back to article Forget security training, it's never going to solve Layer 8 (aka people)

Research by German academics has shown there's very little that can be done to prevent people spreading malware by clicking on dodgy links in messages, particularly where Facebook is involved. In a presentation at Black Hat 2016 in Las Vegas today, Zinaida Benenson, leader of the Human Factors in Security and Privacy Group at …

  1. Dadmin
    Happy

    Thank you!

    "While a quarter of the people clicked in the phishing email, only 15.5 per cent admitted doing so, and of the Facebook testees, only 18 per cent reported clicking."

    That is the number of psychopaths in the test, and in general, if the sample had a nice spread. I like to keep the stats of how many unreasonable idiots I'll be running into, on avarage. This jives with my other stat: 25% of people are too stupid to communicate with. And of those, 15%-18% are completely insane.

    *makes notes*

    1. a_yank_lurker

      Re: Thank you!

      I suspect some of the underreporting is due to people not really paying close attention and when asked actually do not remember the specific incident.

    2. netminder

      its 27%!

      Not 25%, 27% and it has been documented already

      http://rationalwiki.org/wiki/Crazification_factor

  2. Anonymous Coward
    Anonymous Coward

    "The most important thing companies can do is to stop sending legitimate emails that look phishy. Also, expect mistakes – people will make them and there is nothing we can do about it."

    But that assumes any of those are possible. You can't make legitimate emails not look phishy because one of the goals of phishy emails is to MAKE them look legitimate. IOW, legitimate email is the GOAL of phishy email, so it's unavoidable. As for mistakes, ONE mistake in the wrong place in the wrong time and it's Game Over, period. That's why the James Bond Mode (also known as "eternal vigilance"): because the bad guys only have to be lucky ONCE, and mitigation may well not be an option if the infiltrator is well-prepared. Remember, in a siege, the attacker always has the long-term edge, and once he's in, good luck getting him back out.

    If you say James Bond Mode is unhealthy and ultimately unproductive, then you're proposing a no-win situation. If Layer 8 is indefensible, and Layer 8 can defeat all the other layers, then security (especially against a well-resourced or well-knowledged adversary) simply is not possible. It's not a matter of IF but WHEN your company vitals get stolen and exploited and YOU getting destroyed as a result.

    1. Mike 16

      Making legit look phishy

      ---

      You can't make legitimate emails not look phishy because one of the goals of phishy emails is to MAKE them look legitimate.

      ---

      True, but one can "raise the bar" for "not looking phishy" a LOT better than the average bank, credit-card company, etc, who routinely send "important message from your bank" messages from some third-party domain with no apparent relationship to the parent, and a big "CLICK HERE" that sends you to yet another dodgy-looking domain. Oh, and a "no-reply@itsaltmines.ru" in the REPLY-TO header.

      Yes, I know the really cool phishers will eventually start relying more on MITM on publicWiFi etc. but in the mean time it would still be nice to make them work a little harder, by not forcing legit customers to interact with real companies via very shady means.

      And I'd like to reserve a special place in hell for financial firms that send HTML email "best when viewed with" some crusty browser, or want me to enable java applets.

      1. Charles 9

        Re: Making legit look phishy

        But what's to stop a phisher from duplicating EVERY SINGLE THING the legit e-mail can throw, only to use legit-looking (maybe even Unicode) domain names so that you can't tell the two apart even with a poring of the source? That's how good phishers are getting: the point where the besieger's advantage is becoming harder for the besieged to counter.

        1. Allan George Dyer

          Re: Making legit look phishy

          @Charles 9 - but there's a limited number of look-alive Unicode domain names, and they can be permanently banned after misuse. Even better, for CC TLDs, only allow characters from the official languages in the country and prevent the misuse before it happens.

          The criminals will always go for the low-hanging fruit, that's a good reason to improve the stature of the tree.

        2. Doctor Syntax Silver badge

          Re: Making legit look phishy

          "But what's to stop a phisher from duplicating EVERY SINGLE THING the legit e-mail can throw"

          As Mike said, have the legit e-mailers send harmless mail. Then the phishers can duplicate this to their hearts' content - they'll be sending harmless mail.

