I recently ramped up my spam filters for my email client. Since I work in IT security, it’s pretty important that I don’t become the point of origin for any malware snaking its way through the organizations for which I work. “Inadvertently infected clients with the malicious software I was supposed to protect them against” doesn’t play well on a résumé.
It only takes one slip of the finger — or, if we’re being honest with ourselves, the slightest pique of our curiosities — and Pandora’s box of security threats is thrust open.
Security professionals know this. It’s become almost an adage in our field: users are the most vulnerable point of entry to a system. Here are some truths: 1. The human element is the weakest security vector; 2. There’s only so much we as security professionals can do about it; and 3. Black hat hackers are acutely aware of truths 1 and 2.
Reports indicate that it only took one email to compromise the entire DNC system. Unsecured servers didn’t expose sensitive government data — a person clicking a link did. We can write programs and execute code to prevent our servers and systems from falling prey to attacks, but we cannot program our employees.
After reprogramming my email security filters, I knew that some “legitimate” emails had fallen through the cracks and been identified as insidious or junk. So I proceeded to do something I rarely do: I cracked open the spam folder and started to trawl through it by hand.
What I found was equal parts laughable, expected, and disturbing. While we are constantly improving and training our systems to identify and quarantine threats, the threats are getting better at targeting and tricking us. In part 2, I’ll examine how we get tricked.
The metaphor of the Trojan Horse has never been more apt. Security professionals are the elite Trojan warriors armed to the teeth, fortifying our city against the invading Greek troops. We fend off siege after siege only to be undone by one foot soldier opening the gates for a seemingly innocuous offering to Athena.
All of this serves to underscore the importance of training our workforce. We can have the best security professionals putting up the best firewalls and conducting all of the penetration tests to find all the holes in the system itself, but if your average employee doesn’t know not to click on that suspicious link, Troy might still burn.