Sometimes conveniences become vulnerabilities, and most often people are still the weakest link in information security.  So much of the security realm tends to focus tightly on automation to the detriment or exclusion of education that we attempt to solve basic human behavior problems in software.  E-mail is still the most prevalent avenue of delivery for inbound threats, and it is undoubtedly the most common avenue of data loss.  But how far has security awareness training gotten us?  And are we adequately shoring up weaknesses, or just reaching for the latest elixirs?

Every security awareness training program in existence warns of the dangers of opening e-mail attachments from an unknown or unexpected source, but now e-mail doesn’t have to carry the payload, only a pointer to it.  We’ve added education about links to websites, but most users still don’t have a clear idea about how to verify the authenticity of a site.  Browser locks and certificates are a hurdle many will just not clear.  Added to that, some sites use self-signed certificates or allow them to expire, meaning that a hard-and-fast rule may not be appropriate.  It may be true that many people still don’t think before they click, but if trained well, most will pause even in the face of non-binary patterns.  But I’d like to focus on another, perhaps even more common problem that can immediately lead to data loss and disclosure.

One can make a case for DLP (data loss prevention) agents and appliances based on potential malicious activity, but I’d wager that the most common scenario revolves around simple carelessness.  But no piece of software attempting to detect and prevent will “get it right” every time.  Yes, we’ve seen famous cases of mistakes — one more recent case was Angelo Mozilo’s use of ‘Reply’ rather than ‘Forward’, but the common, ordinary, everyday example is a convenience that lulls us into carelessness, namely auto-completion.  Whether the mail user agent be Microsoft Outlook, or the mail client on a Blackberry or iPhone, the behavior is the same when you add a recipient to an e-mail note.  You start typing a name, and voilà — after some number of characters, the software fills in the name and e-mail address.  “How could it not be the person I intended?”  This happens so frequently that I’ve begun to think that it is not a question of ‘if’ disclosure will happen, but ‘when’ and ‘how often’ it will happen.  Who falls into this trap most frequently?  Probably those who are very busy.  You know — the ones who often send 1-10 word responses to e-mail messages; the same ones that would complain bitterly if auto-completion were disabled; and very likely the same people who also have access to, or communicate about, highly confidential business information.  Sounds like a recipe for information disclosure, doesn’t it?

So what should users be taught and reminded of on a regular basis?

  1. Always check the recipients list for accuracy.
    Read the names and e-mail addresses carefully.   When replying to a message, ask whether you intended to reply to all of the original recipients or just the sender.
  2. When adding new recipients to an existing thread, or forwarding a thread, consider whether or not all parts of the thread are appropriate for the new recipient.

Following just these two simple rules will avoid most problems.  For now, technology intended to increase productivity can actually cause real pain.  Disabling it entirely may be a political minefield.  Perhaps in the future there will be settings or agents that ask for confirmation every time we send e-mail outside of our domain, or perhaps just change a color somewhere to visually remind us.  Regardless of changes to automate the enforcement of security controls, people are still the most important link in information security and nothing can replace good and ongoing training.
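
The two rules above, together with the idea of asking for confirmation before mail leaves the domain, can be expressed as a pre-send check. This is an added example, not code from the original post; the `corp.example` domain, the function names and the sample thread are constructed assumptions.

```python
from email.utils import getaddresses

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains


def parse(*headers):
    """Return {address: display name} from To/Cc/Bcc-style header values."""
    pairs = getaddresses([h for h in headers if h])  # skip empty headers
    return {addr.lower(): name.strip().lower() for name, addr in pairs if "@" in addr}


def review_recipients(to="", cc="", bcc="", thread=(), internal=INTERNAL_DOMAINS):
    """Return (reason, address) findings to show the sender before the message goes out.

    `thread` holds the participants of the message being replied to or forwarded;
    leave it empty for a brand-new message.
    """
    recipients = parse(to, cc, bcc)
    known = parse(*thread)
    known_names = {name for name in known.values() if name}
    findings = []
    for addr, name in sorted(recipients.items()):
        # Rule 1: make every recipient outside the organisation visible.
        if addr.rpartition("@")[2] not in internal:
            findings.append(("external", addr))
        # Rule 2: someone new is about to see the whole existing thread.
        if known and addr not in known:
            findings.append(("new-to-thread", addr))
            # Auto-completion trap: a familiar name resolved to another address.
            if name in known_names:
                findings.append(("same-name-different-address", addr))
    return findings


# Constructed sample: a reply where auto-completion picked the wrong "Pat Lee".
THREAD = ["Pat Lee <pat.lee@corp.example>", "Sam Roy <sam.roy@corp.example>"]
DRAFT_TO = "Pat Lee <pat.lee@partner.example>, Sam Roy <sam.roy@corp.example>"
DRAFT_CC = "Alex Kim <alex.kim@corp.example>"

if __name__ == "__main__":
    for reason, addr in review_recipients(DRAFT_TO, DRAFT_CC, thread=THREAD):
        print(f"{reason:30} {addr}")
```

A mail client add-in or outbound gateway would show these findings as a confirmation prompt or a colour change rather than blocking the message outright.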
