- \n
- Can technology ever solve the problem & what are the best approaches?<\/em><\/li>\n
- Can awareness training ever solve the problem? How?<\/em><\/li>\n<\/ol>\n
If the answer is \u2018no\u2019 to both; then should we concentrate on accepting that it will succeed, and concentrate on discovering and mitigating the effects of a successful phish?<\/em><\/p>\n
The question is this: are phishing and other manifestations of cybercrime purely technological problems? Even if this were the case, does it follow that they could therefore be solved by technology alone?<\/p>\n
To some extent, the security software industry relies on the idea that there is always a technological answer to a tech problem (as, indeed, it has persuaded many of its customers to expect), but \u2018always\u2019 is a big word.<\/p>\n
In general, when we address an attack vector technologically, the bad guys start working on finding ways round the roadblock. That doesn\u2019t mean we shouldn\u2019t look for technical solutions, but it does mean that we can\u2019t usually find a once-and-for-all-time fix. Sometimes we eventually abandon an approach altogether; more often we keep recalibrating as the nature of the threats changes.<\/p>\n
It may be broke, but can you fix it?<\/h2>\n
There\u2019s more to surviving in a threat and counter-threat ecology than technological thrust and parry, though. To expect the security industry to fix everything is about as realistic as expecting medical technology to eradicate disease, or forensic technology to eradicate crime in the physical world. The online world doesn\u2019t have a single choke point where a single security solution can be applied and everyone will be protected, even if such a solution existed.<\/p>\n
Perhaps we need a better word than solution. Something that sounds less like a \u2018this is the glorious victory at the end of the war\u2019 and more like \u2018this might win us this skirmish.\u2019 To quote myself (in an article for Heimdal Security to which I contributed<\/a>):<\/p>\n
The security industry is pretty good at providing a wide range of partial solutions to a wide range of technological attacks, but technology continuously evolves on both sides of the white-hat\/black-hat divide, so \u2013 marketing claims notwithstanding \u2013 there is never 100 percent security across the board. Least of all from a single product. In most cases, organizations and individuals choose what defensive measures they take, and indeed whether to protect themselves at all.<\/em><\/p>\n
Unfortunately, those choices will not always be the choices that security experts would consider to be the best.<\/p>\n
Technology versus people<\/h2>\n
![\"security](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/08\/tech_human-300x233.jpg\")
<\/a><\/p>\nPhishing isn\u2019t<\/em> (just) a technical problem, and nor is cybercrime in general. (I\u2019ll mostly be speaking about generic cybercrime in this article rather than just phishing.) In fact, cybercrime, like its pre-digital sibling, is primarily a social<\/em> problem, or rather a cluster of interconnecting social problems:<\/p>\n
- \n
- Criminal behaviour (online or offline), and the economic, educational and psychological factors behind it.<\/strong> To quote myself further: \u201cSociety can actually cause deviant behaviour where the individual must subscribe to more than one code, yet elements of one code are incompatible with another, leading to an uncomfortable state of cognitive dissonance, which might lead to \u2018irrational or maladaptive behaviour\u2019. In other cases, perhaps it\u2019s just that in an era where fake news dressed up as satire is the common currency of the social media, the evolution of technology has far outstripped the average person\u2019s ability to apply the common precepts of everyday socialization to the online world.\u201d<\/li>\n
- Victim behaviour, and similar underlying factors.<\/strong> By which I don\u2019t just mean victims recklessly failing to take reasonable precautions, but banks and other institutions contributing to the problem by failing to meet a sufficient standard of security when communicating legitimately with customers. Every time a bank sends out an email addressed to \u2018Dear valued customer\u2019 or including a multiply-redirected \u2018click here\u2019 link, they make it harder for potential victims to distinguish between phishing mails and legitimate mails. If they don\u2019t even know your name, how can you be sure that it\u2019s really your bank mailing you? If you can\u2019t tell where a link is pointing to, or if it goes to a site whose name appears unconnected with the bank, how on earth do you know it\u2019s safe?<\/li>\n
- Legislation and law enforcement issues.<\/strong> Even where there is appropriate legislation, the will and the resources aren\u2019t there to enforce it in a better-than-piecemeal fashion.<\/li>\n<\/ul>\n
Awareness, training, education<\/h2>\n
\u201cA GREAT DEAL OF WORK HAS BEEN DONE IN RAISING THE GENERAL LEVEL OF SECURITY AWARENESS AND SELF-PROTECTION THROUGH SOME FORM OF EDUCATION\u201d<\/span><\/p>\n
So can awareness training\/education ever solve the problem? Well, we\u2019ll probably never know for sure. Many times over the years, I\u2019ve said something like \u2018we don\u2019t know whether user education works because no-one\u2019s ever done it yet.\u2019 That\u2019s a rather glib and simplistic way of putting it, to be honest, though it will do as a response to the equally glib assertion that \u2018if user education was going to work, it would have worked by now\u2019. A great deal of work has been done in raising the general level of security awareness and self-protection through some form of education, and I like to think I\u2019ve made some contribution myself, as in this paper by Sebastian Bortnik and myself from 2014: Lemming Aid and Kool Aid: Helping the Community to help itself through Education<\/a>. In that paper we asked:<\/p>\n
