Bruce Schneier today shared an interesting link to a CMU study that attempted to discover whether users could be incentivized into running harmful code. In the linked article they mention the surprising statistics, and elucidate their experimental methods including virtual machine detection to identify security researchers/the computer savvy who would obviously not put their base OS at risk.
The results of the study prove that users can be trivially manipulated.
The study notes that ~70% of those studied were well aware of the dangers of executing unknown code. A staggering 22% of users proceeded to execute the code despite the remuneration being just one cent. Now that’s incredible. The authors summarize (and borrow from the paper’s title) that it is “all about the Benjamins” but given the amounts offered I believe it is unlikely that the financial incentive played that great a role. If you make anything interesting or novel, as this experiment did – then people will play along, just as marketers discovered years ago when they started making their promotions interactive. If people feel that they have to work to receive some arbitrary award then compliance would be even better. A great recent example of this was the Coke ‘Friendly Twist’ promotion where the company designed ‘trick’ bottles that could only be easily opened by locking the lid into that of another and dumped a refrigerator full of them at a college campus on the first day of the school. Ostensibly the advertisment stated that the first day of college for many is an awkward and isolating experience, and that through the magic of their novel piece of polyethylene the ice was broken. These kids will have lasting relationships, and it will all be thanks to the clever execs and PR folk at Coca-Cola.
We often focus a lot of attention on the technological side of securing our systems. We ensure that all un-necessary services have been shut down, make sure that those services we must run remain patched up, perform regular audits, run an intrusion detection and network monitoring system, configure remote logging to an immutable and append only medium, ad naseum. But what about the fools who already have legitimate access to your systems? How do we know that they haven’t decided to bring a USB stick full of trojan-laden warez into the building, or decided to write their credentials on a sticky note affixed to their office wall. Perhaps they are particularly stupid and have decided to connect their Pentium 4 era Windows XP laptop complete with Zeusbot (and white gunk between the keys on the keyboard, most noticeable near the T key, which has gone AWOL in protest against what could either be dandruff or low quality cocaine) onto your office network. Oh yes, you know the guy, down the hall in HR. He requested VPN access so he could telecommute and upper management went over your head and have asked you to make it happen as his 200# body exudes an odor that can only be referred to as offensive and his office is right near the air conditioning’s pickup.
Sure, you’ve tried to cover at least some of the human aspects. You’ve ran a memo around the office explaining about your IT Acceptable Use Policy and why opening that important looking “payroll.pdf.exe” isn’t such a good idea, and done your best using group policies to prevent people from doing the really stupid things that have already been considered. But you can’t lock everything down to the point of uselessness. Your attempt at implementing two factor authentication resulted in people just hiding their smartcards under their keyboards. People don’t like being inconvenienced by what they often see as un-necessary security theater. Because nobody is going to attack our business, right?
Our users are the weakest link, and the threat posed by rogue (and just stupid) employees is difficult to entirely mitigate. Many business applications make things worse by requiring privileges that they shouldn’t even need, further weakening an already flimsy defense. The simple fact is that most organizations have reasonable IT security to protect themselves from externally originating threats, but the true soft underbelly of the corporate network lies within the safety of the city wall. We can always do better – be more granular in access control, have behavioral based detection to identify users attempting risky behaviors, religiously adhere to the principle of least privilege and ensure that each user’s privileges are individualized to their requirements and that they have the bare minimum in privileges to do their job. This approach may make you unpopular around the water cooler, but a breach – especially a breach that exposes confidential data like customer credit card numbers and billing details to the world could potentially kill a smaller enterprise, and will undoubtedly do severe damage to the reputation of even the largest business on the block. Unfortunately, the majority of problems are between the keyboard and chair.