          1. Sir Runcible Spoon
            Paris Hilton

            Logic Fail in Article

            "trying to train staff not to click on suspect links,<snip> such training mean that some legitimate emails go unanswered "

            I don't understand why not clicking on links (or attachments) means the inability to respond to an email. Perhaps I'm missing something there.

            My mail settings are such that it doesn't show embedded pictures and any email links are simply copied rather than clicked on (links are disabled too).

            None of which prevents me from responding to the original email or using an email address from the content, so what am I missing here?

            1. VinceH

              Re: Logic Fail in Article

              I'm reading "answered" as "dealt with" - I get much mail that I don't need to answer, but do need to act upon, and that usually involves the contents of an attachment.

              Those attachments come from different sources and are usually PDF files, but occasionally they are Word files, and on rare occasions I've received Excel files.

              I use Sumatra for PDFs and OpenOffice for Word/Excel, so I feel much safer about opening them than I would if I used Adobe Reader or Microsoft Office - but thinking about it, these attachments often go to someone else first and he forwards them to me, and he almost certainly uses those. I should have a word next time I speak to him, to check and, if so, see if I can begin the process of weaning him off them.

          2. Charles 9

            Re: Making legit look phishy

            "As Mike said, have the legit e-mailers send harmless mail. Then the phishers can duplicate this to their hearts' content - they'll be sending harmless mail."

            No, the problem is that they can make a harmless-looking e-mail harmful no matter what you try to do. Remember, you can't fix stupid. Even without direct links, you can make a stupid user copy and paste, even hand-type if need be, and use a similar domain the malcontents bought first or hijacked (so no unicode involved and it can't be removed because it was bought from a crooked vendor who can bribe or is immune to the authorities).

      2. Anonymous Coward
        Anonymous Coward

        Re: Making legit look phishy

        And we get back to greed. Those third-party domain are the usual marketing company who puts trackers on every damned bit of a message to extract as much information from you as they could so they can "profile and resell you". So every damned link and image is infested like in a phishing email, actually some phishing email are less infested (not less dangerous).

        Greed for money, greed for sex (or just images of it...)... that's what you can't defeat because too many people are simply greedy. Let's not call it "curiosity". Healthy curiosity is good. It improves mankind. Greed is not.

        But, oh well, it's what makes click baits on most sites work, including those of old and renowned newspapers who fell to the dark side...

      3. Doctor Syntax Silver badge

        @Mike 16:Re: Making legit look phishy

        TL;DR

        Get rid of marketing departments.

    2. amanfromMars 1 Silver badge

      The Game Name is Bond Mode, James Bond Mode, ....

      .... and its AIT* Nodes are Virtually Secured with SMARTR Access Protocols

      If you say James Bond Mode is unhealthy and ultimately unproductive, then you're proposing a no-win situation. If Layer 8 is indefensible, and Layer 8 can defeat all the other layers, then security (especially against a well-resourced or well-knowledged adversary) simply is not possible. It's not a matter of IF but WHEN your company vitals get stolen and exploited and YOU getting destroyed as a result. ... Anonymous Coward

      Yes, .... precisely, AC. And to deny it and peddle a protection is a fraud perpetrated with blind ignorance being the only mitigating circumstance to explain guilt ?

      And a titanic industry has built itself up upon such a folly and all for the lolly.

      * Advanced IntelAIgent Territory

    3. Anonymous Coward
      Anonymous Coward

      Sec?

      Given your propensity for using CAPS and belief in the inevitablele I can assume you work in security and compliance?

      1. amanfromMars 1 Silver badge

        Re: Sec?

        Assume absolutely nothing. It is infinitely safer

    4. SkippyBing

      'As for mistakes, ONE mistake in the wrong place in the wrong time and it's Game Over, period.'

      If you've found a way to stop humans making any mistakes then you have the potential to be a very rich man. The best estimate I've had from Human Factors practitioners is that the average person gets 20% of their decisions wrong, generally it's the small low level stuff but occasionally it's something big like not pulling into the road in front of a truck.

    5. P. Lee
      Trollface

      >As for mistakes, ONE mistake in the wrong place in the wrong time and it's Game Over, period.

