
Let’s face it, users should never be the last line of defense in cybersecurity


steven36


It’s been obvious for a while now that the security industry is turning in circles. Users have walked a very insecure tightrope for decades, clicking on links, opening attachments, and downloading unchecked files without a safety net in place.


I always find it sad when organizations are surprised that the bad guys found a way to trick an employee into clicking something malicious even though that employee has successfully completed a security awareness seminar.


In a survey last year, my team and I found that 99 percent of CISOs see users as the last line of defense against the bad guys. My question is, “is this remotely fair to end users?” The fact is, no matter how much training is offered to organizations, there will always be someone who clicks on something bad and it just seems naïve to think that this will ever change.

One bad apple spoils the bunch

According to the SANS Institute, 75 percent of attacks on endpoints initially enter organizations via email attachments; and another 46 percent of attacks were executed by users clicking web links in emails. The common school of thought is that companies can educate and train employees to be aware of the risks and therefore the company will be protected against email-based attacks.


Many agree that this logic makes sense, but the fact still remains – it only takes one person to be tricked and trigger a breach. In a report from Verizon in 2017, they found that 30 percent of phishing messages get opened by targeted users, with 12 percent clicking on malicious items multiple times.


And success breeds sophistication with hackers unveiling a wide range of tactics to try and fool employees into making that single mistake – whether it’s through spear-phishing with a CEO’s email address, or leveraging infected USB drives, insecure hotspots, man-in-the-middle attacks, or polymorphic malware. The odds are undeniably stacked against the user.

Human behavior = Security vulnerabilities

So, let’s admit that the idea of making employees responsible for security simply isn’t practical. Even after all the training and education, human beings will make mistakes and expose the company to risk. Even the most security-conscious employees get tired, overworked, busy or distracted.


Employees across the business are being asked to assess risk vs reward every time they visit a webpage or open an email attachment – something they likely do dozens, if not hundreds, of times a day. In some cases, their behavior is just habit, and sometimes they decide the reward of that activity is more important than the risk.


To counter human behavior, many businesses are turning to technology to prohibit users, but this often causes more problems than it solves. For example, many companies restricted social media websites following the 2012 LinkedIn breach, as they see these sites as vulnerable points of entry for an attacker.


But, often these sites are a critical path for departments like marketing, sales, or HR, who are then unable to carry out essential tasks as a result of limited or zero access. Employees still need to do their jobs, and this puts them at odds with prohibitive security practices.

Click with confidence

Modern threats need modern solutions. Let’s stop putting the responsibility and blame on end users, who should never have had to shoulder the burden in the first place. Most of the IT security industry is focused on stopping the symptoms, rather than creating a cure.


Alternative approaches minimize cybersecurity risk more effectively and in a scalable manner, and they are far less restrictive on the business and its employees. In fact, a new approach to security can become a competitive advantage because your users can get back to work and stop being afraid.


Imagine, instead of wasting time trying to stop users clicking on potentially harmful links or trying to detect malware before it has a chance to launch, you let it execute. Here’s the catch: it’s executing in its own completely secure virtual environment. This ensures that each user task is contained within its own fully isolated and disposable virtual machine.


As a result, any malicious activities are trapped within that virtual machine, posing no risk to the rest of the machine or the network. If a user discovers a malicious email or document, they can simply close the window or browser tab, and the threat disappears forever.


The logic is simple: if a user is opening a downloaded document, working with an application or clicking on a web page because they need to get their work done, then why not isolate those high-risk activities in a completely isolated, controlled environment? This gives CISOs the ability to trust end users because the safety net they need is in place. They can click with confidence.

We’re only human

As the ‘80s band, Human League, sang, “we’re only human…born to make mistakes.” Cybersecurity obviously needs to improve, and there are smarter ways to deliver protection and take the human aspect out of the equation. I mean, seriously, enough is enough.


Application isolation offers a profound solution. Today’s patient-zero, detect-to-protect approach still allows for vulnerabilities. Just to be clear, cybercriminals still haven’t been locked out. They are still having tremendous success. As long as exploiting end users remains profitable, hackers will continue seeking to pound away at earnest employees, who are only human.


Today the hackers are winning, but it doesn’t have to be that way. While organizations waste time and money educating employees, trying to break habits that are based on human nature, the bad guys keep getting through. Businesses that are using application isolation are finding they no longer pin their hopes on solutions that work only after a breach has been detected.


This allows end users to click with confidence, restores productivity, and even allows for innovation, because end-user prohibition is no longer a security strategy. Instead, employees can focus on getting work done without worry.


Source


Any organization that still allows emails into the system with links or attachments deserves everything they get. Organizations with good security started stripping these items from emails over 10 years ago. In some cases emails are even removed from the system and a system email sent to the user that gives the name of the sender, subject, and a notice that if the recipient believes it is a valid email they are to contact a system administrator. The system administrator can make the email readable on a special system they use for just that purpose so the recipient can go to the IT office and read it.

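One way to implement the stripping and notification policy the comment above describes, as an added example that is not code from this forum or from any mail product. It uses only the Python standard library; the sample message, the addresses in it and the notice wording are constructed for the example.

```python
"""Added example (not the forum's or any vendor's code): an inbound-mail
policy of the kind the comment above describes: attachments are stripped and
replaced with a notice naming sender and subject, and URLs in the body are
defanged so the mail client no longer renders them as clickable links.
The sample message and every address in it are constructed."""
from __future__ import annotations
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def defang(text: str) -> str:
    """Rewrite http://a.b/c as hxxp://a[.]b/c so it is no longer a live link."""
    return URL_RE.sub(lambda m: m.group(0).replace("http", "hxxp", 1).replace(".", "[.]"), text)


def sanitize(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Return a sanitized copy of the message and the attachment names dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = [p.get_filename() or "(unnamed)" for p in msg.walk()
                if p.get_content_disposition() == "attachment" or p.get_filename()]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    out = EmailMessage()
    for h in ("From", "To", "Subject"):  # keep routing headers, drop everything else
        if msg[h] is not None:
            out[h] = str(msg[h])
    notice = ""
    if stripped:
        notice = (f"\n\n[Mail gateway] Removed attachment(s): {', '.join(stripped)}\n"
                  f"Sender: {msg['From']}; Subject: {msg['Subject']}\n"
                  "If you believe this mail is legitimate, contact a system administrator.")
    out.set_content(defang(text) + notice)
    return out, stripped


# Constructed sample: a fake invoice carrying a link and an executable attachment.
SAMPLE = (b"From: accounts@example.test\r\nTo: bob@corp.test\r\nSubject: Invoice\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=XX\r\n\r\n"
          b"--XX\r\nContent-Type: text/plain\r\n\r\nSee http://pay.example.test/inv\r\n"
          b"--XX\r\nContent-Type: application/octet-stream\r\n"
          b'Content-Disposition: attachment; filename="invoice.exe"\r\n\r\nMZ...\r\n--XX--\r\n')

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE)
    print(cleaned.as_string(), "\nstripped:", dropped)
```

The original message would be held in quarantine by the gateway, which is the "special system" the comment mentions; this block only produces the sanitized copy and the list of what was removed.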


21 minutes ago, straycat19 said:

Any organization that still allows emails into the system with links or attachments deserves everything they get. Organizations with good security started stripping these items from emails over 10 years ago. In some cases emails are even removed from the system and a system email sent to the user that gives the name of the sender, subject, and a notice that if the recipient believes it is a valid email they are to contact a system administrator. The system administrator can make the email readable on a special system they use for just that purpose so the recipient can go to the IT office and read it.

Some people's jobs are checking emails. Sometimes I think you're just a nutbag; you act like what you do, or make like you do, even reflects on what anyone else does when it doesn't. While some things you say may or may not be a good idea, the fact remains 99% of the masses don't do it, or it would not be in the news every single day that another security breach has happened to some big business. You live in your own little world, it seems, that no one else lives in? It even happens to the Government of the USA; they have the NSA and the DOJ to protect them, which just makes me think you're a nutbag. You act like you know more than anybody or anything.


I don't do a lot of things other people do, but I don't expect the masses not to do them, because they always will, and that's reality.



23 minutes ago, dMog said:

bottom line.... users fail to understand THEY  are the first line of defense.....

I know people who have been on the internet longer than me and they are always catching something. It's time to come up with a cure instead of selling snake oil products and ideas. Removing emails from employees is not a cure. If everywhere did that, there would not even be any email companies. People would still only use the ones that come with their internet at home. The reason people use email companies is so they can check them wherever they go; people even work at home, when they're in their car, or when they go out of town. There is no way nowadays you can run a company without emails in the office.


People of a non-technical nature will never become technical enough to understand. Go read Bleeping Computer's ransomware help community and see for yourself. Companies fail to understand that people are only human and will always make mistakes. And anyone who says they never messed up at work doing something is a liar.



True enough... but also... how many times do the same three people click on a dodgy link from someone they do know and infect a nationwide email for their company... or just their own personal email and infect their computer... some of this is far from rocket science...



4 hours ago, dMog said:

True enough... but also... how many times do the same three people click on a dodgy link from someone they do know and infect a nationwide email for their company... or just their own personal email and infect their computer... some of this is far from rocket science...

It happens a lot, just like when banned members come back on this site with other names, who got banned for using other names, trolling posts with thank-yous. I guess people are just blind, but I'm not stupid; I don't talk to them, and they cheerlead whoever I'm talking to. :coolwink:


