Network World

Chris Jackson

Is there a patch for stupid?

Are network users causing tons of extra work with their poor web security practices?

By Chris Jackson on Mon, 08/09/10 - 2:30pm.

I was speaking with the security group of a customer the other day and they were complaining about how 80% of their security incidents were because of users doing stupid things on the Internet. They kept pointing to reports highlighting how their users generated so much work for them through malware cleanup and downtime. This conversation got me thinking about what those reports were really showing. Was it the users being stupid or something else?

Ask any really good hacker, “What’s the easiest way to break into a network?” and you’re bound to get some variation of the same response. It’s through people launching applications or clicking on things they shouldn’t. Hacking straight technology is just plain hard work. Finding a 0day exploit that can be weaponized into a privilege-escalating attack is like winning at blackjack: it’s possible but unlikely. Getting a user to click a link to see a picture of a cat wearing a wet suit? Practically guaranteed! This is why attackers are so busy going after users through browser- and email-based attacks. It’s just an easy way to compromise a ton of machines very quickly. Attackers are actively targeting our trust of friends on Facebook or Twitter and the assumption that our favorite websites are safe.

As security professionals we scream until our eyes bulge and veins pop out about the risks of weak web security controls in browsers and on websites. Every day we hear of a new vulnerability in a browser plugin that requires yet another patch, while millions of websites are vulnerable to SQL injection and XSS, allowing attackers to distribute exploits targeting these vulnerabilities. The evildoers on the Internet know that users don’t read or understand cryptic browser warnings and will happily click away and load their malware. Why are we expecting the average user to know the nuances of these many attack vectors? The biggest problem for organizations trying to keep their assets clean of malware is that the people with the least technical knowledge are being asked to protect themselves on the web.

In my opinion, fixing this issue requires a mixture of user education and security technology to mitigate the impact of targeted attacks against people. Users need to be trained and updated on current attack methods and vulnerabilities so they can better recognize when they are in a dangerous situation. They will never be experts, but at least they will better understand the risks. Technical controls also need to be in place that scan web traffic for malicious code and leverage website reputation to block evil websites through filtering. We also need browsers with better sandboxing for plug-ins. Organizations should also conduct network security assessments that don’t just focus on technology weaknesses, but also incorporate social engineering to gauge user security awareness.

So is it stupid users, or poor security controls, that caused the bulk of this customer’s security incidents? Personally, I think it’s wrong to blame the user for technology and awareness issues. Organizations that don’t factor in the people aspect of security often have stupid reach up and bite them on a regular basis. What are your thoughts?

About Net Defense

Chris Jackson, CCIE (Security, Routing, Switching), CISA, CISSP, ITIL, SANS, Technical Solutions Architect in the Cisco Architectures and Verticals Partner Organization, has focused for the past six years on developing security practices with the Cisco partner community. During a 15-year career in internetworking, he has built secure networks that map to strong security policies for organizations, including UPS, GE, and Sprint. Chris is an active speaker on security for Cisco through TechwiseTV, conferences, and webcasts. He has authored a number of whitepapers and is responsible for numerous Cisco initiatives to help build stronger security partners. He holds dual CCIEs in security and routing and switching, CISA, CISSP, ITIL, seven SANS certifications, and a bachelor's degree in business administration.

Residing in Bradenton, Florida, Chris enjoys tinkering with his home automation system and playing with his ever-growing collection of electronic gadgets. His wife Barbara and three children Caleb, Sydney, and Savannah are the joy of his life and proof that not everything has to plug into a wall outlet to be fun.

Chris's latest book, Network Security Auditing, has been selected as the August, 2010, book giveaway on Cisco Subnet.
