Security Issues That Deserve a Logo, Part 3: Eager Beavers

During the past year, a new trend in security experienced a meteoric rise, with headlines in both the mainstream and tech media, simply because vulnerabilities were marketed with catchy names and logos. In this blog series, I share with you critical security issues that haven’t captured the media’s attention, but that deserve serious discussion. In the last few weeks I’ve discussed Glimpse and Subversion; this week I’d like to introduce Eager Beavers.

Sit around partaking in libations with security people long enough and at some point you can expect to hear someone raise the age-old rant of “My systems would be secure if it wasn’t for the users.” It’s easy to see why: the media is full of stories blaming users for poor passwords, clicking links without rhyme or reason, replying to alleged benefactors of a huge fortune or simply browsing the web and being hit with drive-by malware.

Living in our security echo chamber, it can sometimes feel like our users are sitting there waiting for the next threat to be delivered to their inboxes or browsers - a group of Eager Beavers clicking with innocent abandon.

I remember many years ago when the ILOVEYOU virus hit. At the time, I was an IT Manager for a small security company, managing services for 100+ people. I’d had prior notice from our chosen AV vendor that a malicious love letter was circulating, starting in Asia, making its way westwards across the globe as users logged in and checked emails. I knew this could be a huge problem, so I sent an email to all staff stating, “If you receive an email with the attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’ do not open!!”

The email I sent was an exercise in futility. Like millions of others before them, probably half of the employees who received the email, clicked the attachment, infected their PCs, causing more emails to be sent to their contacts and furthering the infection. That night the more pints were drunk to aid in forgetting the terrible day, the more descriptive the words became to characterise the eager clickers of the VBS script.

But my animosity towards the user base was misplaced. The unfortunate reality was that the only person who made a big mistake that fateful day was myself. We wouldn’t blame the chickens for being eaten when a fox gets into the henhouse—the responsibility would rest on the farmer's shoulders for not doing more to guard the chickens. I was the farmer, who had totally failed in putting up the right defences to protect my precious brood.

Rather than treating users with disdain for falling victim to a convincing phishing email, ransomware infection or malware, we need to treat each one as a control failure. If we take ransomware as an example, the best defence in reducing the risk of infection is to continuously identify weaknesses on the endpoints that are favoured by exploit kits—Flash or other insecure plugins—and patch or disable as appropriate. Backing up files is a good way to lessen the impact if an exploit kit does manage to break through.

Whilst a group of users eager to click on any link sent to them is worthy of a logo and catchy name, the responsibility to address this particular issue should be less on the shoulders of the clickers and more on the protectors.