How can we strike a balance when it comes to teaching of computer hygiene in an increasingly complex threatscape to audiences with very mixed experience and technical knowledge? Can user-friendly approaches to security be integrated into a formal, even national defensive framework?<\/em><\/p>\n
And we made some suggestions as to how that could be done.<\/p>\n
Education, Education, Education<\/h2>\n
![\"class](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/08\/education_security-300x200.jpg\")
<\/a><\/p>\nSince I first drifted into the security field, I\u2019ve generally seen myself as more of an educator (by intent, anyway) than a researcher. I realized long ago that there are hordes of people who are much better than I am at disassembling malware and writing code to detect malicious activity. I consider it a privilege to be able to work with some of those people (not only at ESET, but in the security industry as a whole), and I\u2019m honoured that they put up with me to the extent of reading my blogs and listening to my presentations.<\/p>\n
So while I couldn\u2019t do my job if I didn\u2019t have a reasonable grasp of malicious technology and the technologies that we have evolved to address them, my interest and abilities lie less in bits and bytes than in the psychosocial aspects of criminology and victimology. After all, my academic background is in social sciences as well as computer science, which is perhaps why I sometimes see things a little differently to my more technically gifted peers in the security industry, and have more faith that people who are not particularly IT-knowledgeable can, to some extent, be educated into being less vulnerable, certainly to attacks that are at least partially psychological rather than purely technological. I\u2019m afraid I\u2019m going to quote myself again<\/a>.<\/p>\n
Very, very often\u2026 a threat is less dependent on the effectiveness of its technology than it is on how effectively it manipulates the psychology of the victim.<\/em><\/strong><\/p>\n
Psychological manipulation of the intended victim is a core component of what we often call social engineering. Susceptibility to social engineering<\/strong> can sometimes be reduced by technical measures \u2013 the textual analysis of email messages with the aim of detecting text that is characteristic of a certain type of criminally-motivated communication, for example. However, educationalists favour a complementary, longer-term approach that involves making individuals more difficult to manipulate. <\/em><\/p>\n
Threat Recognition<\/h2>\n
One step towards achieving this is through relatively simplistic training in threat recognition: for example, the \u2018phishing quizzes\u2019 that Andrew Lee and I looked at in 2007 in a paper for Virus Bulletin (Phish Phodder: is User Education Helping or Hindering?<\/a>). But the KISS principle<\/a> is not always enough. What works in engineering design doesn\u2019t always work in education. There\u2019s a perpetual tension between keeping communication within the bounds of an audience\u2019s understanding yet accurate and comprehensive enough to go beyond soundbites. (The Eleventh Law of Data Smog<\/a>: \u2018Beware stories that dissolve all complexity.\u2019)<\/p>\n
Even a poorly designed quiz raises awareness of the problem, but may be worse than useless if it reinforces wrong assumptions on the part of the quiz participant. Some quizzes seem to promote a service: \u2018Discrimination is too difficult for your tiny brain; buy our product, or even use our free toolbar\/site verification service\/whatever\u2019. That\u2019s not wrong in itself; a vendor is in the business of selling products or services. If the product or service in question is free, it seems even more churlish to criticize, but there is a problem in that this message fosters dependence, not awareness; worse, that dependence is on a technical solution that is likely to rely on detecting specific instances of malice, rather than a generic class of detection.<\/em><\/p>\n
Clearly, there are other limitations in the effectiveness of a paternalistic \u2018Gods and ants\u2019 approach. By showing potential victims a few example threats, it may sometimes be that they\u2019ll be able to extrapolate from those when faced with different examples in the same class. But not often enough. Yet, however desirable it might be in theory to provide everyone with the analytical skills of an effective security expert, that clearly isn\u2019t a realistic possibility in the workplace, let alone at home.<\/p>\n
Not all advice is good advice<\/h2>\n
![\"security](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2017\/08\/advice_book-300x200.jpg\")
<\/a><\/p>\nThe implementation of a scheme that stands half a chance of educating everyone<\/em> who needs educating would require resources, understanding and coordination that make it highly improbable that such an implementation will be achieved in our lifetime, or that of our children. And not all advice is good advice.<\/a><\/p>\n
