Is the user the weakest link in security?
When examining breaches, we can almost always point to users practicing poor security — how can we change this?
Put simply, most people believe that the weakest link in the security supply chain is the user. This attitude has become so widely accepted that it’s almost set in stone. It is justified by the inherent unpredictability of humans; the knowledge that a security hole in any application or codebase is fully discoverable and fixable; and the difference between ‘machine’ error and human error. Human error is inherently random; a lapse in attention or judgement can occur at any time, often with seemingly no context to prompt it.
We never really question the idea that the user is the weakest link, but is it fair to stigmatize the user and consign them so unambiguously to being their own worst enemy? We ought to examine whether this consensus is truly justified.
How users fail security
When users have their data compromised, it’s usually as a direct result of a failure or misstep on their own part. While a determined hacker targeting an individual will eventually be able to overcome any security precaution, most of us will never be so specifically targeted. Maintaining basic security hygiene and awareness would be enough for us to protect ourselves against almost all general online hazards. And yet, we continually find that loss of security, compromised accounts or stolen credentials can be traced back to a failure on the user’s part.
Good password hygiene remains one of the hardest practices to instill in users. Our passwords form the gateway to our online accounts and potentially all our most sensitive data; no matter how secure a website may be against direct hacking attempts, if users allow their passwords to be broken or stolen, hackers gain free access to any data stored on that site. However, many users have poor password security, despite knowing the risks and knowing how to improve their passwords.
In 2019, SplashData estimated that about 10% of users used at least one of that year’s weakest 25 passwords. This might not be much of an issue on its own; not all our online accounts store especially sensitive personal data, and some breaches might hold very little of value for a hacker. This assumes, though, that the user has different passwords for each account they use online and that hackers wouldn’t be able to breach other, more sensitive accounts with the same login credentials. Ten percent doesn’t seem like a lot, but this is just the tip of the iceberg.
Again in 2019, Microsoft revealed that 44 million users of various Microsoft service accounts were using vulnerable passwords that matched with a list of already-breached credentials circulating on the dark web. A survey from LastPass the previous year revealed widespread password re-use, with nearly 60% of users using the same password on multiple sites, even though 90% of respondents understood the security risks of password re-use. The same survey revealed that over 50% of users had gone longer than a year without updating their password.
This does seem a damning indictment on users, with so many understanding the risks of lax password security but continuing to use old, already breached, or weak passwords. This is despite it being easier than ever to maintain good password security thanks to services like Avast Passwords, part of Avast Antivirus, which can generate and manage complex, secure passwords across multiple accounts, eliminating the problems of password re-use, memorization and weak passwords all in one package. There is also Avast Hack Check, which can tell you within moments whether you’re using a breached password that should be changed to keep you secure.
Users are also consistently taken in by the simplest, most preventable attack there is: Phishing. There is a wealth of information on what phishing is and how to avoid it, including the entry in Avast Academy and a discussion on the Anatomy of a Phish. Even though the success rate for phishing attacks continues to go down each year, enough users still fall victim to make them worthwhile, with phishing accounting for 22% of all data breaches in 2019.
According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 96% of phishing attacks are delivered via email, while login credentials, PII, internal business data, medical information and financial credentials are the most targeted forms of data. We also see a lot of interplay between phishing and malware.
Negligence and malware
As users, we also allow malware to be more of a problem than it needs to be. Phishing campaigns extensively employ emotional manipulation and psychological techniques, so falling for one can be excused as a human lapse. Failing to install basic protection is harder to excuse: in 2017, it was found that less than half of Windows users had any form of antivirus installed. The situation is even worse among smartphone users, with only 39% having any form of mobile antivirus installed.
Even as the built-in security for our devices improves, we continue to leave ourselves at risk by failing to keep our software updated. The 2019 Avast PC Trends Report found that even Windows 10, which has automatic updates built in, is out of date for 8% of users. These statistics get worse with more specific programs; 15% of Microsoft Office 2007 and 2010 users have vulnerable versions of the software installed. When we examine software in general, we find that 55% of all programs are left unpatched, while Adobe Shockwave, VLC Media Player, Skype, Java Runtime, 7-Zip and Foxit Reader are out of date and vulnerable for over 90% of users.
How security fails users
Users could clearly be doing a lot more to keep themselves safe, but does this automatically make them the weakest link in security? We can simply say that users lack vigilance and leave it at that, but without careful examination of why users leave themselves so vulnerable, we do not have the full picture.
Security by design
Security by design is a principle being pushed by both regulators and commentators in the tech industry. It refers to the concept that security should be a core part of the design and production process of any new project or service, rather than the design focusing on marketable features and security being added later. Article 25 of the GDPR calls for a form of this with its principles of Data Protection by Design and Default. This stipulates that any data controller should implement data protection measures in both their organizational structure and developmental processes, and should only store and process data that it requires access to for its operations.
Nonetheless, security by design has seen a very lackluster rate of adoption in most industries. Businesses, by their nature, are vulnerable to commercial pressures. This means they are always incentivized to push a product to market as quickly as possible; stringent security practices naturally fall by the wayside, leaving software and products with bugs and exploitable vulnerabilities. This is especially true with the Internet of Things, which has become one of the most notoriously insecure sectors of the tech market. A recent survey found that 83% of IoT devices are communicating without SSL encryption, leaving them vulnerable to packet sniffing and man-in-the-middle attacks, among many other risks. Fortunately, we have access to solutions like Avast Smart Home to protect our personal IoT, but the lack of inherent security in so many products cannot be blamed on the user.
