Recently there was a malware attack discovered. “So?”, you might ask? “There’s always a malware attack of some sort or another being identified, reported and measured for its scope and impact.” Well, this one was unique in several ways:
- First, it seemed to target Mac OS, which is a rarity for technical (its UNIX roots) and opportunity (tiny user population compared with Windows) reasons.
- Second, the “malice” was limited to the ultimate introduction of adware.
- Third, the code was concealed through the use of stenography (hiding code or other content within a picture or other object).
At first glance, this seems to be a fairly sophisticated threat and one requiring a good amount of technical skill and resources to combat effectively. Sometimes, appearances are more deceiving than code concealed by stenography. How the image’s embedded code was translated into action is not material to this article. For those of you who are into those technical details, you can find them here: Malvertisers target Mac users with steganographic code stashed in images – Ars Technica
What’s important to this discussion was that the code embedded in the image redirected Mac users to a website that served display ads. These ads falsely claimed a visitor’s Flash Player was outdated and offered an update. Executing this “update” actually infected the user’s machine with something called Shlayer. It’s a trojan, first noticed about 11 months ago, used to install adware.
While adware is a nuisance, it’s not an existential threat by itself. Which is fortunate. As a cyber risk professional, what’s the risk in this scenario? Is it preventing adware from distracting users? Gathering personal information and sharing it outside the company? A bit, perhaps. And what remedies would you recommend be deployed? More monitoring of the periphery for and blocking inbound malware concealed with increasing sophistication? Further strengthening platforms at users’ locations? Restricting what platforms may be tied to company networks? Adding network monitoring technology and staff? All of these? Others?
The real risk is in user behavior. And uninformed, unaware users are an existential cyber risk! The approach of the malware attack just described fails completely if targeted users are mindful of where they go online; what and from where they download updates and other files; examining and vetting sources first before acting. It doesn’t matter that the redirecting code was concealed in an image and invisible to the user’s eye. It doesn’t matter that stenography might defeat many malware monitoring technologies. And it doesn’t really matter that some users were working on Mac OS platforms.
What does matter is that users freely, and perhaps foolishly, trusted an unfamiliar site and chose to initiate a software update from an untrusted site. THAT is how the malware/adware was installed! The risk is that people may act in unsafe ways, from a cyber security perspective. They may ignore rules, policies, and published practices. Thoughtless action by users, both on staff and from supplier organizations, have been the root cause of several recent significant cyber attacks. Not everyone has been “fortunate” enough to just receive adware in a download…much more malicious code could just as easily have been substituted, with devastating effect!
The beginning of each year is a great time to evaluate your cyber risk program from the perspective of user training and awareness. It’s a time when we are all looking out at the year ahead, formalizing plans, and preparing to execute them. This is the perfect context for considering cyber risk. What are the obstacles that would derail your organization’s plans, achievement of its goals, and progress for 2019? What cyber risks were most prevalent in your experience in the year just passed? What incidents occurred, and, more importantly, what was their root cause? How likely are they to recur and what would their impact be now? How many might not have materialized had users been better informed and trained? Have new controls been implemented? If so, how aware are users of any controls that require a change to their behavior? How are you planning to evaluate how well these have been understood and adopted across your user population?
A well-formed user awareness program is the first, and in many respects the strongest cyber risk control to implement across an enterprise. Answering these 10 questions may help you address this “educational” risk:
- Do you have a plan for evaluating the effectiveness of your current user education program?
- Are policies and procedures current?
- Are users subject to at least annual refresher sessions on key practices?
- Are pro-active processes in place to broadly communicate procedure and policy changes when they occur?
- How do you measure user awareness and adoption?
- What aspects of cyber security need more attention in your education program?
- Are there plans to strengthen them?
- Do you have evidence of your current position and where you need to be to support resource requests from Executive Management?
- How do your most recent cyber risk assessments support your assertions and plans?
- What leading metrics are monitored to identify a user awareness problem before it leads to a “front page” incident?
An entire category within the core function PROTECT of the NIST Cybersecurity Framework v 1.1 deals specifically with user awareness and training;
NIST also indicates where this imperative maps to other standards related to IT, risk, and security management. Specifically:
- CIS CSC 17, 18
- COBIT 5 APO07.03, BAI05.07
- ISA 62443-2-1:2009 18.104.22.168.2
- ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
- NIST SP 800-53 Rev. 4 AT-2, PM-13
Depending upon the content, structure, and frequency of your risk assessment program you may have considerable data built into your current risk processes to evaluate your current situation. Combining these data with results of training efforts, communications programs, user testing (you do test how your users respond to possible phishing attacks and unvetted communications like those in this article, I hope) and incident tracking may offer a comprehensive understanding of strengths and opportunities for your user education program.
User education is a foundational practice. It enables many other controls essential to cyber risk management, including access control (logical and physical), authentication, supplier management, and more. Treating it as such will strengthen your overall risk program and help it yield results that will justify continued attention, support, and resource assignment from your Executive Management. And, it will help you assure active, effective, cyber risk management!
Note: Another article, The Oft Transparent Link in Cyber Security’s Risk Chain — People! addresses many of the aspects of staff education critical to effective cyber security.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.