SecurityWeek

User Security is a Responsibility, Not an Excuse, Part 2

It’s no big secret the majority of security incidents companies grapple with are a result of human error. Maybe a user opens the wrong email attachment. Or maybe they visit the wrong website or plug in the wrong USB drive. People are people. They’re going to make mistakes. Cyber criminals know this and actively prey on user error as the path of least resistance inside any network they’re targeting.

In the first post in this two-part series, I offered recommendations to make users more aware of the threats they’re most likely to be exposed to, ways to increase their awareness and lower their risk. In this post, I’d like to cover why awareness alone isn’t enough.

The idea that educated users should be able to identify all attempts to fool them makes the flawed assumption that all attacks have clear tells that they can pick up on. That line of thinking tragically underestimates the creativity and complexity of today’s advanced attacks. Not only are there numerous ways of tricking the most paranoid users into opening malicious attachments or clicking on links, there are also ways of infecting them that require no clicking or interaction at all.

Counterfeit emails and websites have gotten far more personal and convincing

Gone are the days when the only malicious emails in a user’s inbox were poorly constructed spam messages, in marginal English, from fake Nigerian princes. Today’s most advanced phishing attacks draw on social media accounts, company websites, and previously compromised inboxes. As a result, a well-crafted phishing email can appear to come from a contact you know and may even carry an attachment the two of you actually exchanged in the recent past. In the attack, however, this version of the attachment delivers an infection, and the attacker gains one more compromised account to exploit. (For a specific example, read this blog post from Wordfence.)

Getting locked out of critical files and systems is an increasingly likely outcome of a successful phishing attack, but as prominent as ransomware has become, other types of infection are equally damaging and far more stealthy.

With ransomware, a user typically knows within minutes that they have been infected: suddenly they are faced with a full-screen ransom demand or an inoperative system. Other attacks are designed to be insidious. A banking trojan infection, for example, can go unnoticed until the victim’s financial accounts have been drained dry.

In those scenarios, the malicious code waits silently on a user’s machine until he or she visits a banking website, at which point one of two credential-stealing attacks unfolds:


1. The trojan redirects the user to a realistic counterfeit version of the banking website and captures the credentials entered there. At the same time, it submits those credentials to the real site, which triggers the bank’s SMS or other two-factor authentication prompt; when the user types the resulting code into the fake page, the trojan captures that too and completes the login on the legitimate site.

2. The trojan injects malicious code into the legitimate banking website as it loads in the browser (a so-called web inject), adding fields to existing forms or creating new pop-ups designed to mimic the bank’s design and brand. The address bar and the TLS padlock still show the genuine site, because the tampering happens inside the browser after the page has been decrypted.
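The second scenario is easy to underestimate until you see how little the attacker has to change. The following is an added example, not code from the article: it simulates a web inject against a constructed bank login form and shows the kind of form-integrity check (comparing the fields actually present against the fields the bank expects) that a client-side anti-fraud script can use to notice the tampering. The page markup, the injected fields and the expected-field list are all constructed for illustration.

```python
"""Web-inject simulation and a form-integrity check.

Added example, not code from the article. The bank page, the injected
fields and the expected-field set below are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed sample: the login form the bank actually serves.
LEGIT_LOGIN_HTML = """<html><body>
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""

# Constructed sample: what a web inject adds. It sits next to the real
# password field and is styled to match the bank, so the user sees nothing odd.
INJECTED_FIELDS = """  <label>ATM PIN</label><input type="password" name="atm_pin">
  <label>Mother's maiden name</label><input type="text" name="maiden_name">
"""

# The fields the bank's login form is known to contain (the integrity baseline).
EXPECTED_LOGIN_FIELDS = {"username", "password"}


def apply_web_inject(html: str, marker: str, payload: str) -> str:
    """Insert payload immediately after the first occurrence of marker.

    A banking trojan hooks the browser's networking functions and rewrites the
    decrypted response body in exactly this way: the URL, the TLS session and
    the rest of the page stay genuine, only the markup changes.
    """
    idx = html.find(marker)
    if idx == -1:
        return html  # marker not present on this page: nothing to inject
    idx += len(marker)
    return html[:idx] + "\n" + payload + html[idx:]


class _FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input> inside each <form id=...>."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id", "")
            self.fields.setdefault(self.current_form, [])
        elif tag == "input" and self.current_form is not None:
            self.fields[self.current_form].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def form_fields(html: str, form_id: str) -> list:
    """Return the input names of the form with the given id, in page order."""
    p = _FormFieldCollector()
    p.feed(html)
    return p.fields.get(form_id, [])


def unexpected_fields(html: str, form_id: str, expected: set) -> list:
    """Return named inputs present in the form that are not in the baseline."""
    return [n for n in form_fields(html, form_id) if n and n not in expected]


if __name__ == "__main__":
    tampered = apply_web_inject(
        LEGIT_LOGIN_HTML, '<input type="password" name="password">', INJECTED_FIELDS
    )
    print("clean page  :", unexpected_fields(LEGIT_LOGIN_HTML, "login", EXPECTED_LOGIN_FIELDS))
    print("injected page:", unexpected_fields(tampered, "login", EXPECTED_LOGIN_FIELDS))
```

The check only works if the baseline and the script that evaluates it reach the browser intact; a trojan that already rewrites page content can also strip or neutralise such a script, which is why the article's point stands: the user cannot be expected to spot the extra fields, and the durable fix is detecting or blocking the trojan on the endpoint.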

In either scenario, it is a mistake to assume the user can recognize that something isn’t right; who could? Users need tools that can identify the presence of banking trojans and other malware on their systems, and they benefit most from having the installation blocked in the first place.

The latest wave of ransomware attacks has not relied on users at all

While phishing and other attacks that rely on tricking users still pose a significant risk, some of the most prominent and widespread recent outbreaks haven’t involved users at all. Take WannaCry and NotPetya. After the initial infections, both spread by exploiting unpatched remote systems (the SMBv1 flaw addressed by Microsoft’s MS17-010 update), and NotPetya additionally abused otherwise legitimate administration tools, PsExec and WMIC, to move laterally across compromised networks using credentials harvested from the machines it had already infected.
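Because PsExec and WMIC are legitimate tools, blocking them outright is rarely an option; what defenders can do is watch process-creation telemetry for the patterns they leave when used for lateral movement. The following is an added example, not code from the article and not any vendor’s rule: it runs four simple indicators over constructed process-creation events written in the shape of Sysmon Event ID 1 / Windows 4688 fields. The field names, hostnames and command lines are assumptions made up for the example.

```python
"""Detect PsExec- and WMIC-style lateral movement in process-creation events.

Added example, not code from the article. Records are constructed; the
"key=value|key=value" layout and the field names are an assumption, not a
product schema.
"""
import re

# Constructed sample events, one per line. Backslashes are literal (raw string).
SAMPLE_EVENTS = r"""
host=WS01|user=CORP\alice|parent=explorer.exe|image=C:\Windows\System32\notepad.exe|cmd="notepad.exe" report.txt
host=WS01|user=CORP\alice|parent=explorer.exe|image=C:\Tools\PsExec.exe|cmd=PsExec.exe \\FS02 -accepteula -d cmd.exe /c whoami
host=FS02|user=NT AUTHORITY\SYSTEM|parent=services.exe|image=C:\Windows\PSEXESVC.exe|cmd=C:\Windows\PSEXESVC.exe
host=WS01|user=CORP\alice|parent=cmd.exe|image=C:\Windows\System32\wbem\WMIC.exe|cmd=wmic /node:"FS03" /user:"CORP\alice" process call create "cmd.exe /c whoami"
host=FS03|user=CORP\alice|parent=WmiPrvSE.exe|image=C:\Windows\System32\cmd.exe|cmd=cmd.exe /c whoami
host=WS01|user=CORP\alice|parent=cmd.exe|image=C:\Windows\System32\wbem\WMIC.exe|cmd=wmic os get caption
"""

# Interpreters that WMI-initiated execution typically hands the payload to.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict (first '=' wins)."""
    ev = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        ev[key.strip()] = value
    return ev


def classify(ev: dict) -> list:
    """Return the names of the lateral-movement indicators this event matches."""
    hits = []
    exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmd", "")

    # Source side: PsExec invoked with a UNC target (\\host).
    if exe == "psexec.exe" and re.search(r"\\\\[\w.-]+", cmd):
        hits.append("psexec_source")
    # Target side: PsExec copies PSEXESVC.exe to ADMIN$ and starts it as a service.
    if exe == "psexesvc.exe":
        hits.append("psexec_target")
    # Source side: WMIC addressed to another node and asked to create a process there.
    if (exe == "wmic.exe" and re.search(r"/node:", cmd, re.I)
            and re.search(r"process\s+call\s+create", cmd, re.I)):
        hits.append("wmic_remote_create")
    # Target side: the WMI provider host spawning an interpreter.
    if parent == "wmiprvse.exe" and exe in SHELLS:
        hits.append("wmi_spawned_shell")
    return hits


def detect(log_text: str) -> list:
    """Return (host, indicator) pairs for every event that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in classify(ev):
            findings.append((ev.get("host"), name))
    return findings


if __name__ == "__main__":
    for host, indicator in detect(SAMPLE_EVENTS):
        print(f"{host}: {indicator}")
```

The local `wmic os get caption` and the `notepad.exe` launch produce no findings, which is the point of keying on the remote-target syntax (`\\host`, `/node:`) and on the target-side artefacts (PSEXESVC, WmiPrvSE as parent) rather than on the tool names alone; in an environment where administrators use these tools routinely, the source-side hits are best correlated with the matching target-side hit on the named host before paging anyone.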

These are complex developments in attack vectors, and simply blaming the user for providing an easy access point isn’t credible anymore. Raising user awareness of security issues and training users to identify and report attempted attacks is one crucial brick in the wall of security; companies also need to commit to protecting users and eliminating the blind spots created by unpatched systems and weak endpoint protection.