Sustained pressure weakens any chain
The tendency for vendors to prioritize their commercial interests over security has a knock-on effect on user behavior. Phishing has a complete dependence on user error to be effective, and these errors usually come from the user acting on their emotions and impulses rather than thinking rationally and critically. Marketing, advertising and sales would be in a poor state if users weren’t vulnerable to their emotions; just consider the concept of ‘clickbait’ and how legitimate news sources need to make their headlines as eye-grabbing and enticing as possible to generate user engagement. A well-produced phishing campaign can be indistinguishable from a legitimate marketing campaign for a new product or service. Marketers have even started to incorporate aspects of phishing into their techniques.
In a more professional context, even our work environment can exert soft but constant pressure to turn us into weaker security links. In a previous blog on authentication (The Authentication Puzzle), we examined the concept of “user friction”, a way of describing how much effort a user must exert to stay secure. Especially in the workplace, better security almost always means higher user friction and will encourage employees to bypass any security measures in place. Even if the decision to do this is down to the individual user, any organization must expect that at least some of its staff will compromise their security in response to user friction. A 2017 report revealed that 95% of businesses suffered from this in some way.
A confusing world
This is far from exclusive to business environments. Even those of us with a good understanding of security and risk are bound to be overwhelmed by all the different best practices and products we’re expected to support. If we were to practice perfect security at all times, we would need to use a separate anti-malware and firewall solution for each of our devices, connect to the internet via a trusted VPN service, use a password manager to generate a different, secure password for every online account we use and enable multi-factor authentication – sometimes with a dedicated MFA device for each service. Sometimes the only reasonable alternative to simply leaving out some steps is to use a consolidated security suite, like Avast’s antivirus, which can protect an entire network of devices and incorporates options for password management and a VPN.
Security’s fundamental flaws
User authentication in today’s security landscape has one critical underlying flaw: a password, even with MFA enabled, does not prove the user’s identity. All that is proven by our current methods of authentication is that the person logging in has access to the user’s password and any relevant MFA device. Anyone with access to these has access to the user’s account and all information stored on it with no checks or barriers.
We already have the technology to replace passwords, but new systems and products continue to employ passwords for authentication, and frequently allow for relatively weak password security. In most cases, MFA is not mandatory and password complexity requirements are lax. This leaves our accounts with a lack of inherent security and places the responsibility on the user to make up for any intrinsic security holes. Yet authentication processes never provide any incentive or strong requirement for us to compensate for their weaknesses.
Both these problems could be solved together if the security industry updated its approach. Technology for both biometrics and behavioral biometrics already exists, and has been implemented with good results outside of the consumer sphere. There would need to be nuance in implementation depending on the nature of each service, but incorporating these two concepts into a new standard of authentication would be possible even today. Requiring a simple form of biometrics (a fingerprint or facial scan, for example) and using behavioral biometrics in the backend would provide a much stronger proof of the user’s authenticity than passwords do, with more checks and fail-safes than current forms of authentication. This would also take the onus off the user to compensate for inherent security flaws.
We discussed that many users are insufficiently protected against malware, and don’t use an antivirus despite knowing the risks. What we glossed over until now is the question of why such anti-malware solutions are necessary in the first place. Malware exploits flaws, whether these are flaws in an OS, flaws in software or flaws in the hardware design of a device. Can we say that lack of malware prevention is entirely the user’s responsibility when malware infections could be equally reduced by elimination of bugs and vulnerabilities in the products and processes we use?
Software developers lack a governing body or self-regulation, and security compliance seems to be totally focused on the end-user environment rather than the development process. While we have increasing security regulation with legislation like the GDPR and CCPA, these are more focused on personal information and endpoint data protection.
This lack of regulation in the design and development phase of new products means that new products are produced with flaws that can be exploited by cybercriminals either now or in the future.
The currently unfolding controversy over Huawei products in the US and UK is an example of this. The US is concerned about Huawei creating intentional back doors in its products to be used by Chinese government-backed hacking groups. UK-led investigations have not confirmed this, but have found several insecure practices in Huawei’s development cycle that leave numerous potentially exploitable bugs and flaws.
User error is clearly the catalyst for most breaches. When we examine where along the supply chain a breach happened, we can almost always point to the user practicing poor security, making a blunder or being deceived by a scam or some form of social engineering attack. Through this lens, it seems obvious that users are the weakest link in the supply chain and the most prominent security issue. When looking at the entire supply chain, however, we often find that the circumstances leading to that user error could have been prevented much earlier.
A possible exception to this is phishing scams. Because they exploit human weakness, the only effective defense against them is education and awareness among users. Making this education available can only go so far; even companies with mandatory security training report users taking risks they already know they shouldn’t. Anywhere from 60% to 74% of employees report flouting their company’s security policy in some way. All it takes is a personal lapse, rather than a fundamental lack of intelligence or awareness, to fall for a phishing scam.
User error will never be entirely eliminated from security; users are humans and humans make mistakes and will never stop making mistakes. But the industry could be doing more to prevent these mistakes; users are allowed, and even encouraged, to be the weak links in the security chain. It should not be our first concern that we correctly distribute blame between industry and users; that will not help us solve the security issues that we all face. The way forward is to minimize the opportunities for human error to cause harm and work with user needs to make good security the natural behavior, rather than the exception.
Kevin Townsend, 26 November 2020