
Are IT Professionals Training Our Users to be Phished?

May 23, 2019 | Mark Miller

We make a point of teaching our users security awareness at least once a year. But what we aren’t thinking about is how many times a day we may be inadvertently teaching those same users to be phished. Before I go into how (and why) we might be doing our users this disservice, let me give you a little background on how we arrived at this particular juncture.


Many of us in IT started as just the computer person. In the beginning, we just needed to help people log on with their credentials, fix hardware drivers for them and make their pie charts green. Soon, we moved from being IT generalists into the bigger and much more complex role of security experts. The next thing we knew, we were challenged to protect not only the perimeter but also each unique endpoint.


Then, endpoints started getting pretty jinky. With BYOD and cloud, users connect from a variety of machines, from anywhere, to anything, on any network. With Zero Trust applied from the outside of our networks to the inside, we have found that we can no longer trust the perimeter to keep devices safe. In other words, we are now challenged to determine how to trust each device we are asked to interact with. Luckily, we still have the Root of Trust and Web of Trust models to help us identify these different actors on our networks.


We use X.509 certificates with the SSL/TLS protocols, and SSH keys, to establish the identity of these many interconnecting machines. To accommodate this shift, many of us, myself included, have had to evolve from being just the computer guy to being experts in protecting machine identities. In fact, given the explosive growth in the number of machines our organizations rely on, we are all speeding down the road from generic computer work toward very specific, high-value machine identity protection.


Machines do a great job with trust. It is a binary answer: I trust you and will do business with you, or I don’t trust you and communication stops. With humans, it’s not so easy. When accessing a variety of web pages in a variety of browsers over a variety of Wi-Fi networks, there are just too many variables for humans to establish trust effectively. And we may be inadvertently exacerbating their inability to decide what to trust. Every time we create a situation where they are allowed to click through a security warning, we are essentially training these users how to be phished. How are you training users to be phished?


  1. Users have a job to do and they need to connect to something specific to get it done.
  2. Every time they attempt to connect to something where the trust on a certificate is broken, we prompt them with an error. We issue certificate warnings for security events such as:
  • Expired certificates
  • Domain name mismatch
  • Certificate chaining issues
  • Key strength errors
  • …and more!
  3. Each time a person interacts with a certificate error, we are reinforcing their likelihood of being phished.
  4. Even though they are not machine identity experts, they still have a job to do, so they are going to click past that error and accept the risks. Here are some of the riskier places where we commonly see certificate warnings:
  • Hotels
  • Restaurants
  • Airplanes
  • Internal networked resources
  5. Users generally skip over these errors because the warnings seem harmless at best (or indecipherable at worst). And they are rewarded by getting to their resources successfully.
  6. Congratulations: your users now treat certificate warnings as a nuisance and are more likely to click past a dangerous one, where they will enter their domain credentials and hand them straight to a bad guy.
  7. This is our fault for training users to just click past these warnings.


Some browsers, such as Chrome, are fixing this by not allowing users to choose to accept the warnings. They simply reject the connection. But there are a lot of browsers and applications that do not. We should treat each certificate error as a service failure and, worse, as a lesson that teaches our users to be phished. Better yet, we should avoid these errors in the first place.
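The four warning causes listed above (expired certificate, name mismatch, chain problem, weak key) can all be caught by the operator before a user ever sees a dialog. What follows is an added example, not code from this post or from Venafi: a Go program that constructs an internal root CA and five demonstration certificates (constructed for the example, not real ones), one per failure mode, and runs the same checks a browser runs before it decides to warn. The host name `intranet.example.com`, the 2048-bit RSA floor and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Finding string // one reason a browser would interrupt a user with a warning

const (
	FindingExpired      Finding = "expired"
	FindingNameMismatch Finding = "name-mismatch"
	FindingChain        Finding = "chain"
	FindingWeakKey      Finding = "weak-key"
	MinRSABits                  = 2048                   // assumed policy floor; 2048 is the CA/Browser Forum minimum
	Host                        = "intranet.example.com" // constructed name of the internal resource users open
)

// LintCert applies the checks a browser makes before it warns: validity window, host
// name, chain to a trusted root and key strength. Run from monitoring, it reports to the operator.
func LintCert(cert *x509.Certificate, host string, roots *x509.CertPool, now time.Time) []Finding {
	var out []Finding
	if now.After(cert.NotAfter) || now.Before(cert.NotBefore) {
		out = append(out, FindingExpired)
	}
	if err := cert.VerifyHostname(host); err != nil {
		out = append(out, FindingNameMismatch)
	}
	// Chain is built at the midpoint of the leaf's own window, so a lapsed cert is reported once, as expired.
	mid := cert.NotBefore.Add(cert.NotAfter.Sub(cert.NotBefore) / 2)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: mid}); err != nil {
		out = append(out, FindingChain)
	}
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < MinRSABits {
		out = append(out, FindingWeakKey)
	}
	return out
}

type Scenario struct { // constructed certificates (not real ones), one per warning in the post
	Roots                                     *x509.CertPool
	Good, Expired, WrongName, Untrusted, Weak *x509.Certificate
	Now                                       time.Time
}

func must[T any](v T, err error) T { // abort the demo on environment failures (rand, DER encoding)
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildScenario creates an internal root CA plus one leaf certificate per failure mode.
func BuildScenario() *Scenario {
	now, day := time.Now(), 24*time.Hour
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	weakKey := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately below MinRSABits
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-5 * 365 * day), NotAfter: now.Add(10 * 365 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	s := &Scenario{Roots: x509.NewCertPool(), Now: now}
	s.Roots.AddCert(root)
	leaf := func(serial int64, name string, issuedDaysAgo int) *x509.Certificate { // 90-day lifetime
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
			NotBefore: now.Add(-time.Duration(issuedDaysAgo) * day), NotAfter: now.Add(time.Duration(90-issuedDaysAgo) * day),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	s.Good = issue(leaf(2, Host, 1), root, &leafKey.PublicKey, rootKey)
	s.Expired = issue(leaf(3, Host, 100), root, &leafKey.PublicKey, rootKey)
	s.WrongName = issue(leaf(4, "intranet.example.net", 1), root, &leafKey.PublicKey, rootKey)
	s.Weak = issue(leaf(5, Host, 1), root, &weakKey.PublicKey, rootKey)
	self := leaf(6, Host, 1) // self-signed and absent from the trust store: the hotel portal or ad-hoc internal host
	s.Untrusted = issue(self, self, &leafKey.PublicKey, leafKey)
	return s
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Good, s.Expired, s.WrongName, s.Untrusted, s.Weak} {
		fmt.Println(c.SerialNumber, c.Subject.CommonName, LintCert(c, Host, s.Roots, s.Now))
	}
}
```

Pointed at the certificates your own endpoints actually serve (fetched with `tls.Dial` or taken from your certificate inventory) instead of the constructed ones, `LintCert` turns each would-be browser warning into a monitoring alert, which is the "avoid these errors in the first place" half of the argument above.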

About the author

Mark Miller

Mark Miller writes for Venafi's blog and is an expert in machine identity protection.
