The key to cyber-security for businesses today is end-user education – security technology by itself is not enough. That was the message delivered recently by three Cisco security experts in a rapid-fire hour presentation of highlights of the [2009 Annual Security Report] published earlier this month as a free PDF.
While not denigrating the present state of data security technology — the three speakers are after all involved with Cisco's own expanding security product suite — their clear message was that the focus of the international gangs that dominate online crime is conning end-users to invite them in past all the defenses IT can devise rather than trying to overpower those defenses. Indeed, while they did not say this, one reason the bad guys are taking this approach probably is the success of IT at multiple levels in closing the technology doors on malware. It is just much easier to con people online rather than to batter at the security walls.
In a world in which the Zeus exploit alone has stolen millions of dollars from banks, governments, and private companies in the last year, what that means, they emphasized throughout the presentation, is that educating your end-users is just as important as building a strong technical security architecture. The three presenters:
- Patrick Peterson, Cisco fellow and chief security researcher,
- Fred Kost, director, security solutions marketing, and,
- Scott Olechowski, security research manager,
showed they meant exactly that by the things they chose to highlight in their packed hour, using a combination of humor, sometimes shocking statistics, and case history.
The body of the presentation included the Cisco Cybercrime Showcase Awards, a takeoff on the Oscars including gold colored trophy cups. Unfortunately none of the winners turned up to accept their prizes, which while not unexpected was a little disappointing since the first two would have resulted in immediate criminal arrests.
The Most Audacious Criminal Operation award went to the Zeus exploit, which they estimated garnered tens of millions of dollars in 2009. While Zeus is a very sophisticated exploit and does have a technological component, it depends on a carefully developed variant on a common Internet e-mail con to capture its victims. The largest difference between it and more familiar Internet exploits is that while they are broadcast to large numbers of individuals in the hopes of finding a few victims, the Zeus gang carefully researches each of their potential victims and uses personal information to make their cons more believable. But at heart Zeus gains its initial access to a user's computer by tricking the user, in this case with an official-looking fake email from the IRS threatening action over underpaid taxes. Then it takes over the user's browser and asks for extra identification each time the user logs into a secure Web site. And finally, it turns the user's computer into a bot to transfer funds out of organizational or personal accounts.
The amazing thing about this exploit, say the Cisco experts, is that despite the publicity Zeus has gotten over the year, they have talked with bankers who simply do not believe they could be taken in by it, even though their computers are already infected with the Zeus malware. The coming year will certainly see a continuation of Zeus and most likely several “sons of Zeus” as other cyber-gangs imitate success.
They also awarded a “Most Notable Criminal Innovation” trophy to Koobface, a software package that automates the creation of exploits on popular social networking sites. The purpose of these is to gain control of legitimate user accounts. This is a risk to businesses that are increasingly using social networking systems such as LinkedIn, Facebook, and Twitter as safer channels than simple public e-mail for communicating with business partners and prospects and for recruitment and similar activities. These exploits run on the social networking system's environment and so completely bypass IT security defenses.
To hammer home the message, they awarded the Cybercrime Hero of the Year award to “Washington Post” Columnist Brian Krebs, who has worked continuously to educate readers to the latest Internet security cons in his “Security Fix” column.
Action Item: IT security specialists need to work with HR and other appropriate people within and without their organization to develop and execute a strong educational program reaching all end-users in their organization. This program needs to drive home the message that security is important and that users need to be alert constantly to the possibilities of online fraud and other dangers. Just a single effort is not enough; users need to be reminded constantly through multiple channels including presentations, individual consultations for key potential targets such as the CFO, poster or coffee cup campaigns and similar strategies. Users should be encouraged to report anything that seems even slightly suspicious either through the company IT help desk or through a special “red phone” hot line that IT sets up. It is particularly important to reach remote employees and part-time and freelance workers who operate completely over the Internet. And it is important also to reach all members of the IT staff with the message that nobody is immune to attack and that even the experts have been fooled.