Co-authored by Quinn North, Senior Incident Response Analyst, IBM Security.

The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines.

Unfortunately, despite significant efforts, end user security issues continue to stymie even the most well-funded and resourceful security teams. Even with end user training, new hire training, annual security certifications and periodic emails from exasperated security teams pleading with staff to think twice before clicking on a link, end users continue to introduce and foment risk within an environment.

It’s safe to assume that most end users have good intentions and are not actively trying to open the doors for the bad guys. So why does the end user continue to be the weakest link? Perhaps we need to adjust how we interact with end users.

Introducing the Feedback Loop

A feedback loop consists of four unique stages:

  1. Capturing or measuring a behavior;
  2. Conveying information to the end user in a manner that is easy to understand;
  3. Conveying the direct consequence of the behavior; and
  4. Recapturing or remeasuring the behavior.

One method to illustrate the feedback loop in the information security realm is via spear phishing exercises. These are exercises sanctioned and conducted by the organization to identify users that are prone to clicking on malicious links. Spear phishing training exercises are an excellent method to correct unwanted end user behavior.

Feedback Loop in Action

To walk a spear phishing exercise through the feedback loop, an end user first clicks on a link in a simulated spear phishing email that, ideally, should have been recognized as malicious. That click is the captured behavior, so the first step in the feedback loop has been satisfied.

As soon as possible after the user clicks on the link, the individual should be educated on what happened and how to avoid the same mistake in the future, per the second step.

The third step is informing users of the consequences of their actions. This should be done both from an information security aspect (i.e., what the ramifications were to the state of security within the organization) and from a human resources perspective. No one is advocating formal disciplinary actions over clicking on a link in a test. However, repeat and frequent occurrences may warrant additional attention.

Finally, the fourth step, retesting participants, is necessary to ensure they have learned from the affair and the unwanted behavior has been corrected.

Driving End User Security Awareness

While the basic steps of the feedback loop are equally important, attention must be given to their temporal spacing. If it takes three months to notify users of their unwanted behavior, the ability to learn from that behavior is diminished. The tighter the feedback loop is closed, the more likely the end user behavior will be adjusted.
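The four stages above only work if each one is actually measured, including the delay between the click and the lesson that follows it. The following Python example is added here and is not code from the original article or from IBM; it assumes a hypothetical simulation platform that logs one line per event in the form `timestamp campaign user event` (with events `sent`, `clicked` and `educated`), and the user names, campaign ids and log lines below are constructed for illustration. It computes the stage 2 latency for every click, flags clicks whose lesson came too late, lists repeat clickers who may warrant follow-up (stage 3), and reports who stopped clicking on the retest (stage 4).

```python
"""Measure the four stages of the spear phishing feedback loop from campaign logs.

Stage 1 (capture):   'sent' and 'clicked' events recorded by the simulation platform.
Stage 2 (convey):    'educated' event when the user received the just-in-time lesson.
Stage 3 (consequence): users who clicked in several campaigns are surfaced for follow-up.
Stage 4 (remeasure): a later campaign records whether the same user clicked again.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical users and campaign ids, not real data).
# Note that bob's lesson for camp-1 arrives more than two months after his click.
SAMPLE_LOG = """\
2024-03-04T09:00:00 camp-1 alice sent
2024-03-04T09:10:00 camp-1 alice clicked
2024-03-04T09:12:00 camp-1 alice educated
2024-03-04T09:00:00 camp-1 bob sent
2024-03-04T09:30:00 camp-1 bob clicked
2024-05-20T14:00:00 camp-1 bob educated
2024-03-04T09:00:00 camp-1 carol sent
2024-04-15T09:00:00 camp-2 alice sent
2024-04-15T09:00:00 camp-2 bob sent
2024-04-15T10:05:00 camp-2 bob clicked
2024-04-15T10:06:00 camp-2 bob educated
2024-04-15T09:00:00 camp-2 carol sent
2024-04-15T09:40:00 camp-2 carol clicked
2024-04-15T09:41:00 camp-2 carol educated
"""


def parse_log(text):
    """Parse 'timestamp campaign user event' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, campaign, user, event = parts
        events.append({"ts": datetime.fromisoformat(ts), "campaign": campaign,
                       "user": user, "event": event})
    return events


def feedback_latency(events):
    """Stage 2 timing: minutes from the first click to the lesson, per (user, campaign).

    The value is None when a click was never followed by an 'educated' event.
    """
    clicks, lessons = {}, {}
    for e in events:
        key = (e["user"], e["campaign"])
        if e["event"] == "clicked" and key not in clicks:
            clicks[key] = e["ts"]
        elif e["event"] == "educated":
            lessons[key] = e["ts"]
    return {key: ((lessons[key] - when).total_seconds() / 60 if key in lessons else None)
            for key, when in clicks.items()}


def overdue_feedback(events, max_minutes=24 * 60):
    """Stage 2 check: clicks whose lesson arrived later than max_minutes, or never."""
    return sorted(key for key, minutes in feedback_latency(events).items()
                  if minutes is None or minutes > max_minutes)


def campaign_outcomes(events):
    """Stages 1 and 4: per user, the campaigns they received in send order with a click flag."""
    sent = defaultdict(dict)      # user -> campaign -> sent timestamp
    clicked = defaultdict(set)    # user -> campaigns with at least one click
    for e in events:
        if e["event"] == "sent":
            sent[e["user"]][e["campaign"]] = e["ts"]
        elif e["event"] == "clicked":
            clicked[e["user"]].add(e["campaign"])
    return {user: [(c, c in clicked[user]) for c in sorted(campaigns, key=campaigns.get)]
            for user, campaigns in sent.items()}


def repeat_clickers(events, min_clicks=2):
    """Stage 3: users who clicked in at least min_clicks campaigns and may need follow-up."""
    return sorted(user for user, outcomes in campaign_outcomes(events).items()
                  if sum(1 for _, hit in outcomes if hit) >= min_clicks)


def improved_users(events):
    """Stage 4: users who clicked in an earlier campaign but not on the most recent retest."""
    return sorted(user for user, outcomes in campaign_outcomes(events).items()
                  if len(outcomes) >= 2 and any(hit for _, hit in outcomes[:-1])
                  and not outcomes[-1][1])


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("latency (min):", feedback_latency(ev))
    print("overdue feedback:", overdue_feedback(ev))
    print("repeat clickers:", repeat_clickers(ev))
    print("improved on retest:", improved_users(ev))
```

Running it on the constructed log shows the point of the temporal spacing section: alice was educated two minutes after her click and did not click on the retest, while bob, whose lesson arrived more than two months late, clicked again in the next campaign. The `max_minutes` threshold in `overdue_feedback` is the knob a program owner would tune to whatever "as soon as possible" means for their organization.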

While the example above focuses specifically on spear phishing, the feedback loop can be applied to a variety of other user practices, such as unwanted web browsing, the installation of unapproved software packages and so on.

Teaching end user security can significantly drive awareness. It is potentially a powerful and effective force multiplier to your security posture. When incident response teams respond to computer security emergency events, a lack of end user security awareness is too often the root cause.
