Security education and social responsibility

There is a scam that has dwelt amongst us for many years and 2016 marked the second decade of its spread via email. Millions upon millions of online users have encountered it, but despite many being able to recognize it, the reality is that there are still people who are deceived by it. For some it’s down to naivety and ignorance; for others simple curiosity. In the end, they all end up as victims.

In case it’s not clear what I’m referring to, it is the infamous “Nigerian scam” or “419 scam”. This type of fraud can be traced back to the aftermath of the French Revolution and probably goes back even earlier than that, with anonymous letters being sent through the post with vivid descriptions of lucrative treasure on offer for nothing in return.

However, this century-old scam, far from disappearing, has only gained strength with the advance of technology and, over time, has spawned many variants which eventually migrated to email. Scams that offer something for nothing, but turn out to require some form of advance payment – in return for empty promises of a reward – are often referred to as Advance Fee Fraud.

Still, after so many years, we still see messages on social networks and websites with the same type of ploy: “You are visitor number 1,000,000!”; “You won the lottery!”; “You have been selected for a dream holiday trip!”, etc. These are just a few examples of the fraudulent rewards wafted under people’s noses.

“PEOPLE STILL REMAIN VULNERABLE TO PSYCHOLOGICAL MANIPULATION AND SOCIAL ENGINEERING.”

As computer threats have continuously evolved to reach the level of sophistication we see nowadays – targeted attacks, cyberwarfare and APTs – it’s unclear why these types of scams have remained so successful. The simple answer is that people still remain vulnerable to psychological manipulation and social engineering.

The simple answer is that people still remain vulnerable to psychological manipulation and social engineering.

Just five years ago, in our Trends for 2012 report, we talked about the growing trend of malware in mobile devices, spearheaded by threats such as botnets. In more recent years, these risks have continued to spread. We are seeing increases in cyber espionage, targeted attacks and privacy threats.

Previous concerns about the vulnerability of many poorly-secured IoT devices have been realized with them falling victim to attacks. Furthermore, we believe that throughout this year, the number of annual victims of ransomware will continue to rise.

All of these types of threats, which have developed over time, have one thing in common: the point of entry is often the user. Attackers continue to entice victims with deceptive emails and messages on social media, encouraging naïve – and in many cases, irresponsible (albeit unknowingly) – behavior. These threats, including booby-trapped USB devices left in car parks, are all designed to trick victims into compromising the safety of their own systems.

Unfortunately, this reality is set to continue throughout the rest of 2017 and beyond, and attackers will continue to take advantage of it. Despite the potential vulnerabilities in hardware and software that could allow an attacker to take control of a system, the simplest way for cyberattackers to do this is by tricking users.

“WE ARE SEEING INCREASES IN CYBERESPIONAGE, TARGETED ATTACKS AND PRIVACY THREATS.”

Why invest hours in exposing a flaw in a device when a simple email can provide the same type of access to such systems? Similarly, why would thieves make the effort to dig a tunnel to break into a house when they could just ring the doorbell?

Cybercrime: Ruthless and efficient

It seems likely that for the remainder of 2017, we will see different types of malicious code continue to emerge; that ransomware will continue its infamous reign as the fastest growing threat, and that more IoT devices will be targeted for a broader range of cybercriminal activity. Cybercriminals are becoming increasingly ruthless, to the point that even industries such as healthcare are being attacked, and infrastructural components such as ATMs (cash dispensers) are continually targeted by attackers.

Furthermore, in 2016 it became clear that modern cybercriminals come armed not only with different types of malicious software and social engineering techniques, but also with “business plans” for extortion and extracting some sort of payment from their victims.

“CYBERCRIMINALS ARE BECOMING INCREASINGLY RUTHLESS, TO THE POINT THAT EVEN INDUSTRIES SUCH AS HEALTHCARE ARE BEING ATTACKED.”

We have reached the point at which we need to stop talking about security risks in generic terms. It is critical that users, whether corporate or individual, are aware of the types of attacks that can affect them. From email fraud to information theft, all threats must be taken seriously, and it is important to take the necessary measures both in terms of technology and raising awareness, in order to avoid them.

Good education is not age-dependent

Two types of players inhabit the digital world and they can be described as “digital natives” and “digital immigrants”. The former have incorporated the use of technology into most aspects of their lives from an early age. The latter, on the other hand, use technology to carry out many of their daily activities despite having had to adapt and make adjustments in order to do so.

One would hope that the digital natives would be less susceptible to these types of scams. However, last year a study by the BBB Institute showed that young people between age 25 and 34 are more susceptible to scams, whereas other studies show that it’s the youngest users who exhibit the riskiest behavior when it comes to surfing the internet. They might connect to poorly secured Wi-Fi networks, plug in USB devices given to them by others without taking elementary precautions, and make little use of security solutions.

“FROM EMAIL FRAUD TO INFORMATION THEFT, ALL THREATS MUST BE TAKEN SERIOUSLY.”

