ESET Threat Blog

Archive for the 'user support' Category

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks, where a person is socially engineered into providing personally identifiable information to someone posing as a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe that they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals who also have years of experience and who have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Multi-Layering and User Education: a random thought from AVAR


Saturday, December 20th, 2008

I promised you some more thoughts on the AVAR conference. Randy Abrams and I put together a paper on user education for the conference (it should be up on our White Papers page quite soon) about the argument between the two main camps in security thinking on the topic. You could sum it up as "If user education was ever going to work, it would have worked by now!" versus "You can’t fix social problems with technological solutions!" And I guess you could sum up our position as "Since neither approach is going to eradicate security breaches, why not integrate the best elements of both approaches into a multi-layered strategy?" (Not as simple as it sounds, but it’s worked for both of us in our previous careers.)

While Randy was doing the presentation (it’s called delegation) I had one of those moments of blinding clarity. The trouble with these instances of dazzling insight is that sometimes they turn out to be about suddenly realizing something that the rest of the world has taken for granted since the Renaissance, but I’ll share it with you anyway.

I’ve spent a great deal of my working life in user support: not so much manning (personning?) the helpdesk phone – though I’ve a fair amount of flying time there, too – but second and third line support. You can certainly look at user education and training as a close relative and in some contexts a subset of user support functionality (no, that isn’t the insight).

There are, it occurs to me, two ways of approaching user support (not that they’re mutually exclusive): for each trouble ticket with your name on it you can take whatever technical measures are appropriate almost without reference to the end-user. That way, you often get a quick fix (re-install, disinfect, replace a malfunctioning component, reset a password) and you can move on quickly to the next job. Users are generally happy because you aren’t expecting any significant effort from them. But what if it’s a problem to which they contributed in some way? All they’ve learned is that if the problem reoccurs, you’ll come back and sort it again. You’ve treated the symptom, not the disease.

The alternative is to look at each trouble ticket (logged request for support) as (potentially) a learning experience. If the user has some understanding of what the problem is, he or she may also realize that there’s a better way of approaching the task that originally sparked the problem. Involving the customer more directly in the problem-solving process may add significantly to each incident resolution, but that’s not a problem if it results in some reduction of the overall volume of incidents. This is social engineering in its more general sense, persuading people to do what’s good for them and the groups to which they belong, not what’s good for some blackhat Svengali.

Of course, some users will resent any attempt to educate them: they will regard it as your job to fix anything they break, just as some AV users expect that because they’ve installed AV, they should be able to click on anything they like without thinking about it. Well, teachers don’t manage to educate all their pupils, either, but we haven’t given up founding schools and universities…

David Harley CISSP FBCS CITP
Director of Malware Intelligence