Saturday, October 20, 2012

Red Sky Weekly - From the users perspective...


This week we released Fusion Report 27. FR12-027 contains analysis of the Citadel banking trojan, including details on how the malware encrypts its communications and behaves differently in a virtual environment. While this activity was not targeted in nature, the malware appeared to be widespread and affected users in both our Red Sky and Beadwindow communities. This prompted me to think: what does a typical user make of simple intrusions like this one?

To that end, I took the opportunity this week to have some great conversations with users whose machines had been victimized during various events. I wanted to bring this back to a “human” perspective and use this week’s blog to talk a bit about how users react when their computer starts to act funny. These are great observations. Infosec folks should pay attention. This is important. Here are a couple of observations and thoughts:

Users are becoming numb

This user, deep in work, checked his email, never suspecting that simply previewing an email might launch a host-side attack and give the attacker access. The problem started with Bluetooth turning itself on on his computer without his taking any action. The user simply closed the laptop, assuming the operating system was acting up. Small issues, when noticed on computers running multiple applications, don’t mean much. One issue that seemingly clears up on reboot is far less trouble than contacting the helpdesk.

Agents on enterprise computers do funny things

When your computer slows down for no apparent reason, a typical user chalks it up to bad bandwidth or to all of the agents running on the computer. Antivirus slows performance, as do the other agents running. Many applications fire up the webcam momentarily to gain situational awareness for later use, and contact lists are routinely updated, exported and synced with social networking sites, all creating small ‘glitches’ that are normal but make real ‘gotchas’ seem normal too. Users can’t tell the difference.

Spearphishing and waterhole tactics are invisible

Does the human have the advantage in identifying spearphished emails before they infect their computer? I’d argue not. What about waterhole attacks, where frequently visited websites are poisoned in the hope that users will stop by and become infected without knowing? Absolutely, users are at a disadvantage. Users must take responsibility for their actions, but many, many of these attacks are designed to get past the user or to infect their computer when they visit their favorite web page.

It’s easier to reboot or work through it

What’s more important: worrying about the obscure chance that someone is in your computer, or meeting the deadline? We work all hours, day and night, and the inconvenience of something happening (for reasons known or unknown) simply means a little extra work. The dedicated user works through it, waiting to see if it worsens. If so, they might contact the helpdesk or Infosec, but heck, we’ve got an Infosec team and they’re watching anyway, so if there’s really something wrong, Infosec will call... right?

Bottom line: Users are learning to live with risk. Agents running on machines, the constant threat of bad email, and simple enterprise issues that arise daily are all causing users to work through the pain.

Users don’t know how to prioritize those risks that might really be stealing information, or how to recognize the symptoms. How do we reach them? I’m interested in your feedback and thoughts.

Thoughts?
Jeff