IE Zero Day Flaw: What Everyone's Missing
On Saturday April 26th, Microsoft announced Security Advisory 2963983, a vulnerability that affects Internet Explorer versions 6-11. According to Microsoft:
"The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
Fortunately, Microsoft has released a fix for the problem (including for XP users, for now), but in a way it feels like putting a band-aid on a gunshot wound, because the security threats are simply not going away. What everyone's missing is the first line of defense in preventing a cyber security breach: your people. Even in a case like the Heartbleed Bug, where the fault was in the OpenSSL cryptographic software library, limiting the damage fell on both end users, who had to change their passwords quickly (and only after the affected service had been patched, or the new password could be stolen just like the old one), and developers, many of whom are not security experts themselves but have since become more informed.
The Threats Aren't Going to Stop
Just two days ago, Mozilla released Firefox 29, which among other changes addressed critical security vulnerabilities. A few weeks ago BlackBerry fixed a critical vulnerability with implications similar to those of the IE flaw mentioned above. So the question is: when does the madness end?
The truth is, it won't. And despite sophisticated email filters and similar technology, the threats are increasing in volume and severity. Additionally, it's no longer just email that is a threat: there are now threats from SMS text messages, social networks, and mobile applications, to name a few. But if you think about the threats, the technology flaws themselves aren't usually the most dangerous part. What everyone's missing is that an informed user who can spot a fake URL in a link is significantly less likely to be exposed to a flaw like the recent one in IE, because the exploit still has to be delivered by luring the user to a page the attacker controls (a compromised legitimate site or a malicious ad can deliver the same exploit, so this is one layer of defense, not a substitute for patching). During the days between disclosure and the patch, a breach was most likely to occur when an uninformed user clicked through to a dangerous site.
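To make "spotting a fake URL in a link" concrete, here is an added example in Python (not code from the original article) that checks a link the way a trained user is taught to: does the link text name one domain while the href goes to another, is a trusted name buried as a subdomain of someone else's domain, does a user@host prefix hide the real host, is the host a raw IP address, and is the hostname a punycode or look-alike (homoglyph) name. The trusted-domain list and the sample links are constructed for this example and are not from the article.

```python
"""Spotting deceptive links: an added example, not the article's own code.

Standard library only. TRUSTED_DOMAINS and the sample links in demo_links()
are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Assumption for the example: names the organization's users legitimately visit.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'evil.example' for
    'www.example-bank.com.evil.example'. Adequate for the example; production
    code should consult the Public Suffix List (think 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href, display_text):
    """Return the reasons a link looks deceptive (an empty list means none found)."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""

    if parts.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parts.scheme)

    # http://example-bank.com@203.0.113.7/ connects to 203.0.113.7; the part
    # before '@' is userinfo, which browsers ignore or warn about.
    if parts.username is not None:
        reasons.append("text before '@' hides the real host %r" % host)

    if host.replace(".", "").isdigit():
        reasons.append("raw IP address %r instead of a hostname" % host)

    # xn-- labels are punycode; a non-ASCII host may use look-alike letters.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized or punycode host %r (possible homoglyph)" % host)

    # A trusted name appearing inside a host it does not own:
    # example-bank.com.evil.example belongs to evil.example.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and host != trusted and not host.endswith("." + trusted):
            reasons.append("trusted name %r embedded in untrusted host %r" % (trusted, host))

    # Link text that looks like a hostname or URL but names a different domain.
    text = display_text.strip()
    shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
    if "." in shown and re.fullmatch(r"[\w.-]+", shown) \
            and registrable_domain(shown) != registrable_domain(host):
        reasons.append("link text shows %r but the link goes to %r" % (shown, host))

    return reasons


def demo_links():
    """Constructed sample links: href -> reasons found for (href, display text)."""
    samples = [
        ("https://example-bank.com/login", "example-bank.com"),
        ("https://example-bank.com.evil.example/login", "www.example-bank.com"),
        ("http://example-bank.com@203.0.113.7/", "example-bank.com"),
        # Cyrillic 'а' (U+0430) in place of Latin 'a': a homoglyph domain.
        ("https://ex\u0430mple-bank.com/", "example-bank.com"),
    ]
    return {href: analyze_link(href, text) for href, text in samples}
```

The first sample comes back clean; each of the other three trips at least one check. The same checks are what a mail gateway or a browser extension would run automatically, which is exactly why the user is the last line of defense when the automated layer misses.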
End Users Are More Important Than the Technology
If we look at the data surrounding these security vulnerabilities, recent studies echo what I said above. A Rapid7 report found that over 80% of the data breaches reported by the U.S. government were caused by human error. The Georgia Tech Research Institute declared spear phishing to be the largest threat to enterprise organizations. Increasingly, security isn't just about the hardware and software being safe, but about people's understanding of cyber security threats.
In order to prevent these cyber security threats, users have to be proactive in understanding where the risk is. My colleague Jacki Williams wrote a very helpful article about creating a Culture of Secure Behavior, which outlines everything from protecting different devices to effective password management. The best way to protect yourself personally is to educate yourself on these topics and take action: no more abc123 passwords, and no more leaving your iPhone unlocked at the bar with your company email exposed. But what about preventing cyber security threats for a massive group of people from different backgrounds, such as a government organization, a private corporation, or any other organizational body?
How Do You Train Hundreds, Thousands, or Hundreds of Thousands?
If you're attempting to educate users in your organization you have a few options:
- Slide presentations or videos
- Informative mass emails and PDFs
- Do-it-yourself phishing attacks
- Cyber security assessment and training software
Getting to the Root of the Problem
Of these, the last two options are the more effective. Do-it-yourself phishing attacks are relatively inexpensive and fairly easy to implement, but beyond assessing where users are weak against email phishing they don't bring a lot else to the table. You'll still have to train your employees; we've found that punishing employees for poor cyber security awareness isn't at all effective in improving the security of your organization.
That still leaves cyber security assessment and training software, which may be more expensive than the other options but is also a lot more effective. We try to be as efficient as possible in getting to the end result, which is a significantly more secure organization. Additionally, the cost of cleaning up infected computers, of antivirus and anti-malware protection, and of other cyber security efforts can be significantly reduced if your "human firewall" is smarter.
The first step is assessment, where you see where the security risks exist in your company, from simulated phishing via email and text messages to USB drop attacks. From there we move to education, where you can be as flexible as needed in training the specific groups or individual users who had difficulty in their assessments. The training modules that currently exist are always being updated and expanded to cover new security risks, and currently cover everything from smartphone security to recognizing deceptive URLs. These training modules can be completed remotely with only small losses in regular productivity and, more importantly, can be targeted to a wide range of cyber security priorities.
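Both the do-it-yourself phishing option above and the assessment-then-targeted-training flow just described rest on the same mechanics: every recipient gets a unique link, a click is recorded against that recipient, and the results say who needs which module. The following Python is an added example of that mechanic (not the article's code and not any vendor's product) with the one detail that is easy to get wrong in a home-grown campaign: the per-user token is signed with a campaign secret, so a result cannot be forged or attributed to the wrong person by anyone who guesses the link format. The secret, landing URL and roster are constructed for the example.

```python
"""Do-it-yourself phishing assessment with unforgeable tracking links.

Added example, not the article's or a vendor's code. CAMPAIGN_SECRET,
LANDING_URL and ROSTER are constructed for illustration.
"""
import base64
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CAMPAIGN_SECRET = b"constructed-secret-rotate-per-campaign"  # assumption
LANDING_URL = "https://training.example.internal/landing"   # assumption
SIG_LEN = 12  # truncated HMAC-SHA256 tag (96 bits), plenty for a tracking token

# Constructed roster: user id -> department.
ROSTER = {"alice": "finance", "bob": "finance",
          "carol": "engineering", "dave": "engineering", "erin": "hr"}


def encode_token(raw):
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_token(user_id, campaign_id):
    """campaign|user followed by a truncated HMAC over it, base64-encoded."""
    msg = ("%s|%s" % (campaign_id, user_id)).encode("utf-8")
    sig = hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).digest()[:SIG_LEN]
    return encode_token(msg + sig)


def tracking_link(user_id, campaign_id):
    """The link that goes into this recipient's simulated phishing email."""
    return "%s?t=%s" % (LANDING_URL, make_token(user_id, campaign_id))


def verify_token(token):
    """Return (campaign_id, user_id), or None if the token is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        msg, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        campaign_id, user_id = msg.decode("utf-8").split("|", 1)
    except ValueError:  # bad base64, bad utf-8, or missing separator
        return None
    expected = hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).digest()[:SIG_LEN]
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return campaign_id, user_id


def record_click(click_log, requested_url, source_ip):
    """Log a click for the user the token names; return False if the token is bad."""
    token = parse_qs(urlsplit(requested_url).query).get("t", [""])[0]
    parsed = verify_token(token)
    if parsed is None:
        return False
    click_log[parsed] = source_ip
    return True


def assessment_report(click_log, campaign_id):
    """Per-department click rate plus the users to route into training."""
    counts = defaultdict(lambda: [0, 0])  # dept -> [clicked, total]
    needs_training = []
    for user_id, dept in ROSTER.items():
        counts[dept][1] += 1
        if (campaign_id, user_id) in click_log:
            counts[dept][0] += 1
            needs_training.append(user_id)
    rates = {d: clicked / total for d, (clicked, total) in counts.items()}
    return rates, sorted(needs_training)


def run_demo():
    """Constructed campaign: two genuine clicks and one forged token."""
    campaign, click_log = "2014-q2", {}
    accepted = [record_click(click_log, tracking_link(u, campaign), ip)
                for u, ip in (("alice", "10.0.0.5"), ("carol", "10.0.0.9"))]
    # A token built without the secret must not mark bob as a clicker.
    forged = encode_token(b"2014-q2|bob" + b"\x00" * SIG_LEN)
    forged_rejected = not record_click(click_log, LANDING_URL + "?t=" + forged, "10.0.0.66")
    rates, needs_training = assessment_report(click_log, campaign)
    return rates, needs_training, all(accepted) and forged_rejected
```

The report is what drives the education step: the users in `needs_training` get the phishing module, and the per-department rates tell you where to focus the next campaign. Keep the secret per campaign so that old links stop counting once the exercise is over, and log the source address only for spotting mail-gateway pre-fetches, never for disciplining users, which, as noted above, does not improve outcomes.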
So what's my point in all of this? There will be a security breach next week, and the week after, affecting everything from operating systems to browsers to sensitive company databases. The first line of defense in cyber security is your end user. A smarter end user leads to fewer breaches and a more secure organization. If you're able to help hundreds, or maybe even thousands, of users become as aware of cyber security threats as you are, then you can feel better knowing you're making the web a much safer place for all of us.