      And since I'm using a company laptop, try measuring my care level....

      1. Charles 9

        "And since I'm using a company laptop, try measuring my care level...."

        Pretty high, I would say, since they may eventually trace the zero point back to you, you get sacked, maybe charged with criminal negligence resulting in gross damages...

  3. JassMan
    Trollface

    Initially I was surprised at how low the figures were.

    25 per cent of testees clicked on the email link and 43.5 per cent did the same for the Facebook message.

    Then I realised the test was on students. I bet if they did the same test on Joe Public the clickees would have been much higher. The gullibility of the man in the street never ceases to amaze me.

    1. Oengus

      Re: Initially I was surprised at how low the figures were.

      The gullibility of the man in the street never ceases to amaze me.

      I don't know if it gullibility or naivety. People have been told for years that "the computer wouldn't get it wrong" and to trust the anything coming from the computer. Phishing is a "relatively" new thing to the man in the street.

      People will only start being careful after they have been "bitten". Hopefully the first bite isn't too painful.

    2. Anonymous Coward
      Anonymous Coward

      Re: Initially I was surprised at how low the figures were.

      IMHO those who didn't click were just too busy watching porn or looking at some "celebrities" nonsense. My data for students don't show they are better than any Joe Public.

    3. Sir Runcible Spoon

      Re: Initially I was surprised at how low the figures were.

      "Then I realised the test was on students. I bet if they did the same test on Joe Public the clickees would have been much higher"

      That doesn't necessarily follow. When I was at Uni I was amazed at some of the people who managed to make it there - most of them were idiots.

      On the other hand, my wife (who is technically illiterate) is quite capable of good security practice whilst browsing the net. She even managed to stop a virus mid-tracks once by unplugging the PC at the wall when it started doing something out of the ordinary - much faster than trying to shut the machine down and not something I had taught her to do either. Doing that corrupted the main virus file so it couldn't load upon reboot, allowing a much simpler clean up operation - only wish that were possible with laptops (and no, I'm not going to rip a battery out when it's powered up, are you mad!? :))

  4. Anonymous Coward
    Anonymous Coward

    "but it also destroys the staff's trust in the company."

    "But if you are trying to train staff not to click on suspect links, ... doing so could cause more harm than good. Not only does such training mean that some legitimate emails go unanswered and IT staff have to deal with huge numbers of false positives, but it also destroys the staff's trust in the company."

    .....Well I've lost total trust in the internet overall...

    ..........Hackers / Malware...

    ..........Constant Slurping...

    ..........Snooping / Overreach...

    ..........Lack of transparency i.e. Smart TV's & Ads...

    ..........Corporations bullying consumers into IoT...

    .....I'm an IT veteran ... Unplug more often I say!

    1. Anonymous Coward
      Anonymous Coward

      Re: "but it also destroys the staff's trust in the company."

      And that still won't save you from the rise of street cameras and spy satellites...

      1. Anonymous Coward
        Anonymous Coward

        "still won't save you from the rise of street cameras and spy satellites..."

        @AC: This isn't about Tinfoil, its about big business specifically Surveillance-Capitalism. The type of personal info slurping that Google / FB / Uber do. The type that offers a treasure trove of behavioral analysis data, that tech giants use against sheeple after selling it to the highest bidder. The Wild-West-Web has no data laws to stop them or protect consumers...

        https://www.theguardian.com/technology/2016/may/02/google-microsoft-pact-antitrust-surveillance-capitalism

        1. Charles 9

          Re: "still won't save you from the rise of street cameras and spy satellites..."

          Like I said, pervasive cameras (Google cars) and spy satellites (commercial photography satellites).

  5. Anonymous Coward
    Linux

    OSI Layer 8 student phishing test

    "Zinaida Benenson .. detailed how students were recruited for a phishing test. It showed that .. the human being, is impossible to fix."

    What desktop Operating System did they run this phishing test on? If you absolutely have to click on links in emails then set the system to only open the file under the Microsoft Word Viewer or the Microsoft Excel Viewer or the Microsoft PowerPoint Viewer. link

    1. gerryg
      Pirate

      @Walter Bishop

      "link"? Are you having a bubble? Is this a secret test analysing the gullibility of "El Reg" readers?

