Security Operations

For Cybersecurity Awareness Month, how about better cybersecurity advice?

Let us be frank: The same old warnings to users aren’t cutting it, and it’s the technologists’ fault. Chester Wisniewski lays out a wiser way.

It’s Cybersecurity Awareness Month once again — the time we set aside each year to raise awareness about online threats in an attempt to make the internet a safer place to work and have fun.

Problem is, we trot out the same tired advice every year and most people have heard it all before. We only have our coworkers’ attention for a short bit each year, so we ought to be sure we are arming them with the most impactful advice possible, not scaring them into not using public Wi-Fi.

There are two particular pieces of advice I see frequently in cybersecurity awareness training that need to be retired, rethought, and retrained. We all recognize the risk email presents for gaining a foothold into our organizations, so we continue to lecture on not clicking suspicious attachments or links.

Don’t click that link

I have worked in this industry for 25 years and I am not quite sure I can abide by this advice. In 2022, simply looking at a domain name, if it can be seen at all, isn’t the silver bullet it once was for indicating an email is fake.

Let’s presume you are a Microsoft Office 365 customer and use many of their cloud services. Here is an incomplete view of domains your users might encounter over a day:

A disturbing cloud of URLs

Figure 1: Can you spot the non-Microsoft-approved URL in this cloud? Trick question! They’re all approved. (Source: Microsoft Office 365 URLs and IP address ranges)

The list provided by Microsoft includes at least 159 domains and subdomains (only one level) that someone may encounter when using a mix of Microsoft tools and cloud services. Is this part of your training? Shall we memorize these and know which ones are OK to click or allow through our firewalls? How often shall we update that training, do you think?

Don’t open dangerous attachments

Here I have an advantage over the average user, but this advice has recently become even more complicated for the average person to apply. The old advice was not to open things like executable files (.EXE), screensavers (.SCR), and COM objects (.COM). In more recent years we tried to add Visual Basic scripts (.VBS) and JavaScript (.JS) to the list. Fortunately, Microsoft does show file extensions in Outlook, but still hides them by default in Windows Explorer.

Microsoft, in an attempt to make email attachments safer, introduced a new feature in the last few months that renders users unable to execute macros in Microsoft Office files if they originate from the internet. Files downloaded from the internet get tagged with what is called “mark of the web” (MOTW), and it appears criminals have been pursuing methods to sneak past these protections using various archive and container formats that might not preserve the MOTW on Office files.

Many of these file types are things Windows can open without any external assistance, like .CAB (cabinet archive), .ISO (disk image), .UDF (disk image), .IMG (disk image), and .VHD (virtual hard disk image). Others target compression archive formats that popular utilities 7zip and WinRAR can commonly extract, including .LZH, .ARJ, .XZ, and .ACE.

Considering that users are not typically able to see file types once saved to disk, warning users about obscure extensions that might be a protective container for malicious files is very challenging. Not to mention the list of abused file types is constantly shifting and evolving as criminals discover new ways to bypass security functions.

What to do?

Clearly, we need a better approach. Technical measures should never be offloaded to individual users; they are better managed by those who understand the problems, and they can be implemented through policy rather than ad-hoc training.

Links should be blocked by security layers at the network edge and on the end computers themselves. In a highly mobile workforce, security protections must be present on the devices themselves. Well-coordinated endpoint protection will see other layers cover the gaps in any URL blocking.

Blocked file types should be centrally managed at the email and web gateways. It is important that your security solution does not blindly trust the file extension, but rather analyzes the file to determine its “true” file type and is able to analyze any containers recursively to inspect their contents.
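The check described above (identify the true type from content, then recurse into containers), sketched as an added example that is not from the original article or any product. It recurses into ZIP only, and the signature table, the `BLOCKED` policy, and the depth and size limits are assumptions of this example.

```python
import io
import zipfile

# (offset, magic bytes, label); labels and the policy below are this example's own.
SIGNATURES = [
    (0, b"MZ", "pe-executable"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-office"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"MSCF", "cab"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\xfd7zXZ\x00", "xz"),
    (0x8001, b"CD001", "iso9660"),
]
BLOCKED = {"pe-executable", "cab", "7z", "rar", "xz", "iso9660"}  # assumed policy
MAX_DEPTH = 5                   # assumed limit on archive nesting
MAX_MEMBER = 50 * 1024 * 1024   # assumed limit on a member's declared size

def true_type(data: bytes) -> str:
    """Classify by content signature; the file name is never consulted."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"

def inspect(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, detected_type, verdict) for a file and everything inside it."""
    kind = true_type(data)
    if depth > MAX_DEPTH:
        return [(name, kind, "block: nesting too deep")]
    findings = [(name, kind, "block" if kind in BLOCKED else "allow")]
    if kind != "zip":
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in (i for i in zf.infolist() if not i.is_dir()):
                path = f"{name}!{info.filename}"
                if info.flag_bits & 0x1:  # encrypted member: contents are opaque
                    findings.append((path, "encrypted", "block: cannot inspect"))
                elif info.file_size > MAX_MEMBER:
                    findings.append((path, "oversized", "block: too large"))
                else:
                    findings += inspect(path, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        findings.append((name, "zip", "block: malformed archive"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding a ZIP named inner.jpg holding 'MZ' bytes."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.jpg", inner.getvalue())
    return outer.getvalue()
```

Calling `inspect("invoice.pdf", build_sample())` reports the outer file as a ZIP despite its name and blocks the executable two levels down.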

Access to known-abused archived formats can also be mitigated to some degree by using application control for unnecessary applications in the business environment, such as WinRAR and 7zip. Blocking execution of JavaScript and Visual Basic scripts can also help. Policies to only execute PowerShell that is signed by your organization will also trip up many threat actors.

Should we still conduct security awareness training? Of course! The more aware you are, the better hygiene you are likely to practice. Dodgy-looking links and attachments should still be avoided, but the burden on the user should shift from the technical aspects (which can lead to time-wasting hyper-analysis by users hoping not to get tricked) to the social aspects.

First and foremost, users should be taught the basics of phishing, as most of us have done before, but focused on what types of things criminals are likely trying to get you to do: Disclose passwords, open unsolicited documents, or share information with unauthorized parties. If it doesn’t feel right, your instincts are probably correct.

Ideally, your security team should be easy to contact in a known way and be available to “take a quick look” at things staff suspect might not be right. Many organizations make their security teams available via phone, email, and corporate chat (Slack, Teams, etc.). Regular reminder emails about security threats should always include this contact information, and it should also go on a sticker on every phone or laptop, like you would an asset tag.

An asset tag with phone numbers for tech support

Figure 2: Or put it directly on the asset tag.

Another effective technique for catching people’s attention regarding email threats is to use real-world examples, especially if they have been sent to your own staff members or leadership. Everyone thinks it won’t happen to them and an example of it happening to someone they know helps make it more real.

Telling good links from bad has gotten increasingly difficult in recent years, and users’ time is likely better spent managing their passwords, gaining comfort with multi-factor authentication, and hearing stories about the latest types of lures criminals are using to trick users into assisting them.

This Cybersecurity Awareness Month, let’s let the technology worry about the technical things and focus our own energy on engaging our staff where they are. Tell stories, share examples, and explain the high-level goals criminals have when trying to trick us over email, SMS, WhatsApp, Discord, and Facebook Messenger. We should always listen to our Spidey-sense and, when in doubt, call our friendly, helpful IT security team to check it out.