
When hearing about ways hackers attack computer systems, you may have heard buzzwords like “privilege escalation,” “lateral movement,” “pass-the-hash,” or “firmware attacks.” Terms like these may not be in the vocabulary of the general public, but it isn’t necessary to understand what they mean or how they are used in a cyberattack to follow the general point. The tools hackers use can be summed up in two categories – attacks on the hardware and software, and attacks on the people using those systems.
An IT security professional might decide that the best way to protect a system is to isolate it – running it as an off-network, standalone system with a limited set of programs that allow for one specific use. An average user would likely become frustrated and either refuse to use it and turn to a less secure system to accomplish the task, or use the system but find ways around the security protections to make their job easier. Additionally, a new security patch might break an important internal program and prevent users from accomplishing their tasks at all. Herein lies the balance that must be reached when securing computer systems – making them as secure as possible while maintaining necessary functionality and remaining relatively user-friendly.
Grouping current attack vectors together (malware, ransomware, credential stealing, phishing, cross-site scripting, SQL injection, etc.), many of them arrive through the same two channels: Internet browsing and email. Browsing and email are among the most common uses of a computer, which means categorically prohibiting them is not an acceptable way to prevent attacks. However, allowing their use on certain systems while preventing it on others may be an option, as long as the user doesn’t feel too inconvenienced. Designating certain systems as sensitive and restricting how they can be used, while allowing general use on other systems, will hopefully limit that feeling of being inconvenienced.
Some time ago, a shirt was being sold with the following message printed on it: “Social Engineering Specialist – Because there is no patch for human stupidity.” While this message can be considered harsh in describing humans (or, more specifically, computer users), it has some truth to it. An IT security professional can keep a system up to date and patched to the best of his or her ability. Employees can also receive the best computer security training on how to recognize phishing emails, suspicious email attachments, and credential-stealing spoofed websites. If the user doesn’t take the time to think about the file they are opening, or about what credentials they are entering after clicking a link, that security is wasted. This brings us back to the need for a balance between security and the user’s ability and willingness to “do the right thing.”
IT security professionals should still design and implement secure computer systems, isolating or segregating sensitive systems on separate virtual or physical networks. This way, if the local network is compromised with ransomware as a result of a malicious attachment, the ransomware won’t be able to reach the separate network and compromise the sensitive system. Reducing the amount of software installed or restricting access to certain features on the sensitive system is also a good idea. While someone working on the sensitive system might not have access to their usual network resources, they will still be able to accomplish their tasks there, and they will still be able to do everything else on the general-use computer; however, they might have to move back and forth between workstations or have extra equipment at their desks. This scenario can be irritating, but it doesn’t have to be. Education, together with solutions that reduce frustration – such as a KVM (keyboard, video, mouse) switch and limiting the amount of equipment on the desk – can help build a balance between security and usability.
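As an added illustration of the segregation described above (not part of the original article), the following nftables ruleset would sit on the router or firewall between a general-use LAN and a sensitive segment. The subnets, the patch-mirror address and the interface layout are hypothetical placeholders; the point is the default-deny forward policy, which ensures that a ransomware foothold on the browsing-and-email network has no path into the sensitive segment, and that the sensitive hosts themselves get no browsing or email at all.

```nft
# Added example, not from the original article. Hypothetical addresses.
define GENERAL_NET   = 10.10.0.0/24   # general-use workstations: browsing, email
define SENSITIVE_NET = 10.20.0.0/24   # isolated systems with one specific use
define PATCH_MIRROR  = 10.30.0.5      # internal update server on a management subnet

table inet segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted may flow back.
        ct state established,related accept

        # Nothing that originates on the general-use LAN may reach the
        # sensitive segment. Logging the drops gives the defender a signal
        # that a general-use host is probing where it should not.
        ip saddr $GENERAL_NET ip daddr $SENSITIVE_NET counter log prefix "blocked-to-sensitive " drop

        # General-use hosts keep their normal Internet and internal access.
        ip saddr $GENERAL_NET ip daddr != $SENSITIVE_NET accept

        # Sensitive hosts may only fetch patches from the internal mirror,
        # so they stay up to date without browsing or email exposure.
        ip saddr $SENSITIVE_NET ip daddr $PATCH_MIRROR tcp dport 443 accept

        # Any other traffic leaving the sensitive segment is dropped and
        # logged; an unexpected hit here is worth investigating.
        ip saddr $SENSITIVE_NET counter log prefix "sensitive-egress-denied " drop
    }
}
```

The ruleset is loaded with `nft -f` on the segmenting firewall. Note that the two log prefixes turn the boundary into a detection point as well as a barrier: a host on either side that tries to cross it leaves a record, which is exactly the kind of early warning that a ransomware infection on the general-use network would produce.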