      1. Anonymous Coward
        Linux

        Re: @Walter Bishop

        @gerryg: Clickable links wouldn't be a problem if they moved to the Industry Standard Lubuntu desktop.

        1. Charles 9

          Re: @Walter Bishop

          "Clickable links wouldn't be a problem if they moved to the Industry Standard Lubuntu desktop."

          They'll find a way. Remember the term "rooting" doesn't come from the Windows world.

  6. Ole Juul

    "particularly where Facebook is involved"

    That's the test right there. Pass or fail on job applications based on that alone. Sorted.

  7. perfgeek
    Happy

    Layer 8 is Financial

    Layer 8 is Financial, with Layer 9 being Political. I know because I've got the t-shirt :) (web search for 9-layer model site:isc.org) So, if anything, Human is Layer 10.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Layer 8 is Financial

      It's kinda unofficial, really. Up to layer 7 is officially defined, then it gets messy. Typically, layer 8 is the human layer.

      C.

    2. tfewster

      Re: Layer 8 is Financial

      User errors (collected over the years):

      'Loose Nut on Keyboard'

      PEBKAC - Problem exists between keyboard and chair

      PICNIC - Problem In Chair Not In Computer

      PIMS (Problem In Meat-Space)

      ID-ten-T error - ID10T

      Layer 8 problem (OSI 7 layer model); Layer 7 is the Application, so Layer 8 would be the user

      CISSP: 11th Domain

      Telling the user, "I need you to FOCUS." - Focus meaning Fuck Off Cuz Ur Stupid

      "code 18" meaning the problem is 18 inches from the screen

      ESO error - Equipment Superior to Operator

      User Error, please replace User and retry

      Keyboard driver is non-compliant. Replace and try again

      Critical bug with the wetware processor.

      Due to a corrupt kernel resulting from a stack overflow due to exceeding maximum buffer length of 1 bit. The user must be rebooted.

      1. Sir Runcible Spoon

        Re: Layer 8 is Financial

        Here's another one for your list (which was impressive - not heard of some of those)..

        Chair to Keyboard interface error.

  8. SleepGuy
    Facepalm

    It's true

    In our company, people who are entry-level employees get concerned enough to open a phishing "invoice" that was sent to them. I've had 2 cases in the last 6 months where the concerned low-level employee forwarded the email to their manager who then attempted to open it.

    It's insane and no amount of training seems to help...even though they have never purchased anything on behalf of the company, don't have a company card or anything, they want to feel important and think these phishing emails matter.

    1. Mudslinger

      Re: It's true

      or maybe they think 'this looks dodgy... lets send it to my manager just to be sure'

      1. Anonymous Coward
        Anonymous Coward

        Re: It's true

        People need to accept that the users are occasionally going to do something harmful and set things up so that they can't do much harm when they do.

        If you start with a blank sheet of paper and work out what points of entry there are in your enviroment for threats then you'll be able to mitigate of the issues users can cause to the point that they aren't so serious an issue.

        The user might visit a malicious website and it might root the computer without the user touching anything? Your security settings are probably a bit too trusting. Dissallow scripting on untrusted websites.

        The user might open a .vbs, .exe, .pif, .etc file attached to an email? Check with the business about what attachments you need to accept and strip the rest at the gateway. In my enviroment literially every .exe file arriving via email was a virus. Your experiance may differ, but everything item that you can arbitarily eliminate makes the job that bit easier.

        Macros or attached scripting running in .doc, pdf, etc? Do you have any macro based scripts remaining in service? Digitally sign the ones that you do have, and block untrusted macros and scripting via GPO.

        The users might persist and manage to download something and run it? Worried about viruses spreading through file shares? Set up a Software Restriction Policy allowing people to only run files from %program files% and network shares that the users can't write to.

        You can get a huge amount of security from configuration changes and tools available free of charge if your willing to do a bit of careful planning. My users aren't aware of most of the additional security implemented because it's invisible to them, unless they try and bring .exe files in via USB at which point they get a "sorry dave, you can't do that" sort of message from the SRP.

