An inconvenient truth
When I teach Security Awareness classes, I use this graph to illustrate that security is not convenient. As we all have seen, the more security you add to a system, the less convenient (useable) it is. If you were to require a fingerprint and a retina scan every time you logged in, that would be tiresome. Secure as it would be, most would object to the effort and the inconvenience.
Along with the graph I usually ask “What is the most secure computer?” The most common answer is ‘One not connected to the Internet’. That used to be somewhat true. The actual answer is at the end of this blog post.*
This article is just the most recent one showing how computers can be air-gapped (not connected to an external network) and yet vulnerable to attack. Now you might say ‘How does the malware get on the computer if there is no external access?’ From the article;
Attackers then need to infect computers inside a target’s isolated network. While this sounds hard, as these are highly secure networks, past attacks with malware such as Stuxnet, Gauss, and Flame, show that a mundane infected USB can sometimes do wonders.
So one of the oldest social engineering tricks is a free/lost USB key, and it still works well. This article outlines using temperature fluctuations to control the infected computer. Other attacks use imperceptible fan speed fluctuations or hard disk activity lights to steal data. One attack uses inaudible sounds that can be picked up by microphones on cell phones or other computers to transmit data.
Granted these are not casual attacks since they require some fairly sophisticated effort to work. However, DDoS attacks used to be the province of nation state attackers and now DaaS (DDoS as a Service) and RaaS (Ransomware as a Service) websites allow anyone with a larcenous heart and a few dollars to launch devastating attacks on anyone at any time.
The sad fact is attacks against computer users and thus your business are not decreasing in sophistication, virulence or frequency. If you have a computer at home or at your business, you are a target. In order to protect your assets, it makes sense to beef up your protection. You should start with the weakest link in your protection scheme. A Google image search turned up an interesting image on this website.
Eventually it comes down to the users. Left on their own, computers won’t do anything. When they are given instructions, things start to happen and the users are the ones giving the instructions. You can add firewalls, anti-virus, and all sorts of protective measures but users still need to access the outside world. The outside world does not have your best interests at heart.
While the debate continues on the value of security awareness training and how to conduct it the fact remains that users engage in risky behavior. They do this because security is inconvenient. They do this because they are unaware of the risks. They do this because they don’t get sufficient training on simple ways to protect themselves and your business. (For example: NEVER EVER EVER click on a link without hovering over it to see where it really goes.)
I have been surprised in a class to find a fairly sophisticated user who was unaware that images in an email can have links that can be previewed, just like a hovering over a URL in an email can reveal the real destination.
Usually IT is the clearing house for helping users navigate these issues. If you don’t have an IT department, do you have a smart user that can help? SOMEONE needs to help users reduce the inconvenience of security without reducing or eliminating security. Security is NOT convenient but in today’s world it is most definitely a requirement that will only increase in importance. If you doubt that, please check this article. Security may be inconvenient, but lack of it is expensive.
*So… you couldn’t wait and had to come here first. Well the answer is in order to have a secure computer, unplug the electrical plug to make sure it is not working or connected to anything. For an extra layer of security, bury it. Very secure, dare I say absolutely secure, but sadly at the very bottom of the usability curve. If you want to do something other than unplugging and burying, contact Ashton Technology Solutions at 216 397-4080 to learn more about cyber security.