a good time to run some spear-phishing war games of your own, just to see how your users perform. You might even consider turning it into a game, where users can put their cybersecurity skills into action and compete for prizes. You might be surprised at what they come up with!
The next time you patch your software systems, remember to PATCH your end-users as well. By raising user awareness and engaging them as part of your defensive strategy, you too can help ensure that your IT organization does not become “the weakest link.”