Only two weeks ago I wrote on cyber protection from human curiosity (or naïveté), see link. Since then we have had a security breach at authorisation token vendor RSA and the breach at mass-mailer Epsilon. The first was not a “sophisticated” attack, as was published, but an employee clicking on an Excel attachment in an e-mail sent to employees of RSA under a title like “reorganisation information”. One click was enough to download malicious code into the systems of RSA and expose all its security measures, to…? Yes, to whom? We do not know, nor what this person or persons will do with the acquired knowledge. The second apparently was a case of unsophisticated levels of security, despite warnings to that effect, leaving millions of people’s e-mail addresses, bank and other data in the open. The first phishing attack has already been reported.
I dare to conclude here that, now that spam filters are becoming more sophisticated, criminals exploit the next available vulnerability.
Heightened awareness, more publicity
The fact is that, of late, security breaches have caught the interest of governments, with the press not staying behind. Is this because governments are showing heightened activity, such as national cyber security programmes? (Let’s leave the argument whether national security and cyber security are two combinable concepts lie for now.) Or are more people simply becoming aware of the vulnerabilities that they are confronted with and starting to report on them? Or is it that we started using an open, generative system that was never meant to bank on, to run critical infrastructure on, to do maintenance from home on, etc., and are finally owning up to the consequences of this choice?
But are we really? Where is the man in the street in this picture? Is he overly concerned about what is happening on the Internet? It does not look like it. At least, I don’t see long queues at the last bank office in town with people demanding that desks reopen so they can get their money the way we used to up till the late eighties. So how come trust in the Internet should go down, but actually isn’t? Sorry, I’m not going to answer that, but apparently most people are, or feel, safe and not under threat.
The human factor
Still, no matter how much money governments, industry and end users pay for security (if security is possible at all on the Internet as it is), it is the human factor that really constitutes the greatest risk. Yesterday one of my girlfriend’s sons was watching a YouTube clip with a bunch of friends. Yes, it was extremely funny. “Don’t click here”, a flashy button said in the top left corner the whole time the clip played. The first thing he said after the clip finished was: “I’m going to click here”, and in the blink of an eye he was at a subscription site of something or other. Luckily he was wise enough not to proceed. The employee of RSA however was not. (S)he jeopardized the whole reputation of this firm with one mouse click. And if someone working there does not have the sense to check what he or she is clicking on, how can my girlfriend’s son?
Imagining the un-understandable
Perhaps the biggest problem is that people cannot imagine that something which brings them pleasure, ease of use and leisure is also the biggest threat to their online and economic safety. That the Internet poses dangers that we cannot see, sense, feel or hear, but which are very real nonetheless. Making people aware of this is one of the major challenges the world faces. The government campaigns do not seem to do the trick efficiently. People do not seem to care overly either. Is a feeling of an online, Internet-based community responsibility possible? And where to start? It may be with targeted training for people working in the most vulnerable places, trickling down from there. A choice must be faced too. Do you go for rules and regulation, or do you want to educate people to a level of awareness that raises an online self-regulatory constraint in them?
How long do you want to wait with acting before you find out the hard way?
Here’s another link on the topic.
Wout de Natris, De Natris Consult
Haarlem, 10 April 2011