End users the weakest link in cyber security

In my experience in the IT and cyber security industry over more than 20 years, the main enabler for IT-security incidents and breaches has frequently been end-user action and inaction (Info on 1.5m SingHealth patients stolen in worst cyber attack; July 21).

Many are reluctant to admit that the end user is the weakest link.

The goal of any attacker is to infiltrate as deeply into an organisation as possible.

The typical approach an attacker takes is to go after the weakest link. The easiest way to do this is to take advantage of the inherent demand by end users for convenience.

Tricking an end user into opening an attachment or clicking a link in an HTML-enabled e-mail is one of the easiest ways for attackers to get their foot in the door.

A single action of opening an attachment or visiting a malicious webpage can nullify the protection afforded by spending tons of money on technology such as firewalls and intrusion detection systems.

What makes this mode of attack continuously viable for an attacker despite all the news about cyber breaches is modern society's demand for convenience.

Case in point: Users who say "I want to access the Internet from the same computer that I use to access my company's database, or sensitive information".

This is why end users cannot be trusted to do the right thing and why all organisations today (and not just the Government) must protect end users from themselves by cleanly segregating internal sensitive networks or systems from the systems that employees use to access the Internet.

The only forms of communication that should be automatically allowed to a corporate local area network computer should be text-only, non-HTML-enabled e-mail and domain name server lookups, as these are vital for business communications.

Even then, these should go through a proper content, link and attachment evaluation and scrubbing procedure.

All other traffic (VoIP, instant messaging, and so on) should be evaluated on a case-by-case basis, by asking "do we really need this", "what happens if an attacker uses this to get inside" and "if we need it, how do we secure it properly".

In today's cyber space environment, we are already at war with other entities whether people want to admit it or not.

Accordingly, every Singaporean needs to realise that he is a target and act accordingly, and not just seek convenience at the expense of security.

Julian Ho

A version of this article appeared in the print edition of The Straits Times on July 23, 2018, with the headline 'End users the weakest link in cyber security'.
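
The text-only e-mail rule with link and attachment scrubbing that the letter calls for, sketched as an added Python example that is not part of the original letter: a gateway-side function that reduces a message to plain text, drops attachments and defangs URLs. The function names, the `hxxp`/`[.]` defanging convention and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class _VisibleText(HTMLParser):
    """Collect visible text only; tags, hrefs and script/style bodies are dropped."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")
    def handle_endtag(self, tag):
        self._skip = max(0, self._skip - (tag in ("script", "style")))
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def defang(text):
    """Rewrite URLs so no mail client renders them as clickable links."""
    return URL_RE.sub(lambda m: "hxxp" + m.group(0)[4:].replace(".", "[.]"), text)

def scrub(raw):
    """Return (text-only EmailMessage, names of dropped attachments)."""
    msg = message_from_string(raw, policy=policy.default)
    dropped = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _VisibleText()
        parser.feed(text)
        parser.close()  # flush any text still buffered by the parser
        text = "".join(parser.parts)
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            clean[name] = str(msg[name])
    clean.set_content(defang(text))  # single text/plain part, nothing else
    return clean, dropped

def sample_message():  # constructed input: HTML-only body, one link, one attachment
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", "Invoice"
    m.set_content('<p>Pay <a href="http://pay.example.net/x">here</a> or at '
                  'http://pay.example.net/x</p><script>x()</script>', subtype="html")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_string()
```

The list of dropped attachment names is returned so the gateway can log or quarantine them for the separate evaluation step instead of discarding them silently.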