- Principia Raid
Ignore Bad VPN User Experience At Your Peril
It shouldn't be a surprise to any reader that social engineering was involved in the recent Twitter compromise. Fakery, fraud, and impersonation are go-to methods for criminals seeking to compromise an entity's systems, after all. What is interesting, though, is the phenomenon that made the attack possible: bad User Experience (UX). The criminals were able to prey on the low expectations of Twitter employees to extract the credentials and other details that allowed the compromise.
As working from home has become a way of life, many end users have had to learn to use (and wrestle with!) corporate Virtual Private Networks (VPNs). A VPN builds an encrypted, authenticated tunnel across an existing public network, like the Internet, so that traffic between a user's computer and corporate systems is shielded from everyone else on the path. (Imagine VPNs as transatlantic telecom cables securely traversing the shark-infested ocean of the Internet. A strained metaphor, to be sure, but hopefully you get the idea.)
A good VPN is almost imperceptible to the user. Ideally it connects automatically, and the end user doesn't have to take additional steps to reach it. A secure design might not even allow connections to corporate infrastructure via anything but the VPN, so there is no "off-VPN" path for an attacker to use and no extra decision for the user to make. This is easier said than done: as any practitioner (and end user!) can tell you, VPNs can be finicky and require constant care and feeding. Finicky or not, VPNs are a critical and necessary step to safely and securely conducting business over the Internet.
Which brings us to the compromise at hand. It turns out that Twitter folk are just like the rest of us! They struggle with their corporate infrastructure and problematic VPNs too. So much so, in fact, that calls to the IT help desk were a way of life. (Sound familiar?) This interaction became so routine that when criminals called posing as the Twitter help desk, employees were happy to provide any assistance they could. The account credentials and other information that employees provided during these calls enabled the criminals to access the Twitter network.
Take note: the compromise was not directly facilitated by a faulty or misconfigured VPN. The end users had simply endured a notably cantankerous VPN for so long that getting a call from the help desk made sense to them. The employees were actually trying to help by troubleshooting the issue on the phone with the "help desk". Now, help desk folk are the unsung heroes of the IT world. However, they are usually significantly overburdened, so an unsolicited call from the help desk should be something that makes any employee's Spidey sense tingle. The safe response is simple and worth drilling: hang up, call the help desk back on the number published internally, and remember that a real help desk will never ask you to read out a password or a one-time code. Folk have to do their work, though, even if that means ignoring some blaring security warning signs.
Which brings us to the point. A bad UX can have many unexpected consequences. One of them is simply what I would call Clock-in Fatigue. Fighting the system just to log in on a daily basis will force your end users into a state where their desire to get the job done drowns out their little inner security voice. This should set off alarms in IT management for two reasons. One: you (hopefully!) recognize the dangers of employees switching off their critical thinking and going on security autopilot, because an employee on autopilot will treat an attacker's "help desk" call exactly like the real thing. And, arguably more importantly, two: IT should be a facilitator, not a blocker. If you're hearing that tired sigh of resignation from users, take note! If the plaintive cries of the end user, like "I can't get on the VPN", "Is the VPN down again?", and the ever popular "I just can't log on", are becoming routine, IT management should wake up. That's your warning siren. Fix that UX. Engage the vendor. Explore alternatives. Review the reasons for some of your policies. Reach out to the end users!
As the great designer Frank Chimero has observed: people ignore designs that ignore people. Your end users deserve better than shrugged shoulders, and it is IT management's job to make sure they get the UX they need. If fixing UX issues for the sake of your end users isn't enough motivation (shame on you!), think on this: you know who else is having the same problems at the end of the day? The C-suite.