I had a dream the other night, more of a nightmare really. I was in a cold and windy industrial setting, desperately trying to remove malware from the laptop of my company’s CEO. For some reason, he was dressed all in black, and wheezing like the three pack-a-day smoker that he isn’t. Just as I thought I had finally killed the errant process so I could start to disinfect his machine, he double-clicked an attachment in an email, cut my hand off with his letter opener, and said “Cas, I am your father!” I screamed, and jumped off the ledge, and then woke up shaking.
Turns out, this was less a dream and more a vision, as sure enough, the next day, I got called up to his office to look at his laptop. He had it out on the little terrace his private office opens out to, and it was windy, and he was wearing black, and for a moment I was seriously tempted to jump, because sure enough, he had opened some attachment sent to his personal email, and it was malware, and his machine was toast.
These days, it’s as much about what is your malware, as it is about who is your malware, since almost every single technical protection you implement can be circumvented by your users. No matter how hard you try, some people will always be your weakest link. Always have been, always will be.
So let’s take a look at all the ways they keep our jobs exciting, new and challenging by examining the six worst types of human malware already on your network!
1. I am above your puny rules
Yes, we have a policy that prohibits accessing personal email from corporate machines. We even have a proxy in place to block access to all known (by URL) personal webmail services. But try telling the CEO no, just once. Go ahead. Try. If users, any users, can exempt themselves from policy, and don’t take extra care when they do, they will be a way malware finds its way into your systems.
2. Trust everyone
You have to love these people for their undeniable faith in humanity and trust for all. You have to try not to kill these people for believing everything, from the banker in Elbonia trying to move money out of the country, to the Prince who has been wrongly deposed. Then there is the helpdesk person who needs their password to restore their data that was lost to a server crash and the relative stuck in a foreign land who cannot call, but can email, asking for funds to help get them home. You almost need to assign them a babysitter so they don’t get phished or fooled again and again and again.
3. I’ll click anything once
These are the same people whom you probably convinced to lick a flagpole on a freezing day, or to try hamster treats because they taste so good. If they see it online, it must be true, so they will click anything to get that free download, or that prerelease copy of the movie, or to see those pictures that can’t be believed. How many times have you had to reimage their machine because something they clicked was just so, so bad?
4. Fool me once, shame on you. Fool me twice, shame on me.
Fool me daily, and it’s just something to laugh about. Chief Engineer Montgomery Scott taught me that Scottish saying, all but the third part. These are the folks who do the same thing, time and again, no matter how many times it has bitten them. Maybe they got tired of waiting for the machine to shut down, so they hit the power switch. Or maybe they keep trying to download cool screensavers, no matter how many times it has turned out to be a virus that trashes their machine. Or maybe they keep giving out their creds to every social engineering attack because the attacker said “please.” No matter what, they just can’t seem to learn.
5. I feel the need, the need for speed
“And your crappy antivirus program is making my machine run too slow, so I disabled it. But don’t ask me how a virus got in, because I certainly didn’t download it! Maybe your firewall is not good enough!” In my not-so-humble opinion, disabling antivirus should be a capital offense!
6. Patches? We don’t need no stinkin’ patches!
The worst offender is the one who consciously chooses not to apply a patch. Maybe they are too busy, or don’t have time to test, or just don’t think they need to patch. Patching is one of the best ways to close vulnerabilities that worms and other malware exploit. Leaving a system unpatched is tempting fate, even more so than leaving your sunroof open on a cloudy day.
Of course, it doesn’t help that we are seeing cleverer phishing examples than ever before. The recent LastPass/LostPass phishing attack made public by security researcher Sean Cassidy has everyone trembling at the knees because there is no way to distinguish between the real thing and the phishing attack. He details the whole process in his blog and also provides a list of ways to stay safe. Cassidy says you can be safer by ignoring notifications in the browser window, enabling IP restrictions if on a paid plan, disabling mobile logins, logging all logins and failures, and by informing your employees of this attack – which I guess would only work if you don’t have any of the above types.
What about you? Do you have any of these human malware types on your network today? Do you have another type we missed? Leave a comment below and let us know what you think of the big six, or who should be number seven on our list. Come on, we’re listening!