User Security is a Responsibility, Not an Excuse, Part 2

It’s no big secret the majority of security incidents companies grapple with are a result of human error. Maybe a user opens the wrong email attachment. Or maybe they visit the wrong website or plug in the wrong USB drive. People are people. They’re going to make mistakes. Cyber criminals know this and actively prey on user error as the path of least resistance inside any network they’re targeting.

In the first post in this two-part series, I offered recommendations to make users more aware of the threats they’re most likely to be exposed to, ways to increase their awareness and lower their risk. In this post, I’d like to cover why awareness alone isn’t enough.

The idea that educated users should be able to identify all attempts to fool them makes the flawed assumption that all attacks have clear tells that they can pick up on. That line of thinking tragically underestimates the creativity and complexity of today’s advanced attacks. Not only are there numerous ways of tricking the most paranoid users into opening malicious attachments or clicking on links, there are also ways of infecting them that require no clicking or interaction at all.

Counterfeit emails and websites have gotten far more personal and convincing

Gone are the days when the only malicious emails in a user’s inbox were poorly constructed spam messages, in marginal English, from fake Nigerian princes. Today’s most advanced phishing attacks leverage information from social media accounts, company websites, and previously compromised inboxes. As a result, well-crafted phishing emails appear to come from a contact you know and may even include a file attachment shared between the two of you sometime in the recent past. In the attack, however, this version of the attachment will result in infection and an additional compromised account to exploit. (For a specific example, read this blog post from Wordfence.)

Getting locked out of critical files and systems is increasingly likely following a successful phishing attack, but as prominent as ransomware has become, there are other types of infections that are equally damaging but far more stealthy.

With ransomware, a user typically knows within minutes that they’ve been infected, because suddenly they have a full-screen ransom demand or an inoperative system. Other attacks are intended to be more insidious, like banking trojan infections, which can go unnoticed until a victim’s financial accounts have been drained dry.

In those scenarios, the malicious code waits silently on a user’s machine until he or she visits a banking website, at which point one of two credential-stealing attacks unfolds:

1. The trojan redirects the user to a realistic counterfeit version of the banking website to capture their credentials. At the same time, the trojan automatically enters the credentials into the intended, legitimate, website, triggering any SMS or other two-factor authentication code that it also captures via the fake website.

2. The trojan injects malicious code directly into the legitimate banking website as it loads, adding additional fields to existing forms or creating new pop-ups specifically designed to mimic the bank’s design and brand.
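The second scenario is easier to reason about with a concrete simulation. What follows is an added example, not code from the original article: it applies a constructed inject rule, written in the general shape of the Zeus-family webinject format (set_url / data_before / data_inject / data_after / data_end), to a constructed login page, and then runs the kind of page-integrity check an endpoint or browser-protection tool performs, comparing the form fields the server actually sent with the fields the user ends up seeing. The HTML, the rule, the hostname bank.example and the field names are all made up for the illustration.

```python
"""Simulated banking-trojan web inject plus a page-integrity check.

Added example, not code from the original article. The inject rule mimics
the shape of Zeus-family webinject configs; the HTML, rule and URLs are
constructed for this illustration only.
"""
import re
from html.parser import HTMLParser

# Constructed: the login page as the bank's server delivers it.
SERVED_HTML = """
<form id="login" action="/auth" method="post">
  <label>User ID <input name="userid"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Sign in</button>
</form>
"""

# Constructed inject rule: when the URL matches, splice data_inject into the
# page between the data_before and data_after anchors, in the bank's own markup.
WEBINJECT_CONFIG = r"""
set_url https://bank.example/login* GP
data_before
<label>Password <input name="password" type="password"></label>
data_end
data_inject
<label>ATM PIN <input name="pin" maxlength="4"></label>
<label>Mother's maiden name <input name="maiden"></label>
data_end
data_after
<button type="submit">Sign in</button>
data_end
"""


def parse_webinject(config):
    """Parse set_url / data_* stanzas into a list of rule dicts."""
    rules, cur, key = [], None, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            cur = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                   "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(cur)
        elif stripped in ("data_before", "data_inject", "data_after"):
            key = stripped
        elif stripped == "data_end":
            key = None
        elif key is not None:
            cur[key] += line + "\n"
    for r in rules:
        for k in ("data_before", "data_inject", "data_after"):
            r[k] = r[k].strip()
    return rules


def url_matches(pattern, url):
    """set_url patterns use '*' as a wildcard; everything else is literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, url) is not None


def apply_injects(html, rules, url):
    """What the trojan does in the browser: replace whatever sits between
    data_before and data_after with data_inject (or just append after
    data_before when data_after is empty)."""
    for r in rules:
        if not url_matches(r["url"], url):
            continue
        start = html.find(r["data_before"])
        if start == -1:
            continue
        start += len(r["data_before"])
        end = html.find(r["data_after"], start) if r["data_after"] else start
        if end == -1:
            continue
        html = html[:start] + "\n" + r["data_inject"] + "\n" + html[end:]
    return html


class FormFieldCollector(HTMLParser):
    """Collect the names of every input-like element, in document order."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    p = FormFieldCollector()
    p.feed(html)
    return p.fields


def injected_fields(served_html, rendered_html):
    """Page-integrity check: fields present in what the user sees that the
    server never sent. A non-empty result is the tell the user cannot spot."""
    baseline = set(form_fields(served_html))
    return [f for f in form_fields(rendered_html) if f not in baseline]


if __name__ == "__main__":
    rules = parse_webinject(WEBINJECT_CONFIG)
    rendered = apply_injects(SERVED_HTML, rules, "https://bank.example/login?lang=en")
    print(rendered)
    print("fields the bank never sent:", injected_fields(SERVED_HTML, rendered))
```

The rendered page uses the bank's own labels and markup, so nothing about it looks wrong from the user's seat; the only reliable signal is the comparison with the server-delivered baseline, which is why this check has to live in a tool rather than in the user's judgement.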

In either of these scenarios, it is a mistake to assume the user can recognize something isn’t right. In these scenarios, who could? They need help from tools that can identify the presence of banking trojans and other malware on their systems, and benefit most from blocking their installation in the first place.

The latest wave of ransomware attacks has not relied on users at all

While phishing and other attacks that rely on tricking users still pose a significant risk, some of the most prominent and widespread recent infection scenarios haven’t involved users at all. Take the WannaCry and NotPetya outbreaks, for example. Following initial infections, both spread by exploiting the same unpatched SMB vulnerability (MS17-010) on reachable remote systems, while NotPetya also abused otherwise legitimate system tools like PsExec and WMIC to move laterally across compromised networks.
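Because PsExec and WMIC are legitimate administration tools, blocking them outright is rarely an option; what distinguishes a worm from an administrator is the pattern of use. The following is an added example, not code from the original article or from any vendor: it runs a small detection over constructed process-creation events (JSON lines using Sysmon-style field names UtcTime, Computer, User, Image and CommandLine), flags remote WMIC `process call create` and PsExec invocations, and raises a higher-severity alert when a single host fans out to several targets within a short window. The hosts, users, paths, the payload name upd.exe and the thresholds are all invented for the illustration.

```python
"""Detect PsExec/WMIC lateral movement in process-creation telemetry.

Added example, not from the original article. Events are constructed JSON
lines with Sysmon Event ID 1-style field names; nothing here is real data.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed events: WS01 pushes a payload to three hosts in nine seconds
# (worm-like), ADMIN01 runs a one-off PsExec (admin-like), WS03 shows the
# PSEXESVC service that PsExec drops on a target, plus two benign events.
SAMPLE_EVENTS = [
    r'{"UtcTime":"2017-06-27T10:30:05Z","Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic /node:10.0.0.12 /user:CORP\\jdoe process call create \"C:\\Windows\\Temp\\upd.exe\""}',
    r'{"UtcTime":"2017-06-27T10:30:09Z","Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic /node:10.0.0.13 /user:CORP\\jdoe process call create \"C:\\Windows\\Temp\\upd.exe\""}',
    r'{"UtcTime":"2017-06-27T10:30:14Z","Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\Temp\\psexec.exe","CommandLine":"psexec.exe -accepteula -s -d \\\\10.0.0.14 -c C:\\Windows\\Temp\\upd.exe"}',
    r'{"UtcTime":"2017-06-27T10:30:20Z","Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic /node:localhost process call create notepad.exe"}',
    r'{"UtcTime":"2017-06-27T11:02:41Z","Computer":"ADMIN01","User":"CORP\\helpdesk","Image":"C:\\Tools\\PsExec64.exe","CommandLine":"PsExec64.exe \\\\FS01 ipconfig /all"}',
    r'{"UtcTime":"2017-06-27T10:30:15Z","Computer":"WS03","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\PSEXESVC.exe","CommandLine":"C:\\Windows\\PSEXESVC.exe"}',
    r'{"UtcTime":"2017-06-27T10:31:00Z","Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe report.txt"}',
]

# wmic /node:<host> ... process call create ...  (quotes around host optional)
WMIC_REMOTE = re.compile(r'/node:"?([^\s"]+)"?.*process\s+call\s+create', re.I)
# psexec \\<host> ...
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}


def classify(ev):
    """Return (kind, target) for a remote-execution event, else None."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["CommandLine"]
    if image == "wmic.exe":
        m = WMIC_REMOTE.search(cmd)
        if m and m.group(1).lower() not in LOCAL_NAMES:
            return ("wmic_remote_exec", m.group(1))
    if image in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_TARGET.search(cmd)
        if m:
            return ("psexec_remote_exec", m.group(1))
    if image == "psexesvc.exe":
        # The service PsExec installs on the *target*; this host was reached.
        return ("psexec_service_on_target", ev["Computer"])
    return None


def detect(lines, fanout_threshold=3, window_seconds=600):
    """Medium alert per remote-exec event; high alert when one source host
    reaches >= fanout_threshold distinct targets inside window_seconds."""
    alerts = []
    per_source = defaultdict(list)  # source host -> [(timestamp, target)]
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev)
        if hit is None:
            continue
        kind, target = hit
        alerts.append({"severity": "medium", "kind": kind, "host": ev["Computer"],
                       "user": ev["User"], "target": target})
        if kind.endswith("remote_exec"):
            ts = datetime.fromisoformat(ev["UtcTime"].replace("Z", "+00:00"))
            per_source[ev["Computer"]].append((ts, target))
    for host, hits in per_source.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {tgt for ts, tgt in hits[i:]
                         if (ts - t0).total_seconds() <= window_seconds}
            if len(in_window) >= fanout_threshold:
                alerts.append({"severity": "high", "kind": "lateral_movement_fanout",
                               "host": host, "targets": sorted(in_window)})
                break  # one high alert per source host is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The per-event alerts are deliberately medium severity: a help-desk PsExec to one file server is normal and will trigger them all day. The fan-out rule is what separates NotPetya-style propagation from routine administration, and the threshold and window are the knobs to tune against your own baseline of legitimate remote-admin activity.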

These are complex developments in attack vectors, and simply blaming the user for providing an easy access point isn’t credible anymore. Raising user awareness of security issues, and training users to identify and report attempted attacks, remains one crucial brick in the wall of security. But companies also need to dedicate themselves to protecting users and eliminating the blind spots caused by unpatched systems and a lack of strong endpoint protection.
