The Uphill Struggle To Security Awareness

john pescatore sans institute security

Things have changed in the last ten years, says the SANS Institute’s John Pescatore, but users still need careful watching

Both cyber-security awareness and the security threat landscape itself have changed over the past decade, but some of the basics about how individuals and enterprises can stay secure have not. October 2013 marks the 10th annual National Cyber Security Awareness Month in the US, which is all about helping educate users and enterprises on how best to secure themselves against online threats.

John Pescatore, director of the SANS Institute, a research and education organisation, has seen security threats come and go across his 30 year career in the IT security market, which includes time spent as a Gartner analyst. The simple reality of cyber-security in 2013 is that software continues to have lots of vulnerabilities, and people continue to have lots of vulnerabilities, Pescatore told eWEEK.

Changing behaviour

“Each year, we try and change some behavior on the user side, and each year attacks are becoming much more targeted and clever,” Pescatore said.

While vulnerabilities persist, there are a number of key areas for cyber-security awareness on which Pescatore wants to shed light.

The rise in the use of social media in recent years has made it a fertile ground for attackers to farm for data that can lead to effective social engineering attacks. In a social engineering attack, the attacker uses information that appears to be legitimate in a bid to deceive the user into giving up a piece of information or clicking on a malicious link. Pescatore advises that users need to be conscious and aware of the information they give out on Twitter and Facebook as it could be used for malicious intents.

Stealing passwords is also becoming increasingly common, but there is a defense for that, too. As a best practice, Pescatore recommends that users make full use of two-factor authentication systems to protect themselves. With two-factor authentication, instead of just having a single username/password combination, a second password that is randomly generated is required for access. Twitter, Google, LinkedIn, PayPal and Facebook are among the many online services that offer two-factor authentication options for users.

Malicious links

Ten years ago, IT security professionals warned users not to click on suspicious links. It’s a warning that is still unheeded by many, which begs the question—can IT security vendors protect users against malicious links?

Operating systems on the mobile devices that people use every day in 2013 are in fact doing a reasonable job of protecting users against malicious links, Pescatore said. “It really just is mostly still Microsoft Windows where we have this problem,” he added.

On Windows, the user expectation has long been that when you click on something, it is automatically executed, which is not how most mobile operating systems now work, Pescatore explained.

“For people reading their email on an iPhone/iPad, they’re actually pretty safe,” he said.

Software engineering is an oxymoron

Another sad truth about the state of IT security in 2013 is that many of the same classes of flaws that existed in 2003 are still popular and are regularly exploited. The root cause of that might well have to do with flaws in how software is developed.

“Software engineering is an oxymoron,” Pescatore said. “Software development is not an engineering discipline.”

In contrast to a traditional engineering discipline—where, for example, a precise calculation can be made to determine the load a bridge can handle—Pescatore said the same precision for security doesn’t exist in software development. The issue today is not about being able to entirely eliminate classes of software vulnerabilities; rather, it’s about being able to shield people from flaws effectively, he added.

One of the effective shield approaches that Pescatore advocates is the use of Web Application Firewall (WAF) technology. With a WAF, rules can be written that prevent Web application exploitation. There are also cloud-based services, including ones from Akamai, Incapsula and CloudFlare, among others that provide WAF as a service.

When it comes to deciding where to invest resources to build security awareness, Pescatore has a very specific ratio.

“If you have a dollar to spend on awareness training, spend 90 cents of it training your system administrators to set up systems correctly,” Pescatore said. “Then, with the remaining 10 cents from the dollar, figure out what you can do for the end user.”

Warnings are not enough

System administrators are high-value targets and are the gatekeepers of enterprise IT, Pescatore said, adding that when it comes to the end users, transferring responsibility to the user by some form of security awareness isn’t going to solve the problem.

“We have had awareness programs about viruses for 25 years now, what magically now will cause someone to change their behavior?” Pescatore said. “Safety programs can never just rely on warning the user, they have to put protections in place.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.