Originally Posted on January 31, 2014:
In the ever-changing world of complex IT security, nothing really changes. That sounds paradoxical. There are always new, complex, brilliantly constructed attacks against computer systems. Almost every company and individual on the planet has a backlog of patches to apply, from operating systems to browsers to the applications that run our businesses, and most of those patches address vulnerabilities that have only recently been discovered or exploited. Like I said, the world of IT security is ever-changing and complex. And like I said, nothing ever really changes. Let me explain.
Let’s start by deconstructing what we know about the Target breach. It is the most prominent example on everyone’s mind at the moment. We have all heard the stories about customized point-of-sale malware that scrapes card numbers out of process memory during the brief window in which the data sits unencrypted. We have also heard about creative exfiltration techniques involving compromised data center resources and network port manipulation. Questions are flying around the industry about well-known network and systems management software and whether a previously unknown vulnerability in it was exploited to gain entry to the CDE (cardholder data environment). Yet with all of this speculation, and with all of the complexity of the attack being bandied about in the press, the truth of the matter is that this attack began like almost every other one that preceded it. Someone was socially engineered.
When it comes to the specifics of the Target breach, the best money is on a spear phishing attack against one of Target’s vendors, which would have exposed privileged user credentials and gotten the party started for the perpetrators. So, with everything going on in this breach and all of the scary technology being discussed, it all really comes down to an email and a careless user. Nothing really changes.
So how should the IT security community respond to this fact? Judging by the number of cold calls and mass-market emails in my inbox, software and appliance vendors have a solution to fix this problem. That solution ranges from better logging to stronger A/V to application whitelisting to network monitoring to hardware-based encryption. Don’t get me wrong: these are all useful technologies, and each has a place in a strong, multi-layered approach to IT security. But don’t lose sight of the initial email that started this ball rolling. Don’t let that email fall off your remediation plan. In fact, in my humble opinion, you need to move it to the top of the list.
End user awareness training is one of those areas in which almost everyone sees value, but very few take seriously. It is tough to plan and implement, and it often falls well outside the comfort zone of most IT professionals. It also lacks the hard, quantitative metrics to which IT personnel love to cling. At the end of the day, it involves working with people, and people are hard. Computers are easy. Wombat, PhishMe and others are starting to make progress in the tools and services space to address this problem, but they face an uphill battle. Those line items are often the first to be cut when security budgets get tight. “There is always next year” becomes the battle cry.
I think it is time to stand up and fight the good fight. We are a community of professionals willing to work together to make things better, and therefore safer. We have to learn to focus on the right fruit to harvest because, unfortunately, it is not always going to be the low-hanging variety. Send out some educational emails. Teach a seminar or a lunch-and-learn. Set up a table in the cafeteria. Do whatever it takes. In the complex, ever-changing world of IT security, we cannot let ourselves be defeated by a well-placed email.