Complacency: the 8th Deadly Sin of IT Security (Part 1)

Published on 4 Sept. 2013 / Last Updated on 7 Oct. 2013

In this article, I'm going to talk about how complacency manifests itself in IT security, discuss some examples of threats that IT pros overlook or downplay, and offer some advice on how to walk the fine line between complacency and paranoia.

Introduction

Many of my readers know that, prior to a career change to IT fifteen years ago, I was a police officer and police academy instructor/trainer. In that past life, one of the most important courses I taught to new recruits was officer safety. For rookie cops, inexperience and lack of knowledge are the biggest obstacles to staying safe on the streets. But I also warned them that as they matured in the job, complacency would become the biggest personal threat to their safety.

Over the years, I’ve found that many of the same broad concepts I learned and later taught in law enforcement also apply to IT security. Only the details are different. Seasoned IT pros, like “old timers” on the police force, make mistakes because they’re too experienced; they’ve seen and done too much, and that causes them to take a lot for granted. Familiarity breeds not contempt but comfort. Because you’ve seen a particular threat many times, and handled it without a problem, you think it’s no longer a threat – or you forget that it’s a big threat to other, less experienced people.

In police work, complacency can get you killed. In IT security, the consequences aren’t quite that drastic, but it can cost your company money and can even be deadly to your career.

Gone phishing

The idea for this article started to take shape as I noticed that I’ve been receiving a large number of spam email messages recently of the “phishing” variety. Something would appear in my mailbox that looked a lot like my regular Verizon statement or a Facebook notification or a payment confirmation from NewEgg or Amazon. Sometimes it was a perfect emulation but most of the time there was something just a little “off” that tipped me to the fact that it was a fake.

I don’t worry too much about these because I follow best “online officer safety” practices. That is, if I get a Verizon statement via email and want to look at it, I open my browser and go to the Verizon site by typing in the URL I know to be correct, or using the shortcut to that site that I previously created. What I don’t do is click the link in an email message.

Now, if I get an email message saying that the balance due on my Verizon account this month is $2626.97, as I did a couple of weeks ago (see Figure 1), I know something is up. And a quick hover over the link, supposedly to the Verizon site, confirms that. It links not to verizonwireless.com but to an IP address that, with a little web research, shows to be the same one used for a malicious LinkedIn invitation.

Figure 1

You’ll note that Outlook recognized this particular email as a potential phishing message. It doesn’t always, though. Another that I received around the same time posed as a reservation confirmation from American Airlines. Now it happens that I do use AA and had made reservations recently, but not from Columbia to DFW, and not for someone named Elena Tkachuk, as the message in Figure 2 indicates.

Once again, all it takes is hovering over the link to determine that this isn’t a legit AA message, since the URL the link goes to doesn’t match the URL in the text to which it’s linked.

Figure 2

The fact that it was sent to shinder@tacteam.net, an email address that I never use for making airline reservations, was also a red flag before I ever checked out the link.

Of course, we know that some phishers are a little more sophisticated than this. They’ll put the real domain of the company they’re impersonating into their phishing message, as with this $3659 “invoice” I got from LexisNexis (a service that I haven’t, in fact, used since the 1990s). They do have an office in Philadelphia, although this P.O. box isn’t one of the addresses listed on their web site. It might be the real mailing address, though, since this message isn’t depending on anyone clicking the links; it delivers its malicious payload by getting you to open the .zip file that’s attached.

Figure 3

Of course, I have no intention of doing that. If I did have an account with LexisNexis now, I’d check my account status by going to their web site directly. However, since some companies really do send invoices as email attachments, I can see how this one might fool some people – except that this phisher messed up by sending the message to a whole slew of email addresses in the shinder.net domain, most of which don’t exist, and not even bothering to obscure the cc: list, as you can see at the top of the message. As we used to say in law enforcement, “criminals don’t become criminals because they’re smart” and that often (but not always) goes for online criminals, too.

Okay, so I get a lot of this phishing spam. No big deal. You probably get things like this all the time, too, and never get taken in by them. But what we have a tendency to forget is that just because we know 1) how to recognize a potential phishing message and 2) not to click on email links and attachments even when the message does appear to be real, that doesn’t apply to most of the computer users we support.
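The "hover over the link" check described above (a link whose text names one site but whose target is a bare IP address or a different host) can be automated on the mail-filtering side. The following is an added example, not code from the original article; the HTML body is a constructed sample modelled on the Verizon and American Airlines messages, and the `203.0.113.45` address and `example-tickets.net` host are placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: link text claims verizonwireless.com / aa.com, hrefs go elsewhere.
SAMPLE_HTML = """
<p>Your bill of $2626.97 is ready.</p>
<a href="http://203.0.113.45/bill/view">www.verizonwireless.com/myverizon</a>
<a href="http://aa.com.example-tickets.net/confirm">https://www.aa.com/reservations</a>
<a href="https://www.aa.com/homePage.do">Visit AA</a>
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOKS_LIKE_DOMAIN = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")

def host_of(url):
    """Lower-cased host of a URL; a scheme is prepended when the text has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def same_org(host_a, host_b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return host_a == host_b or host_a.endswith("." + host_b) or host_b.endswith("." + host_a)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, text, reason) for each link a manual hover check would flag."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        if not target:
            continue  # mailto:, anchors, etc. have no host to compare
        if IPV4.match(target):
            flagged.append((href, text, "target is a bare IP address"))
        elif LOOKS_LIKE_DOMAIN.search(text) and not same_org(target, host_of(text)):
            flagged.append((href, text, "link text names a different host than the target"))
    return flagged
```

Only links whose visible text itself looks like a URL or domain are compared; plain "click here" text cannot be checked this way and needs a separate policy.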

The “ID-ten-T” factor

We all know the old joke: 90 percent of computer problems are caused by “ID-ten-T errors” (ID10T). IT pros are quick to make fun of the lack of technical skills and naivety of users, but at the same time we often act as if we expect them to follow the same best practices we do and are surprised when they don’t. Training is important, but we can’t just assume that because the company has provided security awareness training, that means we don’t have to worry about users doing the very things that the training warns them about. It’s not that our users are malevolent; it’s that technology and security are not their primary skill sets. They forget. They get busy and pressed for time. They do things the “easy” way, and it’s easier to click a link in email than to type in a URL yourself.

Impact of mobile technology

It’s also important to remember that while mobile technology has made it more convenient for our users to get their work done, and has made it more convenient for us to manage the network remotely, it has also increased the exposure to security threats in several important ways. We’re dealing with a plethora of different device types, operating systems and applications, with new ones coming out on what seems like a daily basis.

Even the ergonomics of mobile devices can impact security. Going back to those phishing messages we discussed earlier, mobile users are more likely to be handling their mail while involved in something else, or “in between” other activities (such as while standing in the checkout line in a store, waiting to be seated at a restaurant, or even while driving). This means they’re in more of a hurry and that makes it less likely they’ll spot potential threats. Even if their attention isn’t divided, people who are reading email on a tiny screen are less likely to spot the signals that indicate fake messages. Tiny virtual keyboards are difficult to type on, making it more tempting to just click that link in the message rather than typing the URL in yourself.

Mobile devices are also more likely to be connected to wi-fi networks, and despite what they’ve been told, users may sometimes connect to networks that aren’t secure. That puts the device at risk for malware infestations and attacks, and if you’ve become complacent and haven’t taken the proper steps to manage those mobile devices, it also puts your corporate network at risk the next time that device connects to it.

Impact of BYOD

We have to change our mindsets from the days when mobile devices were issued by, belonged to and were completely controlled by the IT department. We also need to realize that the Bring Your Own Device trend has subtly changed the dynamics of the IT-user relationship and this has impacted security. When employees are paying for their own laptops, tablets and smart phones, they believe they have more “rights” to do what they want with them, and thus are more likely to engage in risky behavior (downloading and installing more programs, visiting more non-work-related web sites, not always following the same rules that they follow when using company-owned computers).

BYOD saves the company money, but there’s a tradeoff. The device is no longer dedicated to business use only. You can’t realistically prohibit personal use, such as accessing personal email accounts or social networks or non-business web sites. That introduces new threat vectors. For example, a user who’s used to getting Facebook notifications might not think twice before clicking the link in the email shown below – which would take him not to Facebook but to a Russian web site.

Figure 4

Even an experienced user who generally follows good security practices can be taken in by this one, because the user has received so many email notifications from Facebook in the past. IT people aren’t the only ones who grow complacent.

Summary

Even with aggressive security awareness training, can we expect users to become as diligent as we are in ferreting out phishing attempts? Probably not. That means it’s up to us to protect our networks – and those users – from the consequences of their actions. But unrealistic expectations about our users is only one of the ways in which IT professionals become complacent. In Part 2, we’ll talk about other manifestations of complacency that you might recognize in your fellow admins or even in yourself. Then in Part 3, we’ll wrap it up with guidelines on how to take a balanced approach to counteract complacency, without going so far in the other direction that you create an untenable workload for yourself and stifle the ability of users to get their work done.
