Journalist Kevin Townsend asked me a few months ago for commentary on phishing, for an article he was researching. He said:
Phishing really comes down to 2 basic questions:
- Can technology ever solve the problem & what are the best approaches?
- Can awareness training ever solve the problem? How?
If the answer is 'no' to both, then should we concentrate on accepting that it will succeed, and concentrate on discovering and mitigating the effects of a successful phish?
The question is this: are phishing and other manifestations of cybercrime purely technological problems? Even if this were the case, does it follow that they could therefore be solved by technology alone?
To some extent, the security software industry relies on the idea that there is always a technological answer to a tech problem (as, indeed, it has persuaded many of its customers to expect), but 'always' is a big word.
In general, when we address an attack vector technologically, the bad guys start working on finding ways round the roadblock. That doesn't mean we shouldn't look for technical solutions, but it does mean that we can't usually find a once-and-for-all-time fix. Sometimes we eventually abandon an approach altogether; more often we keep recalibrating as the nature of the threats changes.
It may be broke, but can you fix it?
There's more to surviving in a threat and counter-threat ecology than technological thrust and parry, though. To expect the security industry to fix everything is about as realistic as expecting medical technology to eradicate disease, or forensic technology to eradicate crime in the physical world. Even if a universal solution existed, the online world has no single choke point at which it could be applied so that everyone was protected.
Perhaps we need a better word than solution. Something that sounds less like a 'this is the glorious victory at the end of the war' and more like 'this might win us this skirmish.' To quote myself (in an article for Heimdal Security to which I contributed):
The security industry is pretty good at providing a wide range of partial solutions to a wide range of technological attacks, but technology continuously evolves on both sides of the white-hat/black-hat divide, so – marketing claims notwithstanding – there is never 100 percent security across the board. Least of all from a single product. In most cases, organizations and individuals choose what defensive measures they take, and indeed whether to protect themselves at all.
Unfortunately, those choices will not always be the choices that security experts would consider to be the best.
Technology versus people
Phishing isn't (just) a technical problem, nor is cybercrime in general. (I'll mostly be speaking about generic cybercrime in this article rather than just phishing.) In fact, cybercrime, like its pre-digital sibling, is primarily a social problem, or rather a cluster of interconnecting social problems:
- Criminal behaviour (online or offline), and the economic, educational and psychological factors behind it. To quote myself further: "Society can actually cause deviant behaviour where the individual must subscribe to more than one code, yet elements of one code are incompatible with another, leading to an uncomfortable state of cognitive dissonance, which might lead to 'irrational or maladaptive behaviour'. In other cases, perhaps it's just that in an era where fake news dressed up as satire is the common currency of the social media, the evolution of technology has far outstripped the average person's ability to apply the common precepts of everyday socialization to the online world."
- Victim behaviour, and similar underlying factors. By this I don't just mean victims recklessly failing to take reasonable precautions, but also banks and other institutions contributing to the problem by failing to meet a sufficient standard of security when communicating legitimately with customers. Every time a bank sends out an email addressed to 'Dear valued customer', or containing a multiply-redirected 'click here' link, it makes it harder for potential victims to distinguish phishing mails from legitimate ones. If they don't even know your name, how can you be sure that it's really your bank mailing you? If you can't tell where a link points, or if it goes to a site whose name appears unconnected with the bank, how on earth do you know it's safe?
- Legislation and law enforcement issues. Even where there is appropriate legislation, the will and the resources aren't there to enforce it in a better-than-piecemeal fashion.
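The signals named in the list above (a generic greeting, a 'click here' link, a link whose visible text names one host while its href goes to another, a redirect chain hiding the real destination, and a landing host unrelated to the sender) can be checked mechanically. The following is an added example, not code from the original article or from ESET: a small offline Python checker that parses one message and reports those signals. The sample message, the bank name and every domain in it are constructed for illustration, and the domain-suffix handling is deliberately crude (noted in the code); a real deployment would use the Public Suffix List and would also inspect headers such as the envelope sender and authentication results, which this example does not.

```python
"""Heuristic check for the 'legitimate but phishy' mail patterns discussed above.

Added example (not from the original article). Works entirely offline on a
constructed sample message: the sender 'examplebank.com', the tracking host
'links.mailtrack.example' and the look-alike hosts are all made up.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

GENERIC_GREETING = re.compile(
    r"\bdear\s+(valued\s+)?(customer|client|member|user|account\s+holder)\b", re.I)
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
CALL_TO_ACTION = re.compile(r"\b(click\s+here|verify|confirm|update)\b", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). Sufficient for this illustration;
    real code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def final_destination(url, max_hops=5):
    """Unwrap redirectors of the form https://r.example/?u=https://... without
    touching the network, by repeatedly pulling a nested http(s) URL out of the
    query string. Returns (final_url, number_of_hops_unwrapped)."""
    hops = 0
    while hops < max_hops:
        qs = parse_qs(urlparse(url).query)
        nested = next((unquote(v[0]) for v in qs.values()
                       if v and v[0].lower().startswith(("http://", "https://"))), None)
        if nested is None:
            break
        url, hops = nested, hops + 1
    return url, hops


def check_message(raw):
    """Return a list of (code, detail) findings for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    findings = []

    greeting = GENERIC_GREETING.search(body)
    if greeting:
        findings.append(("generic-greeting", greeting.group(0)))

    parser = _Anchors()
    parser.feed(body)
    for href, text in parser.links:
        dest, hops = final_destination(href)
        dest_host = urlparse(dest).hostname or ""
        if hops:
            findings.append(("redirect-chain", f"{hops} hop(s) -> {dest_host}"))
        shown = URL_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(dest_host):
            # The visible text names one site, the link goes to another.
            findings.append(("text-href-mismatch", f"{shown.group(1)} -> {dest_host}"))
        elif registrable(dest_host) != sender_domain:
            code = "cta-offdomain" if CALL_TO_ACTION.search(text) else "offdomain-link"
            findings.append((code, f"'{text}' -> {dest_host}"))
    return findings


# Constructed sample: a 'legitimate' mail that is indistinguishable from a phish.
SAMPLE = """\
From: Example Bank <alerts@examplebank.com>
To: someone@example.net
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer,</p>
<p>Please <a href="https://links.mailtrack.example/?u=https%3A%2F%2Fsecure-examplebank.example%2Flogin">click here</a>
to confirm your details.</p>
<p>Or visit <a href="https://examplebank.example.test/login">https://www.examplebank.com/login</a>.</p>
<p>Statements: <a href="https://www.examplebank.com/statements">statements</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in check_message(SAMPLE):
        print(f"{code:20s} {detail}")
```

The point of the example is the contrast, not the scoring: exactly the heuristics that flag a phishing mail also flag the badly composed legitimate mail above, while a bank that addresses the customer by name and links directly to its own domain gives such a checker nothing to report.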
Awareness, training, education
So can awareness training/education ever solve the problem? Well, we'll probably never know for sure. Many times over the years, I've said something like 'we don't know whether user education works because no-one's ever done it yet.' That's a rather glib and simplistic way of putting it, to be honest, though it will do as a response to the equally glib assertion that ‘if user education was going to work, it would have worked by now’. A great deal of work has been done in raising the general level of security awareness and self-protection through some form of education, and I like to think I've made some contribution myself, as in this paper by Sebastian Bortnik and myself from 2014: Lemming Aid and Kool Aid: Helping the Community to help itself through Education. In that paper we asked:
How can we strike a balance when it comes to teaching of computer hygiene in an increasingly complex threatscape to audiences with very mixed experience and technical knowledge? Can user-friendly approaches to security be integrated into a formal, even national defensive framework?
And we made some suggestions as to how that could be done.
Education, Education, Education
Since I first drifted into the security field, I've generally seen myself as more of an educator (by intent, anyway) than a researcher. I realized long ago that there are hordes of people who are much better than I am at disassembling malware and writing code to detect malicious activity. I consider it a privilege to be able to work with some of those people (not only at ESET, but in the security industry as a whole), and I'm honoured that they put up with me to the extent of reading my blogs and listening to my presentations.
So while I couldn't do my job if I didn't have a reasonable grasp of malicious technology and the technologies that we have evolved to address it, my interest and abilities lie less in bits and bytes than in the psychosocial aspects of criminology and victimology. After all, my academic background is in social sciences as well as computer science, which is perhaps why I sometimes see things a little differently from my more technically gifted peers in the security industry, and have more faith that people who are not particularly IT-knowledgeable can, to some extent, be educated into being less vulnerable, certainly to attacks that are at least partially psychological rather than purely technological. I'm afraid I'm going to quote myself again.
Very, very often… a threat is less dependent on the effectiveness of its technology than it is on how effectively it manipulates the psychology of the victim.
Psychological manipulation of the intended victim is a core component of what we often call social engineering. Susceptibility to social engineering can sometimes be reduced by technical measures – the textual analysis of email messages with the aim of detecting text that is characteristic of a certain type of criminally-motivated communication, for example. However, educationalists favour a complementary, longer-term approach that involves making individuals more difficult to manipulate.
One step towards achieving this is through relatively simplistic training in threat recognition: for example, the 'phishing quizzes' that Andrew Lee and I looked at in 2007 in a paper for Virus Bulletin (Phish Phodder: is User Education Helping or Hindering?). But the KISS principle is not always enough. What works in engineering design doesn't always work in education. There's a perpetual tension between keeping communication within the bounds of an audience's understanding yet accurate and comprehensive enough to go beyond soundbites. (The Eleventh Law of Data Smog: 'Beware stories that dissolve all complexity.')
Even a poorly designed quiz raises awareness of the problem, but may be worse than useless if it reinforces wrong assumptions on the part of the quiz participant. Some quizzes seem to promote a service: 'Discrimination is too difficult for your tiny brain; buy our product, or even use our free toolbar/site verification service/whatever'. That's not wrong in itself; a vendor is in the business of selling products or services. If the product or service in question is free, it seems even more churlish to criticize, but there is a problem in that this message fosters dependence, not awareness; worse, that dependence is on a technical solution that is likely to rely on detecting specific, known instances of malice (a particular fraudulent site, a particular message) rather than on recognizing the generic class of attack that the next instance will belong to.
Clearly, there are other limitations in the effectiveness of a paternalistic 'Gods and ants' approach. Showing potential victims a few example threats may sometimes enable them to extrapolate from those when faced with different examples of the same class. But not often enough. Yet, however desirable it might be in theory to provide everyone with the analytical skills of an effective security expert, that clearly isn't a realistic possibility in the workplace, let alone at home.
Not all advice is good advice
The implementation of a scheme that stands half a chance of educating everyone who needs educating would require resources, understanding and coordination that make it highly improbable that such an implementation will be achieved in our lifetime, or that of our children. And not all advice is good advice.
There's certainly plenty of free information available, from many sources: the media, security vendors, government agencies, law enforcement, and more or less altruistically minded individuals offering advice, product reviews and so on. Unfortunately, the quality of these resources is highly variable, and they're aimed at the sector of the community that may be least able to discriminate between good and bad advice. Especially advice that is in some sense competitive with other sources of advice.
But I'm not very hopeful that education could ever change human nature so dramatically that X would never dream of scamming Y, even if Y was naïve enough to fall for a scam anyway. Until education does achieve the impossible, scammers will continue to scam, and in a technological age they'll use technology to achieve their crooked aims; laws and law enforcement will have only partial success; and victims will behave in the ways that cause them to become victims. However, education and training can help everyone living in the digital age to behave less like victims.
User education is also an essential part of sociological evolution. The threats we face on the internet are not new in concept: only in technological implementation. Social engineering attacks have been around since well before Helen of Troy. However, the economy of scale in the execution of such attacks was so relatively small that widespread education in recognition of the techniques used was not deemed necessary. The story of the Trojan horse has been taught for centuries as history and as a metaphor, but not seen as an illustration of one of the integral risks of everyday life. The Internet has resulted in an exponential increase in the use of social engineering attacks to the point where knowledge of how these attacks are perpetrated is a required life skill in contemporary society.
(That's from a paper by myself and Randy Abrams: People Patching: Is User Education Of Any Use At All?)
Defense and self-defense
While the proper use of multi-layered defensive technology goes a long way towards protecting people without requiring them to be security experts, technology can also be deployed to supplement and reinforce the education of those who use it, as Jeff Debrosse and I discussed long ago in the paper Malice Through the Looking Glass: Behaviour Analysis for the Next Decade.
After much research, it has become clear that taking game theory to the next level – determining the most likely action that a user will take in a given situation, enabling the reinforcement of ‘safe’ decisions and the sanctioning (or at least monitoring) of ‘unsafe’ decisions – can make for a much more secure computing environment for the end-user because their security software would be able to more accurately determine the outcome of their actions.
These measures can also help institutions stop grooming potential victims into accepting phishing messages uncritically: by improving the messages they themselves send out (addressing customers by name, linking directly to their own domain rather than through redirectors), as well as by continually working to improve their own security and that of their customers.
Teach your children well
Here is an extract from another article – Internet Safety for Kids: 17 Cyber Safety Experts Share Tips for Keeping Children Safe Online – to which I contributed, having been asked for 'The most important internet safety tip I can share with parents'. As you'll have gathered from the title, the focus of Erin Raub, who compiled that article, was on advice to parents. However, it doesn't take a long acquaintance with Facebook and other social media sites to realize that many, many adults have never been educated in terms of critical thinking and healthy scepticism, and they too need help in order 'to teach them to trust their own judgement rather than rely entirely on technical solutions and conflicting ‘official’ information resources …[and] direct them towards strategies for developing sound analysis and judgement—what educationalists call critical thinking. But it’s too critical a task to leave to educationalists…'
It's important for everyone to recognize how unsafe the internet is, not only as a vector for direct attacks, but also as a source of information. So we shouldn't abandon security education for adults or for children, and we should continue to use and improve technology so that it becomes harder for the bad guys to misuse. We should, of course, acknowledge that phishing and other elements of cybercrime will continue to find victims, and do whatever we can to minimize the impact on victims before as well as after the fact.