End-Users And The Enduring Challenge To IT Security

By ISBuzz Team
Writer, Information Security Buzz | Feb 24, 2014 11:42 pm PST

SUNNYVALE, CA—A leading Internet security provider recently released a report revealing how attackers exploit end-users’ human flaws to undermine even the most secure cyber security systems.

The newest study, released by Proofpoint, Inc., is entitled “The Human Factor.”

Among other things, the report notes how today’s APT attacks are socially engineered, sophisticated, and focused campaigns that prey on end-users’ curiosity. One particularly efficient means of attack is Longline Phishing, in which attackers employ spear-phishing techniques and mass-customization to generate thousands of individualized, infected emails that largely go undetected by traditional security software.

How end-users treat malicious emails is therefore important, for it reveals a side of cyber security other than system design.

“The Human Factor” presents a number of findings that could help shape the future of security on the web. These include:

– 10% of users who receive an email containing a malicious link will click it. This percentage decreases to 1% at “best-of-breed” companies that train their employees and create generally effective security systems.

– An overwhelming majority of people click on malicious links from their PCs and not from their mobile phones.

– Despite traditional recommendations that training repeat clickers of malicious links will diminish the number of intrusions, one-time clickers are responsible for as much as 40% of online security breaches.

– Nearly seven percent of users click on malicious links nearly a month after having received an infected email.

The report also found that emails posing as LinkedIn invitations are clicked on twice as often as any other template, including order confirmations and financial transactions. This might help to explain other attacks such as last year’s campaign in which fake profiles displaying pictures of beautiful women attracted thousands of LinkedIn connections, mainly men, via the promise of jobs.

In response to the findings presented above, Proofpoint recommends solutions that are similar to its Targeted Attack Protection software. This product uses big data analysis and cloud architecture coupled with a “full lifecycle approach” to identify malicious emails, monitor their transmittal, and track how users engage with these emails.

But whether one purchases software from Proofpoint is not the point. What is important about “The Human Factor” is that it reflects a greater reevaluation within the cyber security community: end-users are human and make mistakes, which in turn requires that security companies accept that breaches will occur.

That is not to undermine system security. However, as users can and do negate secure system design by clicking on malicious links, security providers should create software that focuses on surveillance, particularly on analyzing historical email traffic and, once identified, the malicious emails that may have gotten through security systems.

In today’s cybersecurity environment, training and system design must therefore be combined to account for the shortcomings of each and to respond to the increasingly diverse and sophisticated array of cyber threats facing system analysts.

David Bisson | @DMBisson

Bio: David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation. He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern. Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.