  9. jake Silver badge

    Silly thing is ...

    ... the 'net was never designed to be secure in the first place. It was designed to be a research network for researching networking. It was designed to share information, not to hide it. You can patch it until you are blue in the face, but it will not change this fact. Now mix in TheGreatUnwashed, and you have a guaranteed security disaster. As we are observing.

    There is only one answer: Complete, ground-up, from scratch, re-make.

    And even then, non-techies will find a way to throw away their money and/or personal data. Hell, even fscking "Advance-fee" scams (so-called "419") are still suckering the rubes ... after HOW many centuries?

    1. Anonymous Coward
      Anonymous Coward

      Re: Silly thing is ...

      It's not an "Internet" problem. Internet is just a TCP/IP transport layer, designed to be resilient to the loss of some segments. And it does it pretty well.

      The problem is what and how people use it - and how they make money from it. For example phishers would have a far harder time if domain names requests were vetted before being approved. Instead, because some greedy people makes a lot of money from it, you can easily register thousands of random domains using fake data without anybody raising an eyebrow. Add spammers getting hold if abandoned IP ranges, again without IANA and the like noticing and stopping them (how difficult is verifying they are still used by the legitimate owner?).

      Sure, there will always be crooks and naive/stupid people. But why being a crook on the Intenet is so easy? Because of technical reasons, or because too many make money from letting the crooks around? Yes, it's a layer 8 issue too - but not the one identified by the researches. Follow the breadcrumbs - and you'll find why it works.

      1. Charles 9

        Re: Silly thing is ...

        "Sure, there will always be crooks and naive/stupid people. But why being a crook on the Intenet is so easy? Because of technical reasons, or because too many make money from letting the crooks around? Yes, it's a layer 8 issue too - but not the one identified by the researches. Follow the breadcrumbs - and you'll find why it works."

        Or maybe because of sovereignty? It's hard to nab a crook if they happen to live in a country hostile to you.

  10. Anonymous Coward
    Anonymous Coward

    Links really clicked?

    How did they determine the phishing link was clicked?

    A lot of the (insanely resource hammering but that's a different issue) security suites that plug their tentacles into as many parts of the system as they can do things such as as "investigate" links in emails (which could mean the security software visiting that link without user awareness)

    AC as employer enforces bloaty, performance destroying AV software on work PC and I know the (mandated) Outlook add in it uses does sometimes access URIs in emails (quite often have outgoing traffic monitoring running as work as coder on lots of client / server comms apps so plenty of debugging logs of all networking on some bug hunts, get to see a lot of bandwidth abusing behind the scenes apps - especially glares at Chrome).

    1. toughluck

      Re: Links really clicked?

      This is actually simple. Suppose you have a database of e-mail addresses. You hash each of them and include the hash in the link. For Bank Of America, the link could look like this:

      H**PS://SECURE.BANK0FAMERlCA.COM/LOGIN?ID=hashofusernameandtimestamp

      (For the love of God, DO NOT click the link above if it gets automatically converted! I hope the fake protocol name doesn't get auto-corrected.)

      Once you click the link, the perpetrator knows exactly who* clicked the link and which e-mail compelled the user to click.

      When you log in, you give away your password to the perps, but it appears you have actually logged into your account. What they will now try to do is guide you towards entering a token code or a one-time code (what they are really doing is they have a pre-filled form just waiting for you to type the code so they can funnel money out promptly).

      There are lots of ways to do it. My bank started warning me to check if the pasted data is correct (apparently there is malware that monitors the clipboard to see if there is an IBAN account number copied to clipboard and as soon as there is, it will be replaced with the pre-programmed account number).

      --

      I partly blame banks for this. I usually type the URL myself or follow online payments to my banking site to authorize a money transfer, but my bank has disabled the use of the password manager on their site because it's apparently safer.

      Well, I have no idea how it can be safer if the password manager used to check if the site is legitimate, if the certificate matches, and so on, and disables the managed password if it fails the checks.

  11. Anonymous Coward
    Anonymous Coward

    Let's simplify this

    Could I propose "people make mistakes, so you ought to make things easier for them and PLAN for those mistakes"?

