The human factor: Why a new approach is needed to eliminate cyber security's weakest link
Cyber security teams are losing the fight against cyber crime and the user education approach has failed, according to an industry expert.
Protecting a business against cyber attacks is no easy task. CISOs and their teams must stay on top of the latest vulnerabilities, properly train users on best practices and vigilantly monitor their networks to detect intruders and keep their organisations secure.
The software most firms use does not help, either. According to Ian Pratt, co-founder and president of Bromium, there is so much software on a modern PC that was written at a time when “security was not the priority” that most systems are “very vulnerable”.
To combat this threat, companies began dividing their machines into two or more “virtual environments” – one for business use and one for personal use. But even this did not provide adequate protection against many cyber criminals’ attacks.
“People were doing perfectly reasonable things in the business environment and getting compromised,” Pratt explains, noting that often infections are not a result of the risky behaviours that security training is designed to discourage.
He also argues that there is a fundamental flaw in the way the industry approaches the problem, “inching along trying to detect yesterday’s threat”.
“The way the industry works, the way they provide protection, is by detection,” he says. “The trouble is that we have known since the work of one of my esteemed colleagues, Alan Turing, that that is impossible… It creates an arms race between the attackers and the defenders, and the attackers have an advantage. They only need to be successful once.
“There is a horrible state in the industry where any type of attacker prepared to invest some effort can really compromise any system.”
It is no wonder, then, that according to Bromium’s research, 60 per cent of CIOs feel they are losing the fight against cyber crime, while 85 per cent said that end users are the weakest link in their security, ignoring or forgetting their training and procedures. Pratt argues that this indicates a new approach is needed to combat cyber threats.
“Education can only get you so far,” he says. “Anyone who relies on education and hopes users are always going to do the right thing will be disappointed. Sometimes it is users doing something silly, but a lot of these attacks are quite sophisticated and would fool anyone.”
He compares cyber security education efforts to the longstanding war on drugs, which has attempted to deter users without really tackling the root cause of the problem.
“Trying to blame the user is counterproductive,” Pratt says. “Going after the user, billions of dollars have been spent doing that for many years now and it has not achieved anything…
“Whenever I read about CISOs blaming users for clicking on things, I think it is naive to think that they are not going to use the machines at lunchtime or whenever for personal use, and it is not really those activities that lead to a machine being compromised.”
The solution, he argues, is virtualisation – a means of “virtual airgap separation” that Pratt says is “an incredibly powerful tool” enabled by developments in modern computer hardware.
“Every document you open and everything you do has its own virtual computer,” Pratt explains. “In that case you do not have to worry about malware. That particular virtual machine is going to get compromised but there is nothing on that machine for the attacker to steal and there is nowhere for them to go.”
This type of solution could take some of the sting out of ineffective education. If a user opens a malicious email attachment containing ransomware, for example, the virtual machine used to open the document is infected, but there is nothing else on that system to encrypt. The user can simply close the window and continue working on other, clean virtual machines.
It also means that zero-day vulnerabilities could be less dangerous. A flawed web browser, for example, would run in its own environment, meaning that even if it were exploited there would be nothing for the attackers to access. Pratt argues that this approach will have a huge impact on modern cyber security.
“What we are doing means you do not have to worry about the security of the applications or the operating system,” he says. “Our goal is to make it orders of magnitude harder to compromise a machine… going back to the old days when they could not do it 10,000 miles away. Right now it is so easy to steal intellectual property, but it does not have to be like that.”