There\u2019s certainly plenty of free information available, from many sources: the media, security vendors, government agencies, law enforcement, and more-or less altruistically-minded individuals offering advice, product reviews and so on. Unfortunately, the quality of these resources is even more variable, and they\u2019re aimed at the sector of the community that may be least able to discriminate between good and bad advice. Especially advice that is in some sense competitive with other sources of advice. <\/em><\/p>\n
People Patching<\/h2>\n
But I\u2019m not very hopeful that education could ever change human nature so dramatically that X would never dream of scamming Y, even if Y was na\u00efve enough to fall for a scam anyway. Until education does<\/em> achieve the impossible, scammers will continue to scam, and in a technological age they\u2019ll use technology to achieve their crooked aims; laws and law enforcement will have only partial success; and victims will behave in the ways that cause them to become victims. However, education and training can help everyone<\/a> living in the digital to behave less<\/em> like victims.<\/p>\n
User education is also an essential part of sociological evolution. The threats we face on the internet are not new in concept: only in technological implementation. Social engineering attacks have been around since well before Helen of Troy. However, the economy of scale in the execution of such attacks was so relatively small that widespread education in recognition of the techniques used was not deemed necessary. The story of the Trojan horse has been taught for centuries as history and as a metaphor, but not seen as an illustration of one of the integral risks of everyday life. The Internet has resulted in an exponential increase in the use of social engineering attacks to the point where knowledge of how these attacks are perpetrated is a required life skill in contemporary society. <\/em><\/p>\n
(That\u2019s from a paper by myself and Randy Abrams: People Patching: Is User Education Of Any Use At All?<\/a>)<\/p>\n
Defense and self-defense<\/h2>\n
While the proper use of multi-layered defensive technology goes a long way towards protecting people without requiring them to be security experts, technology can be deployed more effectively to supplement and implement the education of those who use it, as discussed long ago by Jeff Debrosse and myself in the paper Malice Through the Looking Glass: Behaviour Analysis for the Next Decade<\/a>.<\/p>\n
After much research, it has become clear that taking game theory to the next level \u2013 determining the most likely action that a user will take in a given situation, enabling the reinforcement of \u2018safe\u2019 decisions and the sanctioning (or at least monitoring) of \u2018unsafe\u2019 decisions \u2013 can make for a much more secure computing environment for the end-user because their security software would be able to more accurately determine the outcome of their actions.<\/em><\/p>\n
These measures can help institutions to move away from grooming potential victims into accepting phishing messages uncritically by improving their own messages, as well as continually working towards improving their own security and that of their customers.<\/p>\n
Teach your children well<\/h2>\n
Here is an extract from another article \u2013 Internet Safety for Kids: 17 Cyber Safety Experts Share Tips for Keeping Children Safe Online<\/a> \u2013 to which I contributed, having been asked for \u2018The most important internet safety tip I can share with parents\u2019. As you\u2019ll have gathered from the title, the focus of Erin Raub, who compiled that article, was on advice to parents. However, it doesn\u2019t take a long acquaintance with Facebook and other social media sites to realize that many, many adults have never been educated in terms of critical thinking and healthy scepticism, and they too need help in order \u2018to teach them to trust their own judgement<\/strong> rather than rely entirely on technical solutions and conflicting \u2018official\u2019 information resources \u2026[and] direct them towards strategies for developing sound analysis and judgement\u2014what educationalists call critical thinking. But it\u2019s too critical a task to leave to educationalists\u2026\u2019<\/em><\/p>\n
It\u2019s important for everyone to recognize how unsafe the internet is, not only as a vector for direct attacks, but also as a source of information. So we shouldn\u2019t<\/em> abandon security education for adults or for children<\/a>, and we should continue to use and improve technology so that it becomes harder for the bad guys to mis<\/em>use. We should, of course, acknowledge that phishing and other elements of cybercrime will continue to find victims, and do whatever we can to minimize the impact on victims before as well as after the fact.<\/p>\n
- Victim behaviour, and similar underlying factors.<\/strong> By which I don\u2019t just mean victims recklessly failing to take reasonable precautions, but banks and other institutions contributing to the problem by failing to meet a sufficient standard of security when communicating legitimately with customers. Every time a bank sends out an email addressed to \u2018Dear valued customer\u2019 or including a multiply-redirected \u2018click here\u2019 link, they make it harder for potential victims to distinguish between phishing mails and legitimate mails. If they don\u2019t even know your name, how can you be sure that it\u2019s really your bank mailing you? If you can\u2019t tell where a link is pointing to, or if it goes to a site whose name appears unconnected with the bank, how on earth do you know it\u2019s safe?<\/li>\n
- Can awareness training ever solve the problem? How?<\/em><\/li>\n<\/ol>\n