
Dumb end-users

As many a company has discovered, all the security in the world won't work if your users are giving away the keys to the vault. What's to be done?

By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 20 Sept 2010

The problem with security has always been the end-user, frequently referred to as 'the dumb end-user' by frustrated systems administrators the world over. Any amount of security is only as good as the people who have to log on to the systems, and much debate and effort has gone into finding the balance between security and functionality, i.e., secure enough not to pose obvious risks without being so onerous that the system becomes practically worthless.

As the cyber war heats up, the next logical place to start battening down the hatches is on the end-user front.

CA Southern Africa's principal consultant, security, Maiendra Moodley, says the issue still remains the end-user. “We've spent lots of time and effort building more substantial security systems, but it's as if we've built a medieval fort, with strong walls, which is wasted if the door is open and the guard is asleep.”

“Recent reports have shown that over 327 million attempts were made to infect computers in different countries around the world during the first three months of 2010. This is a 26.8% rise on the previous quarter,” says Intel South Africa's enterprise technology specialist Vince Resente.

“According to a recent report by the FBI Internet Crime Complaint Centre, South Africa is now ranked seventh within the top 10 cyber-crime perpetrators list, with its African counterpart Cameroon recently added to the rankings in ninth place. Startling statistics, especially if you consider that having hosted the 2010 Fifa Soccer World Cup, South Africa is fast becoming a hot cyber crime destination, and as Internet penetration in the country becomes more widespread, cyber criminals will become more sophisticated locally, developing viruses and real-time threats to target both enterprises and consumers in a variety of ways,” says Costin Raiu, chief security expert, EEMEA, Global Research & Analytics Team at Kaspersky Lab.

“The Association of Certified Fraud Examiners (USA) 2010 Report to the Nations on Occupational Fraud and Abuse studied 1 843 cases of insider fraud from 106 countries from January 2008 to December 2009. Researchers reckon the typical organisation loses five percent of revenue to insider fraud. Applied to the estimated 2009 Gross World Product, this translates to a potential global insider fraud loss of over $2.9 trillion,” says Mark Eardley, Eardley & Associates. “Almost 90% of insider cases involved billing, fraudulent payments, payroll and expenses. Nearly 25% of the cases cost the employer at least $1 million and frauds spanned a median of 18 months before being detected, indicating that internal controls aren't working.”

Up the ante

Says Moodley: “Increased adoption of cheaper, 'always-on' broadband connections means there are new external risks. These risks are linked to the increasing number of Internet connections and users in the African region and include the region becoming a target for hackers wanting to establish bot and zombie networks of compromised machines that they can control, increased amateur hacker activity, increased activity by professional cyber crime syndicates and increased risk exposure resulting from the adoption of social networking services by users.”


The financial services sector is usually hardest hit when the other side ups the ante.

Says Kris Budnik, partner in Risk Advisory at Deloitte: “Deloitte's 2010 Financial Services Global Security Study found that the security practices of global financial institutions are focusing primarily on identity and access management (IAM) tools and data loss prevention. Accordingly, security budgets have been boosted, with 56% of respondents globally having increased their information security budgets over the past 12 months. Locally, companies have maintained their security budgets despite the pressures presented by the financial crisis, an extremely positive sign. The introduction of King III has also raised awareness around security and privacy.”

Two-fold problem

The war is being fought on two fronts: intruders trying to breach systems from outside, and those using tactics like social engineering to gain access to systems using stolen credentials.

Says Budnik: “Internal threats are the most difficult to target. How do you fix behaviour and people? Times are tough. Fraud is still at an all-time high on the back of the financial crisis and the pressure individuals are under means they have become far more susceptible to criminals targeting areas we've traditionally been bad at.”

Add to this the really dumb end-users - new home users - and you have a recipe for disaster.

“First-time buyers,” says Resente, “buy the machine, take it home, never install anti-virus, never patch it, go to sites, get infected... Computing is an integral part of our daily lives and with the increase in bandwidth and accessibility, people tend to be more experimental, often not hesitating to download information from various sources and install new and trendy applications onto their PCs.

“This, coupled with the need to become more and more mobile, means the usage of computing devices for personal and business use is becoming blurred, making it hard to secure the company and personal data against viruses and other potential threats,” he says.

