Every day the news brings word of more or less sophisticated technical hacks that enable minor or major data breaches. In the best cases responsible disclosure is applied, so that the flaw is fixed before it is ever exploited in the wild.
Most of the known issues are fixed within a more (e.g. Firefox) or less (e.g. Apple) reasonable timeframe and the patch is rolled out to many of the relevant installations. Several are not (and I am looking at you, Android).
But weaknesses and threats are not necessarily tied to sophisticated buffer overflows or malicious code execution attacks in the first place. Many issues and problems, in both personal and corporate deployment scenarios, result from individual users doing the wrong thing. Many of us can be considered digital natives.
So we should expect them, and ourselves, to behave and act as responsible digital citizens when it comes to security, data protection and maintaining personal privacy. The truth is that many do not, and this is an ongoing challenge. A few examples:
- It seems unbelievable, but spam mails and their attachments (and users still clicking on them), drive-by downloads and phishing attacks by mail, Skype or messenger apps are still among the top 5 cyber security threats in 2015.
- One of the most widely reported data breaches of recent weeks did not require a sophisticated attack vector at all. Sensitive medical data was disclosed by a mass mail that listed every recipient address in the To: field rather than in Bcc:, so every recipient could see who else was on the list. Whether this happened by accident or through a lack of experience with how mail headers work, it could surely have been avoided: through education, through diligence, and perhaps through some intelligent checking in the mail client (more than 10 visible To: or Cc: recipients? Better ask the user to reconfirm that this is really what is wanted). Have you never sent a quick mail to the wrong recipient because your mail client's type-ahead picked a different address than you expected and you didn't check? Had an embarrassing moment texting or chatting with the wrong person?
- Again and again, weak, reused or default passwords, together with the unwillingness to activate multifactor authentication, continue to be major threats. And anyone who thinks they are safe would do well to check whether their account has already turned up in a known breach.
- Let's be honest: we all know those "power users" who have loads of tools installed to "unlock the hidden powers" of their systems. Those self-appointed experts who manipulate registry entries and read every tech magazine or blog to change their system's default behaviour. Who run untrusted software and cut and paste code from geek sites straight into the command line or the terminal. And who readily run arbitrary code with admin/root access, because otherwise this great new tweak doesn't work.
- On the other side there are those who still run outdated and unpatched systems like XP, for various reasons but definitely no good ones.
- The currently discussed issues around devices running older Android versions affected by the Stagefright vulnerability are a very real problem for many users. Apart from some patching initiatives and a few devices that are still maintained, a large fraction of Android devices is left with no option to upgrade or patch the system. Continuing to use them puts all personal and other data stored on them at risk, and every user is responsible for that.
- Talking about responsibility: some systems do come with an appropriate security concept and highly reliable mechanisms for protecting the user's privacy and security. Undermining these mechanisms by jailbreaking or rooting the device to gain more "freedom" from the vendor, and of course especially the freedom to run pirated software from some shady "app store" for free, has just recently again been proven not to be the cleverest idea.
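The "more than 10 visible recipients" check floated in the mass-mail item above, worked through as an added example (not code from the original post): it parses an outbound message with Python's standard email package, counts the distinct addresses every recipient will see in To: and Cc:, flags the mail when that count exceeds a threshold, and applies the usual remedy of moving the whole list to Bcc: with only the sender's own address left visible in To:. The two sample messages, the threshold constant and the function names are constructed for this illustration.

```python
"""Outbound-mail recipient check: flag a mail that would expose a long list
of addresses in To:/Cc: and rewrite it to use Bcc: instead.

Added example for this post, not the author's code. Sample messages,
threshold and function names are constructed for the illustration."""
from email import message_from_string
from email.utils import getaddresses

# Threshold suggested in the post: more than ten visible recipients is suspicious.
MAX_VISIBLE_RECIPIENTS = 10

# Constructed sample: a clinic reminder that puts eleven distinct patients
# (one listed twice) into To:/Cc:, with folded header lines as real clients emit them.
SAMPLE_MASS_MAIL = """\
From: clinic@example.org
To: patient01@example.net, patient02@example.net,
 patient03@example.net, "Pat Four" <patient04@example.net>
Cc: patient05@example.net, patient06@example.net, patient07@example.net,
 patient08@example.net, patient09@example.net, patient10@example.net,
 patient11@example.net, patient01@example.net
Subject: Your appointment reminder

Dear patient, please confirm your appointment next week.
"""

# Constructed sample: an ordinary two-recipient mail that must pass unchanged.
SAMPLE_SMALL_MAIL = """\
From: alice@example.org
To: bob@example.net
Cc: carol@example.net
Subject: Lunch?

Tomorrow at noon?
"""


def visible_recipients(raw_message: str) -> list[str]:
    """Return the distinct addresses every recipient will see (To: and Cc:).

    Bcc: is deliberately excluded: the sending client or MTA strips it before
    delivery, so those recipients are not disclosed to each other."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # getaddresses copes with display names, angle brackets and folded lines.
    addrs = [addr.lower() for _name, addr in getaddresses(headers) if addr]
    # Keep order but drop duplicates so the count reflects distinct people.
    return list(dict.fromkeys(addrs))


def check_outbound(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Verdict for the 'are you sure?' prompt: ok is False when the user must reconfirm."""
    addrs = visible_recipients(raw_message)
    if len(addrs) > limit:
        return {
            "ok": False,
            "visible": len(addrs),
            "reason": f"{len(addrs)} recipients would see each other's addresses "
                      f"(limit {limit}); move them to Bcc: or confirm explicitly",
        }
    return {"ok": True, "visible": len(addrs), "reason": ""}


def move_to_bcc(raw_message: str, placeholder_to: str) -> str:
    """Rewrite the mail so all former To:/Cc: recipients sit in Bcc: and only
    placeholder_to (typically the sender's own address) is visible in To:."""
    addrs = visible_recipients(raw_message)
    msg = message_from_string(raw_message)
    del msg["To"]   # removes every To: header, not just the first one
    del msg["Cc"]
    msg["To"] = placeholder_to
    msg["Bcc"] = ", ".join(addrs)
    return msg.as_string()


if __name__ == "__main__":
    verdict = check_outbound(SAMPLE_MASS_MAIL)
    print(verdict)
    if not verdict["ok"]:
        print(move_to_bcc(SAMPLE_MASS_MAIL, "clinic@example.org"))
```

In a real client the verdict would drive a confirmation dialog rather than an automatic rewrite; the point of counting distinct addresses rather than header fields is that a single folded To: line can already hold hundreds of recipients.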
The saying goes: "There is no patch for human stupidity". But the issue is not stupidity, it is a lack of expertise. Both digital natives and the older generation (a.k.a. the digital immigrants) tend to be overwhelmed by the technologies available through their computers and mobile devices.
Users need to be educated and made aware of risks and threats. At the enterprise level the only possible "patch" for this issue is guidance through appropriate, complete and actionable policies and, building on them, constant and well-executed training. This is one of the essential responsibilities of a CISO. Educational programs for corporate users will likely be more successful if they cover both their daily business duties and their personal privacy and security. With the two constantly converging in a world of BYOD (Bring Your Own Device), this is of increasing importance anyway.
Education and awareness are equally important in personal and private life, but there won't be a regular training program there. So it is up to the individual, i.e. us. If you know better (and you do), first check your own behaviour and your own systems, and improve them to an adequate level. Then tell your friends and family and demonstrate it through your daily behaviour. Try to educate; they might listen. And if you are in the right position (and many of us are), try to influence your team, your colleagues, your organisation.
While we are at it: if you are a developer of operating systems, apps or websites, proper security and privacy guidance built into your code, true end-to-end encryption, the use of open and rock-solid standards, clever sandboxing and prompt security patches whenever they are required will become more and more important, and more widely recognised.
A good reputation in that respect might soon distinguish you from your competitors.
Matthias Reinwarth, Senior Analyst at KuppingerCole focusing on Identity and Access Management, governance and compliance.