On the other hand, while digital immigrants can often be more cautious when it comes to using technology, we find that they too can often be the victims of attacks or engage in unsafe behavior. Generally, this is due to a lack of knowledge of the security characteristics of devices, or a lack of information regarding the scope of computer threats and the care that they should take to help avoid them.

In short, when it comes to protection, age does not matter. The need for all users to be aware of the many threats, the ways in which they operate, and the best options for protecting their devices, are all issues on which users should be focused in order to stay safe.

The current paradox: The more we know, the less safe we feel

There is no doubt that today, almost four years after the Snowden revelations, people continue to feel their personal data is increasingly at risk. The paradox is that in reality, there is more information about what is happening with their data than ever before.

“A CHALLENGE WE FACE IS THE NEED TO EDUCATE OURSELVES ABOUT ONLINE PROTECTION.”

The feeling of being monitored is a big concern for many users and recognition of the reality of global surveillance is one of the most important lessons to be learned from the Snowden revelations. If someone is authorized to act covertly and is given a large enough budget, it cannot be assumed – regardless of their personality – that they will do so properly, ethically and without negative repercussions.

Having said that, neither should we give way to out-and-out paranoia or stop connecting to the internet altogether. An important challenge we face is the need to educate ourselves about online protection, what types of information to publish, and which measures will ensure that information remains safe and private.

Small changes can make a big difference

At ESET we firmly believe that security is not only a matter of technological solutions, but we also need to help each other when it comes to protection. While ongoing efforts to build awareness around computer security exist in many areas of our modern lives, many computer users still do not have sufficient training on this topic. In addition, while many recognize the threats to their computers, they do not have the same awareness when it comes to their mobile devices and even less with regard to their IoT devices.

In 2013, it was estimated that the ratio between the number of mobile devices with a security solution installed and the number of global connections from mobile devices was 4.8%, and by 2018 it is estimated that this ratio could reach 15%. Although this represents a tripling in five years, it means fewer than one in six smartphones and tablets is running security software.

“IT IS VITAL TO BE AWARE OF SECURITY AT ALL TIMES FROM PERSONAL DEVICES WITH A WI-FI CONNECTION, TO CRITICAL INFRASTRUCTURE.”

In the coming years, we will see threats continue to spread to all types of devices that are connected to the internet, and which handle sensitive data. Therefore, it is vital to be aware of security at all times and in all contexts, from personal devices with a Wi-Fi connection to critical infrastructure that is connected and remotely controlled via the internet.

Technology’s rapid advance equips cybercriminals with increasing number of tools they can use for cyberattacks, and this won’t stop if users are not educated about them. We cannot allow its increasing sophistication to enable it to turn against us.

password

Going forward, means of protection must keep pace with the realities of cybercrime. This is why education is vital. If users come to recognize that using passwords as the sole means of online access presents a security risk to their personal data, then they can also recognize that using two-factor authentication, which adds a significant extra layer of security, will tilt the odds back in their favor.

The challenge, in addition to enabling them to recognize the threats, is to arm them with security tools that help them keep their information safe and secure. In the absence of such tools, the continued growth of threats and attacks is all but guaranteed.

Likewise, the best way to guarantee the confidentiality of information is to make use of encryption technologies for all forms of communication. As for ransomware, the best way to protect yourself from permanent loss of personal information is ensuring proper – including offline – backups are in place for the most sensitive or important data.

However, the adoption of these technologies starts by acknowledging the threats, which can only happen if there is a base of users who are educated and able to determine what they should be protecting themselves from, and thus the best way to protect themselves.

Education makes a big difference

For all of us working in the world of information security, no maxim has proven truer than that which says the weakest link in the chain is the end user.

“THE FOCUS OF THE IMMEDIATE FUTURE SHOULD BE ON BUILDING AWARENESS AMONG USERS OF BASIC INTERNET SECURITY MEASURES.”

We have been warned since at least 2015 that there is an increasing volume of information available to defend ourselves, but the number of people who are skilled enough to perform the tasks necessary for that defense is dangerously low.

We must, therefore, see education as the fundamental factor that makes the difference. Given that training new professionals to work in information security will not happen immediately, the focus of the immediate future should be on building awareness among users of basic internet security measures.

So, the big challenge for those of us who are responsible for security is to turn ourselves into the first line of defense of information.

Educating users about current threats and how they spread can make all the difference in reducing the impact of cybercrime in the future. We should not forget that security is the responsibility of everyone and not exclusive to those of us working in IT.

These days, information is equally critical whether handled by a reporter or by an executive; and even more sensitive for healthcare professionals and the medical records they handle on a daily basis. Active participation by governments and companies to protect this information is necessary.

We have reached a point where education on security issues must be handled in a formal manner, and companies should not simply relegate these issues to be covered as a one-off when inducting new employees. It must be a continuous and ongoing effort. End users must feel they are a part of the entire security chain and must understand firstly that that these threats do exist, and secondly, that the necessary mechanisms to use technology securely also exist.

This article is an adapted version of the corresponding section from ESET’s 2017 trends paper, Security Held Ransom.

by Camilo Gutiérrez Amaya, ESET We Live Security


One thought on “Security education and social responsibility

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s