15 years of InfoSec and people are still the issue
I took the decision to move out of Information Security a few months ago, having become a little jaded with the same themes, the same problems, and the same old vendors re-labelling old technologies as the new panacea. It caused me to reflect and then go back to a blog post I’d started 6 months ago.
Events such as the Experian hack, the suggestion that millennials are free and easy with their online habits, and more recently Dridex help to keep Cyber-Security in the public eye (and the addition of “Cyber” is intentional, as it would seem it isn’t enough to just say “Information Security” these days!). Yet despite all of this publicity, despite all of the “new” solutions, people are the problem. And even worse, there still isn’t enough board participation – according to the latest report from Stewart Room’s team at PWC (click on explore the data, then the leadership tab!)
Ah…users. They were just as feckless back when I was an IT practitioner (88-96) as they are now – possibly a little more these days. Controversial statement maybe, but you only have to be a Facebook or LinkedIn user to nod your head in agreement, given the howling things people do (or don’t do) online. I did make a comment on this before in my blog post “Beyond the looking glass”, although an item shared by one of my contacts seemed to fly in the face of this – suggesting that 83% of 18-34 year olds are concerned with online privacy, along with 8 out of 10 people surveyed overall.
I had been meaning to write something along these lines for a while, and it was seeing Graham Cluley’s recent video that prompted me to get around to it. In his video, he is appealing to all users to take some responsibility – which, whilst I wholeheartedly agree with it, I wonder if it will ever change. Just recently at IP Expo, I was chatting with a couple of InfoSec professionals, who were bemoaning a recent incident whereby users had opened one of the recent phishing emails that had “your invoice” attached. Like them, I could not understand why someone would want to open an email from a person they did not know – especially if their day job has nothing to do with receiving invoices. But for whatever reason, the end user opened it, and the rest was history…..
As Graham points out in his video, Dridex wasn’t exploiting any vulnerability “per se” – apart from the “pink interface”. So in other words, all of those very clever anti-malware/APT protection/“emperor’s new clothes” solutions have zero effect on stopping it. In fact, having worked around this space for a few years, the newer methods of pushing out malware are so sophisticated that each piece of malware is made unique for every email (bang goes your traditional and heuristic AV!), and it is often intelligent enough to detect counter-measures (it detects the IP addresses of the security vendors – and can recognise the machine-based VMs used in sandboxing), so bang go the shiny new APT solutions – ultimately you are chasing a diminishing return. Arguably, the only effective way to (try and) stop this is to implement an application whitelisting approach such as AppSense or Avecto – although this presents other challenges, such as making sure patched versions of “allowed” applications are maintained to avoid false positives.
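To make the argument above concrete, here is a small added illustration (mine, not code from the original post, and nothing to do with the AppSense or Avecto products themselves). It models three things with constructed byte strings standing in for executables: a per-recipient re-packed payload gets a fresh hash every time, so a hash-based denylist that knows the “original” never matches the variants; a hash-based allowlist blocks the variants regardless of how many there are, because none of them is an approved binary; and the caveat in the text – the moment an approved application is patched, its hash changes and it is blocked too until the allowlist is updated. All names and sample bytes are invented for the example.

```python
import hashlib
import os
from typing import Dict, Set

def sha256(data: bytes) -> str:
    """Hex digest used as the identity of a 'binary' in both control models."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables (plain byte strings, not real software).
APPROVED_APP_V1 = b"ACME Invoice Viewer 1.0 -- trusted line-of-business application"
APPROVED_APP_V2 = b"ACME Invoice Viewer 1.1 -- trusted line-of-business application (patched)"
MALWARE_BASE = b"DOWNLOADER: fetch second stage and execute it"

def make_unique_variant(base: bytes, recipient: str) -> bytes:
    """Simulate per-email re-packing: identical behaviour, different bytes.

    Appending the recipient plus a few random bytes is enough to change the
    hash; real packers re-encrypt or re-order the whole file, with the same
    effect on signature-based detection.
    """
    return base + b"\x00" + recipient.encode() + os.urandom(8)

def denylist_blocks(sample: bytes, known_bad: Set[str]) -> bool:
    """Traditional signature model: block only what we have already seen."""
    return sha256(sample) in known_bad

def allowlist_blocks(sample: bytes, approved: Set[str]) -> bool:
    """Application whitelisting model: block anything not explicitly approved."""
    return sha256(sample) not in approved

def simulate() -> Dict[str, bool]:
    """Run both models over the original payload, two unique variants and the
    approved application before and after a patch; return the outcomes."""
    known_bad = {sha256(MALWARE_BASE)}          # what the AV vendor has a signature for
    approved = {sha256(APPROVED_APP_V1)}         # what the business has approved to run

    variant_a = make_unique_variant(MALWARE_BASE, "alice@example.com")
    variant_b = make_unique_variant(MALWARE_BASE, "bob@example.com")

    return {
        # The signature catches the sample it was written for...
        "denylist_catches_original": denylist_blocks(MALWARE_BASE, known_bad),
        # ...but neither per-recipient variant, because each has a new hash.
        "denylist_catches_variant_a": denylist_blocks(variant_a, known_bad),
        "denylist_catches_variant_b": denylist_blocks(variant_b, known_bad),
        "variants_have_different_hashes": sha256(variant_a) != sha256(variant_b),
        # The allowlist does not care how many variants exist: none is approved.
        "allowlist_blocks_variant_a": allowlist_blocks(variant_a, approved),
        "allowlist_blocks_variant_b": allowlist_blocks(variant_b, approved),
        # The approved application still runs...
        "allowlist_permits_app_v1": not allowlist_blocks(APPROVED_APP_V1, approved),
        # ...until it is patched: the new hash is a false positive until the
        # allowlist is maintained, which is the operational cost the text warns about.
        "allowlist_blocks_patched_app_until_updated": allowlist_blocks(APPROVED_APP_V2, approved),
    }

def update_allowlist_for_patch(approved: Set[str], new_binary: bytes) -> Set[str]:
    """The maintenance step: approve the patched build so it is no longer blocked."""
    return approved | {sha256(new_binary)}

if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check:45s} {outcome}")
```

Real products usually let you approve by publisher certificate or installation path rather than per-file hash, precisely to soften the patching problem shown in the last check, but the trade-off is the same: the broader the rule, the less it relies on the user, and the more an attacker can hide inside whatever the rule already trusts.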
So, what has 15 years in InfoSec taught me? That the AV vendors from years gone by have done a great job in maintaining their revenues, yet offering little innovation, while everyone focuses too much on the tools to protect the infrastructure – instead of focusing on the “tools” using the infrastructure. All of the risk assessments, the “best of breed” products, the “cyber” solutions are nothing without a well thought out awareness campaign that actually resonates with users and makes them think about what they’re doing.
The question is, will it ever change?…..