By David Harley
Journalist Kevin Townsend asked me a few months ago
for commentary on phishing, for an article he was researching. He said:
Phishing really comes down to 2 basic questions:
1. Can technology ever solve the problem & what are the best approaches?
2. Can awareness training ever solve the problem? How?
If the answer is ‘no’ to both, then should we concentrate on accepting that it will succeed, and concentrate on discovering and mitigating the effects of a successful phish?
The question is this: are phishing and other
manifestations of cybercrime purely technological problems? Even if this were
the case, does it follow that they could therefore be solved by technology
alone?
To some extent, the security software industry
relies on the idea that there is always a technological answer to a tech
problem (as, indeed, it has persuaded many of its customers to expect), but
‘always’ is a big word.
In general, when we address an attack vector
technologically, the bad guys start working on finding ways round the
roadblock. That doesn’t mean we shouldn’t look for technical solutions, but it
does mean that we can’t usually find a once-and-for-all-time fix. Sometimes we
eventually abandon an approach altogether; more often we keep recalibrating as
the nature of the threats changes.
It may be broke, but can you fix it?
There’s more to surviving in a threat and
counter-threat ecology than technological thrust and parry, though. To expect
the security industry to fix everything is about as realistic as expecting
medical technology to eradicate disease, or forensic technology to eradicate
crime in the physical world. The online world doesn’t have a single choke point
where a single security solution can be applied and everyone will be protected,
even if such a solution existed.
Perhaps we need a better word than solution: something that sounds less like ‘this is the glorious victory at the end of the war’ and more like ‘this might win us this skirmish.’ To quote myself (in an article for Heimdal Security to which I contributed):
The security industry is pretty good at providing a
wide range of partial solutions to a wide range of technological attacks, but
technology continuously evolves on both sides of the white-hat/black-hat
divide, so – marketing claims notwithstanding – there is never 100 percent
security across the board. Least of all from a single product. In most cases,
organizations and individuals choose what defensive measures they take, and
indeed whether to protect themselves at all.
Unfortunately, those choices will not always be the
choices that security experts would consider to be the best.
Technology versus people
Phishing isn’t (just) a technical problem,
and nor is cybercrime in general. (I’ll mostly be speaking about generic
cybercrime in this article rather than just phishing.) In fact, cybercrime,
like its pre-digital sibling, is primarily a social problem, or rather a
cluster of interconnecting social problems:
· Criminal behaviour (online or offline), and the economic, educational and psychological factors behind it. To quote myself further: “Society can actually cause deviant behaviour where the individual must subscribe to more than one code, yet elements of one code are incompatible with another, leading to an uncomfortable state of cognitive dissonance, which might lead to ‘irrational or maladaptive behaviour’. In other cases, perhaps it’s just that in an era where fake news dressed up as satire is the common currency of the social media, the evolution of technology has far outstripped the average person’s ability to apply the common precepts of everyday socialization to the online world.”
· Victim behaviour, and similar underlying factors. By which I don’t just mean victims recklessly failing to take reasonable precautions, but banks and other institutions contributing to the problem by failing to meet a sufficient standard of security when communicating legitimately with customers. Every time a bank sends out an email addressed to ‘Dear valued customer’ or including a multiply-redirected ‘click here’ link, they make it harder for potential victims to distinguish between phishing mails and legitimate mails. If they don’t even know your name, how can you be sure that it’s really your bank mailing you? If you can’t tell where a link is pointing to, or if it goes to a site whose name appears unconnected with the bank, how on earth do you know it’s safe?
· Legislation and law enforcement issues. Even where there is appropriate legislation, the will and the resources aren’t there to enforce it in a better-than-piecemeal fashion.
Awareness, training, education
So can awareness training/education ever solve the
problem? Well, we’ll probably never know for sure. Many times over the years,
I’ve said something like ‘we don’t know whether user education works because
no-one’s ever done it yet.’ That’s a rather glib and simplistic way of putting
it, to be honest, though it will do as a response to the equally glib assertion
that ‘if user education was going to work, it would have worked by now’. A
great deal of work has been done in raising the general level of security
awareness and self-protection through some form of education, and I like to
think I’ve made some contribution myself, as in this paper by Sebastian Bortnik
and myself from 2014: Lemming Aid and Kool Aid: Helping the Community to help itself through
Education. In that paper we asked:
How can we strike a balance when it comes to
teaching of computer hygiene in an increasingly complex threatscape to
audiences with very mixed experience and technical knowledge? Can user-friendly
approaches to security be integrated into a formal, even national defensive
framework?
And we made some suggestions as to how that could
be done.
Education, Education, Education
Since I first drifted into the security field, I’ve
generally seen myself as more of an educator (by intent, anyway) than a
researcher. I realized long ago that there are hordes of people who are much
better than I am at disassembling malware and writing code to detect malicious
activity. I consider it a privilege to be able to work with some of those
people (not only at ESET, but in the security industry as a whole), and I’m
honoured that they put up with me to the extent of reading my blogs and
listening to my presentations.
So while I couldn’t do my job if I didn’t have a
reasonable grasp of malicious technology and the technologies that we have
evolved to address them, my interest and abilities lie less in bits and bytes
than in the psychosocial aspects of criminology and victimology. After all, my
academic background is in social sciences as well as computer science, which is
perhaps why I sometimes see things a little differently to my more technically
gifted peers in the security industry, and have more faith that people who are
not particularly IT-knowledgeable can, to some extent, be educated into being
less vulnerable, certainly to attacks that are at least partially psychological
rather than purely technological. I’m afraid I’m going to quote myself again.
Very, very often… a threat is less dependent on the
effectiveness of its technology than it is on how effectively it manipulates
the psychology of the victim.
Psychological manipulation of the intended victim
is a core component of what we often call social engineering. Susceptibility
to social engineering can sometimes be reduced by technical measures –
the textual analysis of email messages with the aim of detecting text that is
characteristic of a certain type of criminally-motivated communication, for example.
However, educationalists favour a complementary, longer-term approach that
involves making individuals more difficult to manipulate.
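To make the two points above concrete (the bank that sends ‘Dear valued customer’ mails with multiply-redirected ‘click here’ links, and textual analysis of messages as a partial technical measure), here is an added example that is not code from the original article. It scores an e-mail on a handful of illustrative indicators: generic salutation, urgency phrasing, a link whose visible text names a different domain from its href, a redirector link that carries another URL in a query parameter, and a plain-http link. The two sample messages are constructed for this example and use reserved example.* domains; the registrable-domain helper is a two-label approximation and is an assumption rather than a real public-suffix lookup.

```python
"""Heuristic phishing indicators over e-mail content (illustrative example)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

GENERIC_SALUTATIONS = ("dear valued customer", "dear customer", "dear user",
                       "dear account holder")
URGENCY_CUES = ("suspended", "within 24 hours", "immediately")
# Visible link text that names a host, e.g. "www.example.com" or "https://example.com/x"
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Assumption for this example only: real
    code should use the public suffix list (otherwise hosts under e.g. co.uk
    are grouped wrongly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(href, text, sender_domain):
    """Indicator strings raised by one link, given the sender's registrable domain."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    shown = HOST_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    # A query parameter whose value is itself a URL is a redirector: the reader
    # sees one host and lands on another.
    for key, values in parse_qs(url.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                inner = urlparse(value).hostname or ""
                findings.append(f"redirect via {host} to {inner} (param {key})")
    if url.scheme == "http":
        findings.append(f"plain http link to {host}")
    if host and registrable_domain(host) != sender_domain:
        findings.append(f"link domain {registrable_domain(host)} differs from "
                        f"sender domain {sender_domain}")
    return findings


def score_message(sender, text, html):
    """All indicator strings for one message; an empty list means nothing was flagged."""
    lowered = text.lower()
    findings = [f"generic salutation: {s!r}" for s in GENERIC_SALUTATIONS if s in lowered]
    findings += [f"urgency cue: {c!r}" for c in URGENCY_CUES if c in lowered]
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    collector = _AnchorCollector()
    collector.feed(html)
    for href, shown_text in collector.links:
        findings += link_findings(href, shown_text, sender_domain)
    return findings


# Constructed samples: a phish impersonating the bank at example.com, and a
# legitimate but badly designed mail from the bank itself.
SAMPLES = {
    "phish": {
        "sender": "alerts@secure-login.example.org",
        "text": "Dear valued customer, your account will be suspended within 24 hours.",
        "html": ('<p>Dear valued customer, your account will be suspended within '
                 '24 hours.</p><a href="http://login.example.org/verify">'
                 'https://www.example.com/login</a>'),
    },
    "bank": {
        "sender": "noreply@example.com",
        "text": "Dear valued customer, your statement is ready. Click here to view it.",
        "html": ('<p>Dear valued customer, your statement is ready. '
                 '<a href="https://track.example.net/c?u=https://www.example.com/statements">'
                 'Click here</a> to view it.</p>'),
    },
}


def run_samples():
    return {name: score_message(**msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {len(findings)} indicator(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the two constructed samples, the phish raises five indicators and the bank’s own mail raises three: the generic salutation, the tracking-host redirect and a link domain that differs from the sender’s. That is the point of the paragraph above in miniature. A filter built on surface features like these cannot cleanly separate the two, and neither can a customer, as long as the institution’s legitimate mail looks the way phishers want phishing to look.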
Threat Recognition
One step towards achieving this is through
relatively simplistic training in threat recognition: for example, the
‘phishing quizzes’ that Andrew Lee and I looked at in 2007 in a paper for Virus
Bulletin (Phish Phodder: is User Education Helping or Hindering?). But
the KISS principle is not always enough. What works in engineering
design doesn’t always work in education. There’s a perpetual tension between
keeping communication within the bounds of an audience’s understanding yet
accurate and comprehensive enough to go beyond soundbites. (The Eleventh Law of
Data Smog:
‘Beware stories that dissolve all complexity.’)
Even a poorly designed quiz raises awareness of the
problem, but may be worse than useless if it reinforces wrong assumptions on
the part of the quiz participant. Some quizzes seem to promote a service:
‘Discrimination is too difficult for your tiny brain; buy our product, or even
use our free toolbar/site verification service/whatever’. That’s not wrong in
itself; a vendor is in the business of selling products or services. If the
product or service in question is free, it seems even more churlish to
criticize, but there is a problem in that this message fosters dependence, not
awareness; worse, that dependence is on a technical solution that is likely to
rely on detecting specific instances of malice rather than recognizing a generic
class of threat.
Clearly, there are other limitations in the
effectiveness of a paternalistic ‘Gods and ants’ approach. By showing potential
victims a few example threats, it may sometimes be that they’ll be able to
extrapolate from those when faced with different examples in the same class.
But not often enough. Yet, however desirable it might be in theory to provide
everyone with the analytical skills of an effective security expert, that
clearly isn’t a realistic possibility in the workplace, let alone at home.
Not all advice is good advice
The implementation of a scheme that stands half a
chance of educating everyone who needs educating would require
resources, understanding and coordination that make it highly improbable that
such an implementation will be achieved in our lifetime, or that of our
children. And not all advice is good advice.
There’s certainly plenty of free information available, from many sources: the
media, security vendors, government agencies, law enforcement, and more-or-less
altruistically minded individuals offering advice, product reviews and so on.
Unfortunately, the quality of these resources is highly variable, and they’re
aimed at the sector of the community that may be least able to discriminate
between good and bad advice, especially where one source of advice is in some
sense competing with another.
People Patching
But I’m not very hopeful that education could ever
change human nature so dramatically that X would never dream of scamming Y,
even if Y was naïve enough to fall for a scam anyway. Until education does
achieve the impossible, scammers will continue to scam, and in a technological
age they’ll use technology to achieve their crooked aims; laws and law
enforcement will have only partial success; and victims will behave in the ways
that cause them to become victims. However, education and training can help
everyone living in the digital age to behave less like victims.
User education is also an essential part of
sociological evolution. The threats we face on the internet are not new in
concept: only in technological implementation. Social engineering attacks have
been around since well before Helen of Troy. However, the economy of scale in
the execution of such attacks was so relatively small that widespread education
in recognition of the techniques used was not deemed necessary. The story of
the Trojan horse has been taught for centuries as history and as a metaphor, but
not seen as an illustration of one of the integral risks of everyday life. The
Internet has resulted in an exponential increase in the use of social
engineering attacks to the point where knowledge of how these attacks are
perpetrated is a required life skill in contemporary society.
(That’s from a paper by myself and Randy Abrams: People Patching: Is User Education Of Any Use At All?)
Defense and self-defense
While the proper use of multi-layered defensive
technology goes a long way towards protecting people without requiring them to
be security experts, technology can be deployed more effectively to supplement
and implement the education of those who use it, as discussed long ago by Jeff
Debrosse and myself in the paper Malice Through the Looking Glass: Behaviour Analysis for the Next Decade.
After much research, it has become clear that
taking game theory to the next level – determining the most likely action that
a user will take in a given situation, enabling the reinforcement of ‘safe’
decisions and the sanctioning (or at least monitoring) of ‘unsafe’ decisions –
can make for a much more secure computing environment for the end-user because
their security software would be able to more accurately determine the outcome
of their actions.
Such measures can also help institutions to stop grooming potential victims into
accepting phishing messages uncritically: by improving their own messages, and by
continually working towards improving their own security and that of their
customers.
Teach your children well
Here is an extract from another article – Internet Safety
for Kids: 17 Cyber Safety Experts Share Tips for Keeping Children Safe Online
– to which I contributed, having been asked for ‘The most important internet
safety tip I can share with parents’. As you’ll have gathered from the title,
the focus of Erin Raub, who compiled that article, was on advice to parents.
However, it doesn’t take a long acquaintance with Facebook and other social
media sites to realize that many, many adults have never been educated in terms
of critical thinking and healthy scepticism, and they too need help in order ‘to teach
them to trust their own judgement rather than rely entirely on
technical solutions and conflicting ‘official’ information resources …[and]
direct them towards strategies for developing sound analysis and judgement—what
educationalists call critical thinking. But it’s too critical a task to leave
to educationalists…’
It’s important for everyone to recognize how unsafe
the internet is, not only as a vector for direct attacks, but also as a source
of information. So we shouldn’t abandon security education for adults or for children, and we should continue to use and improve
technology so that it becomes harder for the bad guys to misuse. We
should, of course, acknowledge that phishing and other elements of cybercrime
will continue to find victims, and do whatever we can to minimize the impact on
victims before as well as after the fact.