Connect with us

Hi, what are you looking for?



User Security is a Responsibility, Not an Excuse

Ask an IT person what the weakest link in their organization’s security is, and you’ll invariably get a witty take on the same derisive answer: “Meatware.” “Our walking, talking vulnerabilities.” “PEBKAC” (problem exists between keyboard and chair).

Ask an IT person what the weakest link in their organization’s security is, and you’ll invariably get a witty take on the same derisive answer: “Meatware.” “Our walking, talking vulnerabilities.” “PEBKAC” (problem exists between keyboard and chair).

In short, they point the finger at users. In part because, for the majority of successful breaches, the common entry point typically is a user. But another reason is that despite all the security tools and policies IT departments have in place, users will always be a wildcard — the one thing they can never fully control.

It’s easy to understand the frustration. Over the past 20 years, the topic of cybersecurity has become a public discussion. Most users have become more exposed and sensitized to the risk, and have some amount of awareness training. Still, the Identity Theft Resource Center describes a 40% rise in breaches in 2016, and the Ponemon Institute and Experian have highlighted continuing organizational concerns around the exploitability of users.  

 Is the appropriate response to blame the victim when increasingly sophisticated attacks and the rise in credential thefts are making any user’s goal of protecting themselves much more difficult? Or should the security community, instead, be providing them with better information and defenses, including a more complete view of the criminal tactics involved? 

In this two part series, I’ll start by detailing some recommendations to create more aware users, who may even become just a little more paranoid about these risks.  In Part 2, I’ll describe new tactics criminals are using to launch newer and more sophisticated link-based attacks against users, and offer further suggestions for how we can help users by equipping them not just with information, but with technology.

Phishing Has Evolved: Helping Users Avoid Socially-Informed Attacks

In its early forms, phishing was used as a means to deliver malicious payloads directly to the desktops users, with the expectation that the unwary would click to open malicious PDFs, images, documents, or disguised executables. The messages were generic and came from dubious sources, so users were taught to ignore attachments from sources they didn’t recognize. As this started to impact phishing success rates, better informed campaigns developed.

Advertisement. Scroll to continue reading.

To improve their chances, attackers have adopted more tactics that make it difficult for victims to differentiate between legitimate and malicious messages. Not only do they hide malicious links in what appears to be safe attachments, they also mine social media profiles and contact lists to make their emails look like they’re coming from someone the victim knows and trusts.

The new methods are working. According to Wombat Security’s State of the Phish report, phishing emails personalized with the recipient’s first name had click rates 19 percent higher than those with no personalization.

Users can’t be expected to keep up to speed with the traps that are being set for them without some help.

To protect themselves, users need to know that these new risks exist, and security professionals should add two talking points to their awareness arsenal:

 1. Never respond to connection requests that arrive in email – When someone attempts to connect, go to the actual site or application and look for the invitation before considering accepting. As an example, it is a very simple matter to create a forged LinkedIn request that looks very much like the real thing, but to use the links to direct victims to malware sites instead, without ever involving the real LinkedIn. 

LinkedIn has a support page that provides some guidance on recognizing a real invitation. I regularly speak to audiences where some large minority hasn’t considered that these kinds of invitations may be illegitimate.

2. Be prudent in your connections – This is both a personal and a community responsibility. Users should not connect to people with whom they have no association or personal contact. Doing so does more than jeopardize their own security, it adds their imprimatur to the authenticity of the connecting individual, who may well be malicious.  

There was an enlightening and well-documented exercise of this delivered by security researcher Thomas Ryan at DefCon USA 2010, titled “Getting in Bed with Robin Sage”. In it, Ryan created a fictitious security analyst who managed to connect to hundreds of individuals, including “executives at government entities such as the NSA, DOD and Military Intelligence groups.” A similar operation, but not officially disclosed or documented, was allegedly conducted by British GCHQ, according to der Spiegel reporting in 2013. Users should also be encouraged to regularly review their existing connections, pruning out any that appear to be fake.

These well-established attacks continue to succeed among our users, for all of the reasons described.  In this first installment we have begun to help the users help themselves. In Part 2, we’ll look at ways that the threats are advancing and technical means through which security teams can support their users and reduce the amount of blame to go around.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...