“Fake anti-virus programs, among other scams, also continue to be developed and have flooded the Internet. The creators of such malware use a variety of techniques in order to trick users, such as copying the interfaces of popular security solutions. Unfortunately, often it is new users who become the victims of these scams as they are not aware of the dangers,” he says.

Teach them

There is a strong need for education - and not the 'brain-dump security policy into new employees' heads on day one during initiation' approach favoured by most corporates.

Says Moodley: “Who is responsible for protecting end-users? This is shared across the framework - it can't just be business or government or simply education.”


Says Tareque Choudhury, head of Security Practice and Professional Services Middle East and Africa - BT Global Services: “Within the general public, it is the responsibility of the local government to protect end-users. Countries with a high rate of Internet users have set up a type of CERT (Computer Emergency Response Team), whose primary role is to monitor the cyber activity for threats and any trends associated with it. It is within this type of organisation that educating the public falls. In the corporate environment, education falls within the information security team. Their responsibility is to set up awareness programmes to ensure that security is a core part of their IT training. The information security team should work closely with human resources so that security is a core part of HR processes with regards to employee induction, ongoing training and employee exits.”

Which is fine inside a company, but what about home users?

“The challenge of modern security is that social networks encourage a level of over-sharing that many of the traditional security measures are just not strong enough to counter,” says Mimecast chief security officer Dr James Blake. “The most global example of this was when Sarah Palin's Yahoo account got hacked because a hacker had guessed her date of birth and high school. With simple password protection questions like 'mother's maiden name' and 'first dog', the answers to which can be gleaned from the sort of information shared on social networking sites, it can be quite easy for hackers to slip through the password net and gain access to personal and professional e-mail accounts or profiles.

“It is only through increasing human beings' awareness of how to protect information and how to spot a phishing, hacking or scamming ploy that individuals and companies will be protected. I think that the people of Africa have a lot to learn, but I don't think that they have any more to learn than the average American or Jamaican or Italian, but it's best they start learning now,” he says.

“What we have to realise is that if we are providing online services to clients, we have to educate them,” comments Moodley. “At the end of the day, if a client loses money from a bank, whether it's a physical hold-up or an online phish, the client still believes the company they are dealing with has an obligation to them, rightly or wrongly.

“So if you want to protect your value stream and keep your customers, you need to educate them. When you go to an ATM, the bank has got signs up because it wants people to use the channel and to keep them protected. It's cheaper for the bank. If the bank didn't put up signs and make people aware, they wouldn't use ATMs, they would go to a branch.

“So if you want them to use online versus the branch, you need to secure the channel for the customer, educate them as to risks, tell them that they need patches and how to install them. It needs to be that level of education because if you want a channel to become valid and be used, you need to instil confidence,” he states.

Complicated systems

Budnik also raises the education issue.

“I think we don't do enough in terms of educating and training people and this is why the end-user threat can become significant,” he says.

The problem, he says, is that the challenge of being able to control an environment when it is getting increasingly complex is almost insurmountable. “The way information is shared, stored and leaked across an organisation and how it is used across lines of business, is incredibly complex, and it is not possible to totally protect it unless we go to consolidation and simplification initiatives to make the environment less complicated.”

“Security has evolved dramatically in the last five years,” says Clive Brindley, HP SA solutions architect, HP Software and Solutions. “If you look at where we've come from as an industry, we've had strong technology for years - firewalls, intrusion prevention and so on that can do fancy things. The biggest vulnerability is in the application space and that impacts social media.


“SOA, Web 2.0, mash-ups and the applications level is where complexity is, and 65% to 70% of exploits exist at the applications level. Facebook, Twitter, MySpace have all been hacked because the applications are so complex and interlinked that it is very difficult for IT organisations to manage. The huge focus on applications by the industry is what has resulted.”

Developers don't necessarily understand security, which is another challenge, Brindley notes.

Concludes Moodley: “If you don't drive education, even from a school point of view in terms of teaching people about IT, you are losing an opportunity. It's like teaching them to drive; you need to teach people to drive safely and not drink and drive, etc. It calls for far more inclusive partnership.”
