As a professional services consultant, I am pleased to meet customers around the world and talk to a wide range of IT security experts who are at the forefront of malware defence.
One of my favourite topics is how people started their IT careers, but I am frequently surprised by how many people do a double take when I describe my own early years and mention my university degree.
Applied psychology and computing can seem to many an unusual combination of subjects until I explain how much the two can take from one another. Whether we use psychology to inform the design of the strategies by which an artificial intelligence learns, or use psychological techniques to improve our understanding of how human-computer interaction can be enhanced, there are many practical benefits to applying one field to the other.
Unfortunately, it’s a trick not lost on malware designers, who increasingly take advantage of clever traps that leverage the psychology of end users and system administrators. Manipulation is an old game, but psychological studies consistently reveal new facets of “nudging” people into certain behaviours, and malware is more than happy to use such techniques.
Recent malware and spyware have featured timers that push users to act fast without fully assessing the consequences of their decisions, careful wording aimed at provoking emotional responses, and prompts that encourage the “mistakes” which help the malware take over a network or that exploit users’ habits to infect machines or spread further.
When we are up against these threats, it is easy to blame users, but there has never been such an easy way to attack so many people with such strategies. The problem is that we (as individuals) often struggle to learn from experience once we have been tricked. Consider that even today, too many people are exploited by similar strategies in the real world, despite widespread knowledge of pyramid schemes.
Thus, even though it is easy to blame users, the truth is that human error cannot be eliminated entirely in the way a software bug can, and old tricks can work just as well as new ones. While user behaviour is a factor that malware makers exploit, encouraging good user behaviour alone is not the primary answer.
So what can we do when there is a very real risk that an end user’s action will not stop a threat from reaching your network? In my view, a major part of the equation is ensuring that all three of your pillars, prevention, detection and response, are robust.
Of course, in this particular case, when I talk about prevention, I’m talking about preventing further infection: making sure that you protect your server infrastructure against attacks coming from the client network, and keeping your vulnerability management on top of things. And this must go far beyond the initial stage of infection, and far beyond user-raised alerts or the hope that antivirus software will detect everything (because nothing is 100 percent effective). Instead, you need to ensure that you know what the malicious agents on your network are actually doing.
Lastly, your response must go beyond hoping that users “learn their lesson” and that automated tools will solve the problem on their own. The true impact of an infection needs to be understood, together with a review of the “how” that led to the situation in the first place.
Even with this, and as detection and infection technology continue to improve, the subtlety that malware makers can achieve will improve too. With the improvements to user experience (UX) design made across the software industry in recent years, it is probably only a matter of time before we see more ransomware using new and unusual concepts to encourage interaction.
I would not be surprised to see more malware imitating popular software features such as built-in two-factor authentication (to capture telephone numbers) or social media experiences. All this means that you will need to continuously educate your users over the coming years.
The good news is that technology has opened up new paths for educating users, with video, e-mail and social media making it easier than ever to reach the whole organisation and helping everyone to understand the latest tricks. And psychology helps us better understand what makes information “stick” in these formats, making company training efficient and effective.
Going back to my college days, in my final year I spent some time developing and studying the user effectiveness of alternative authentication methods (many of which seemed unusual at the time but are no longer uncommon: image passwords, for instance, were added to Microsoft Windows a few years later).
Now, if we consider that the bad guys have understood this in recent years, perhaps those of us on the other side should start learning more about it too.