Information security has gotten a reputation as the “Department of No,” the place where new ideas go to die. This is especially problematic in a higher ed environment, where exploration is a central purpose. What if there were a way to protect our users, our systems, and our data without squelching innovation?
When your job requires “breaking the rules” of security
Security practitioners, on the whole, are very fond of lists of best practices that presume an ideal set of circumstances unlikely to be present in real-life university and college environments. There’s always that one machine that requires legacy software so that a specialized tool can be used, or the user who simply must be allowed to access things that make security folks want to scream in horror.
One of the most common pieces of security advice is “Don’t click on unsolicited or suspicious attachments.” But what if receiving unexpected files is actually a necessary part of what you do? Students as well as staff face this situation, and criminals are actively taking advantage of this necessity to spread their creations. Even expected files or links can still expose us to digital hazards such as macro virus infections or malvertisements.
Do what the malware analysts do
Rather than shut everyone down by fiat or throw up your hands in resignation, let us consider the example of malware analysts, whose job is to wade through a never-ending sea of files that are very likely to be harmful or malicious. And yet, malware analysts can do this safely.
While it might be an ego boost to say this is just because we’re such a professional and skillful bunch, the reality is that it’s also because we have tools in place that protect us from accidents and mistakes. It’s crucial to have understanding as well as effective layers of defense.
Here are two very important steps to take to help your colleagues act like malware analysts.
1. Start with education.
The first step in setting users up for success is to make sure they are receiving a thorough and ongoing education about what constitutes safer behavior. Start with simple, positive instructions and move to more complex information, so that users are not overwhelmed and feel empowered to take protective actions.
When educating people about how to do something new or potentially confusing, it’s a good idea to tell them what they should do to be successful, rather than what they should not do. For example, if you’re teaching someone to cross the street, it’s better to use statements that positively describe safe action, like “Look both ways before crossing.” This is much clearer than saying “Don’t run into traffic.”
Positive instructions give clear, explicit directions; they do not force listeners to figure out which action to take instead. If people are not experts, they may guess incorrectly and develop unsafe habits.
A group led by the National Cyber Security Alliance and the APWG has created a list of simple, memorable security slogans that educators can use, such as: “Keep a clean machine,” “Share with care,” and “Lock down your login.” These phrases are not intended to fully explain safer behavior, but to provide sticky ways for people to recall a more robust set of instructions.
After introducing these basic security concepts, you can move to more complex and nuanced instructions, including information on what to do if and when they run into situations that preclude the prescribed safer behavior or what to do if accidents occur. Once users understand this, you can begin to introduce them to specialized tools.
2. Use our expertise to enable exploration.
Let’s take a deeper look at the example of what users should do if they get an unsolicited or suspicious attachment or link. Security software is an important level of defense, but it should not be the only protection. Even if a file is scanned without triggering an alert, it may still be wise to approach it with a degree of caution.
If a user finds a suspicious file or message, they should delete it without opening it and/or report it to an appropriate person for further examination. They could also contact the sender to ascertain what the file or link is, and whether it was sent intentionally. If they have too many suspicious files for these extra steps to be practical, they could be given a more protected environment, like the one a malware analyst uses, to inspect them safely.
Malware analysts use a physical or virtual “sacrificial goat” machine that’s totally separated from the rest of the network, or from the Internet at large if that’s appropriate, which they can quickly re-image to a clean state when they’re done. If this is not feasible, you may wish to create separation in your network so that if a security event occurs in one area, it can’t spread to your entire network. You can also create profiles that authorize more lenient permissions for students and staff who need to explore, while locking down more sensitive groups such as payroll, administration, or healthcare.
There are ways to train even the most inexperienced individuals to pilot their way through a high-risk and complex scenario. While it may initially involve more work from security practitioners, helping users explore safely can go a long way towards developing long-lasting and durable trust.