    When I was still writing code, embedding a tolerance for user mistakes was simply part of what you had to do. As far as I can tell nothing has changed other than that people are more willing to blame the users for being ordinary human beings - an approach that won't exactly help much.

    Of course, you cannot plan for all mistakes (and you can never out-engineer stupid) but I found that combining fault tolerance with some guidance tends to slowly educate users, even the ones some call "dumb".

    Remember that you're designing for humans, not robots.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let's simplify this

      "Of course, you cannot plan for all mistakes (and you can never out-engineer stupid) but I found that combining fault tolerance with some guidance tends to slowly educate users, even the ones some call "dumb"."

      But as you've pointed out, you can't fix stupid, and you can't mitigate catastrophic mistakes since once they hit it's already too late. Combine these two with greater access and a greater potential for any given mistake to become catastrophic, and you're dealing with more hopelessly-error-prone users in an environment where there are more deadly booby-traps than the real world normally throws at you.

  12. John H Woods Silver badge

    Errm

    It is maybe an unpopular, and certainly somewhat simplistic, view of mine that no software application should be exploitable by feeding it incorrect inputs. ok, you could click a link and see something horrendous, like a bad taste video, or a PowerPoint of your company's training policy but, in the end, you are just feeding input to a program. It seems to me that our apparent inability to create programs that are resistant to such input is the real issue we need to address, not the futile task of trying to persuade people to never click links or, even more unfeasibly, to never open attachments.

    1. Charles 9

      Re: Errm

      Trouble is, sometimes you can exploit a system by feeding it CORRECT inputs, too.

  13. netminder

    We have gotten better

    Where I work we have been running phishing tests for a couple years now as part of a security awareness program. We have reduced the click rate from nearly 30% to under 10%. Given how easy it is to do that is a huge ROI. We intentionally build very good emails and will continue to do so if for no other reason than it reduces the alerts coming from our protect/detect devices. That it significantly reduces our attack surface is an added bonus. We will never (I assume) get to 0% but there are a few thousand fewer people here today that are as likely to fall which makes the phishers job harder.

  14. Tikimon
    Unhappy

    We have good users and it's STILL a serious danger

    I'm lucky enough to work in a small shop (45 people) where everyone knows each other. My colleague and I have worked hard to instill them with our paranoia about e-mail, and for the most part, it works. Not only do our users not click links, they ask us to check anything they're not sure of. About three times a year a distracted user will click a mystery link and immediately call me apologizing profusely.

    However, this year we started being spear-phished. These e-mails are legitimate sounding messages from parties we're likely to be involved with. The From address is the correct person at that company who would be sending such a message. All the contact info matches, the logos match, most links point to the real company. I received one that even referenced legitimate patents the company holds. The ONLY clue was the URLS in the two of the links didn't match the displayed address.

    Even willing, educated and helpful users can't be expected to catch every one of these increasingly sophisticated attacks...

    1. FrogsAndChips Silver badge

      Re: We have good users and it's STILL a serious danger

      Yes, phishers are getting better. A few weeks ago, I received an email whose From: was an internal staff. I didn't know her, but we're a big company and everyday I receive emails from colleagues I've never spoken to. As the From was a real company email address, I could even see her 'Active' status in Outlook/Skype.

      The email was mentioning a mailbox issue, and guess what? I was in the happy few who'd had mailbox issues recently, so I wasn't completely surprised.

      The email was properly written, no blatant grammar or spelling errors.

      I could have clicked on that link, which did have $COMPANY_NAME in it, but a tiny detail made me think twice and eventually click on the 'Report Phishing' button instead. Turned out this was not a test but a real one.

      The thing is, once I started questioning the veracity of the message, more and more elements became obvious: it was not using $COMPANY format, it was linking to an external website instead of the intranet, the issue described was not really the one I had encountered, it was conveying the classic doom warning "click now or your PC will stop working"... But it shows that even if you've been trained to detect these attacks and regularly receive awareness communications, it only takes a few seconds of inattention to make the wrong move. Statistically, it will happen sooner rather than later, if not to me then to the guy sitting next to me.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like