Whether they are downloading dangerous content or falling prey to phishing scams, the end user continues to be the toughest security risk to mitigate in most organizations.
“From our perspective, this is one of the most difficult things to protect end users against, because you are trying to protect them against themselves,” said Matt Watchinski, head of the vulnerability research team at Sourcefire, a Maryland-based security products provider.
Web surfing, which is done by many users these days in the workplace and on work-issued devices, is just another portal for trouble.
“This is kind of the crux of security,” said Watchinski. “The security guys are responsible for making sure you can’t do things that you can hurt yourself with, but the end user wants not to have any problems and just do their job. When you start locking stuff down and turning off specific pieces of functionality on networks, like not being able to read Adobe files on Internet Explorer, people can’t do what they need to do.”
With that constant struggle in mind, giving users education about what they are doing and why it is dangerous is the more effective strategy. Watchinski walked us through some of the more common security missteps users take when they are browsing around the World Wide Web and gives advice on how to head them in the right direction
Blindly installing Active X controls
When browsing with Internet Explorer, users are often asked to use Active X in order to view certain information.
“You get pop-up that says install to view,” said Watchinski. “People will just do that. They don’t really think about what the consequences might be. They just want to get to that data.”
But Active X controls, noted Watchinski, are really just code that runs. So a bad guy can make an Active X control, ask you to install it to view content, and then it might later do something malicious. The typical way users are attacked by Active X is through another vulnerable Web site after downloading a bad Active X earlier
“You go to some big site that uses Active X controls and there is nothing malicious in the site, but it has a vulnerability,” said Watchinski. “You’ve installed this Active X control before and sometime later you come to that vulnerable Web page that uses that Active X control and (the earlier download) will do something bad with it.”
How can users get educated about Active X? Watchinski advises telling them that Active X is just like installing any other application on a computer.
“Every time you install one, you have to think about exactly what you are doing. You are installing a new piece of software that could be vulnerable to something.”
Watchinski also added that the latest version of IE has the ability to lock controls down to a specific website. For example, if a user gets an Active X request from Google, it will only work on Google.com. Administrators should implement this in their group policy controls so users are forced into that situation, he said.
Trusting bad SSL certifications
“When you get that pop up that says ‘bad SSL cert,’ most people just click ‘add exception’ and then continue on about their business,” said Watchinski. “I don’t think people really understand what a bad SSL cert means.”
What does it mean? That you are going to a site that is claiming to be something it is not, according to Watchinski.
“Maybe you click on link on Google and you think it will take you to another Google address. But the bad guy has changed that to: www.google.badguy.com. But you’re not really paying attention and when that bad SSL cert pops up, you just say OK. And then you are not really where you are supposed to be.”
From now on, said Watchinski, advise users to look carefully the next time they see a bad SSL cert pop up.
“Users have that mentality of I want to get to my content now,” said Watchinski. “But they should be looking at what pops up to make sure the link is taking them where they want to go.”
Allowing unsigned content
In the next scenario, Watchinski lays it out like this:
“You’re browsing the Web, you get to a file, and it says you need application XYZ to view it. It prompts you to download that app from that site. You click ‘install application.’ Then something says ‘Unsigned content. Microsoft cannot verify where this application came from or who made it.’
Regardless of the warning, people will click and say OK, said Watchinski. Not a great idea.
“If you are a Microsoft partner and you make applications for Windows, you have a key for their install Window. If you get a box that says the content is not signed, you should think about where you are installing that application from.”
Instead, advises Watchinski, ask users to head to downloads.com, a site where users can take advantage of a free service to obtain downloads in a safer manner. Downloads.com scans applications for viruses and often times you can find the application you are looking for there.
Letting curiosity get the best of you
By now just about everyone has seen one of these come-ons. On Facebook, it might be a link that prompts you to ‘Check out this video of you.’ On e-mail, it might be a message warning you that your bank account has been breached and it contains a malicious link where you are asked to enter your account number for verification. These scams are common, and have been around for years, on the Web. So, why are people still falling prey to them? Curiosity continues to get the best if us, said Watchinski. His advice to users: Resist temptation.
“If you get unsolicited feedback on eBay or a social networking site, it is just not a good place to go.”
Let users know anything one might receive that is not expected, whether it is an email message or a message on Facebook, should raise suspicion levels. Even if it appears to be a friend, it may not be. Unsolicited communication needs to be checked out. Advise users to contact the alleged source separately instead of clicking on any links or giving out any sensitive information.
Having a ‘just do it’ mentality
People are busy. When they come across problems, they just want their PC to work, so they click whatever they need to make it work, said Watchinski.
But users need to think about what they are doing in order to view something online, he said. Advise them to consider whether or not it is really important right now or if it can wait so time can be made to download or view something safely.
“Users must figure out a better way, instead of clicking yes to every security exception that pops up,” said Watchinski. “You have to assume some responsibility for the system that you have.”
Source: CSO (US)