Just Don't Open Attachments

Recently The Register covered a PWC report (pdf) on a ransomware attack on Ireland's health system. The attack, as attacks frequently do, started with a user opening an attachment.

One of the annoying "solutions" offered in The Register's comment section was "Don't open any attachments" with lots of contempt offered for the poor user who had opened the attachment.

This annoys me for its naivety.

"Don't open attachments" might be useful advice for a home user without any friends, but in the real world it is up there with "don't breathe in" (for tackling polluted air) and "don't eat calories" (for losing weight).

Many people have no choice but to open attachments. Are you going to ignore purchase orders or RFPs because they are attachments? Ignore invoices from suppliers? Discard resumes from prospective employees?

And what if the mail appears to be internal? Are you going to delete the spreadsheet from your boss or open it? The resume from HR asking for feedback? The updated test report from engineering?

So why the blame for the person who opened an attachment? It's like blaming an anti-aircraft gunner for missing one enemy aircraft in a mass bomber attack. Actually that analogy makes it sound too easy. It's like blaming an anti-aircraft gunner who is expected to both let hundreds of friendly aircraft through, and shoot down the one or two enemy aircraft painted with friendly markings hidden amongst them.

If you talk to penetration testers, the commonly held view is that with a targeted attack they can always get someone in an organization to click on a link or open an attachment. It's just unreasonable to expect anything else. Staff can't be that perfect at distinguishing the good from the evil. Defense in depth is the only viable strategy, and the first line of defense should not be singled out for blame if it doesn't always hold.