Don’t Click the Link

Human psychology is a fascinating yet troublesome area of interest for me as a cybersecurity professional. In over 30 years in the industry, the primary “unsolvable” problem has been human behavior. Most people don’t intentionally try to create problems, but they sometimes can’t help themselves. Take for example, the continued growth of phishing campaigns, which allows malware into your environment.

Malware (short for malicious software) is unwanted programs that can cause your system slower speeds, damage or can result in the loss of data or control of your operational systems. Types of malware are extensive, but some of the terms you have heard include virus, worms, ransomware, adware, and more.

If you aren’t familiar with the term “phishing”, it is a play on the word fishing, where you are trying to bate or entice someone, normally via email or a web advertisement, to click a link. That link will then take you to a compromised site or download the malware onto your system. If your system or network has exploitable vulnerabilities, then you can further compromise your environment, resulting in the loss of confidentiality, integrity and/or availability of your critical data or operational environments. Phishing may be used to ask for your credentials to a specific site (bank, credit card, social media).

How do people get caught up in these types of activities? Well, here are just a few of the more common reasons.

Curiosity

The email header reads: “Queen announces retirement from Royal Duties”. In the email is a link that says “read the latest news here”. Of course, you are curious; but do you click the link? Of course NOT.  If you think it is real news, you can find it on reputable news sites. If you scan the headers of your emails, you might find a few dozen or more headers with attempts to catch you with something you would be interested in.

Rewards

The email header reads: “Complete this survey and get a $100 Walmart gift card”. Inside the email is a link that appears to go to a survey. Of course, it likely isn’t legitimate.

Fear, Uncertainty and Doubt (FUD)

The email header reads: “Action Required: Your PayPal Account is Suspended”. Inside the email is a professional looking button that says PayPal Login. Looks legitimate? Do you have a PayPal Account? Maybe your wife set one up in your name? Don’t click the link. You can check the status of your account by going directly to the vendor’s known legitimate website.

Boredom

You are just sitting there trying to find something new and interesting to read or do. Those kinds of situations get us all into trouble.

Exhaustion or In a Hurry

Sadly, the faster we try to go or more tired we get, the more likely we are to make a bad decision or just not analyze the situation correctly. This is the same reason why most people don’t read the terms and conditions associated with their applications and memberships. With an average attention span of 8 seconds, people tend to look for “instant gratification”.

Can You Prevent Cyber Security Threats?

How do you stop humans from “clicking the link”? Better to ask, can you? The human nature will revert to its habits, so cybersecurity education, training and awareness will only take you so far. Don’t get me wrong, education is still essential, but you do have to assume somebody will click a malicious link, and organizations must be ready when they do.

1. Don’t default to administrator rights so software can be automatically installed. This will help to prevent malware installation and escalation of privileges compromises. You can force any software installation to require additional actions or privileges. While inconvenient, this closes a lot of opportunities for malware installation.
2. Deploy malware detection tools on the systems and networks. This additional layer of security helps address two possible point of entry.
3. Logically or physically separate operations on your network. Production operations is normally where your most critical operations occur. Keeping this network segment (or vlan) away from more administrative types of functions moves entry points further away from critical operations.
4. Seriously consider whether you allow non-organization-owned equipment to connect inside your network. This would include smart phones, tablets, and laptops that don’t have confirmed protections.
5. Limit the number ports and applications allowed onto your systems and network to the bare minimum needed for operations. While malware can use common communication channels, many will try to use some of the less common channels.
6. Monitor your network and systems for unexpected issues. This would include performance impacts, attempts to use uncommon communication channels, loss of storage, or increases in resource utilization.

Sadly, there is no perfect prevention; however, a few pre-emptive actions can significantly reduce the likelihood of a successful malware attack.

Dr. Greg Miles, Ph.D., CISSP, CISA, CISM, is an experienced security consultant with over 30 years of information technology and security experience. He is a United States Air Force Veteran, has planned and managed Computer Incident Response Teams (CIRT), Security Assessments, and Cyber Security training capabilities. Dr. Miles has been a featured international speaker at the BlackHat Briefings, DefCon, TechnoSecurity, Secure360, and Security Week Brazil. He applied his Electrical Engineering degree to computer systems while in the military and ultimately earned his Ph.D. in Engineering Management after joining the civilian workforce. Dr. Miles holds multiple cyber security certifications and is a published author and speaker. He has been a part of the UAT community since 2004 in various teaching positions in the Cyber Studies Program.