Osterman Research Blog


Why Common Sense Needs to be the First Layer of Security
March 8, 2012, 1:55 am
Filed under: Uncategorized

The best protection against malware, spam, hacker attacks, policy violations and other threats is a layered set of defenses in which software, services, hardware and policies protect data and other assets at the network, system and application levels.  However, an obvious but often-forgotten layer in that stack is the common sense of your users.  It is one of the layers that decides whether a threat ever gains a foothold, because most of the attacks below are delivered as a request for a user to do something: open an attachment, click a link, answer a question.  For example:

  • Social media tools are a great way for users to share information, and an equally great way for a spearphisher or whaler to research a target.  For example, as I write this I am looking at the Facebook page of someone with whom I am not connected.  I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a dog named Lou, is a member of the Agent Leadership Council at a southern California realty organization, goes ice skating, lives in Thousand Oaks, speaks French, and took a trip to Orlando on February 11th.
  • If I were a bad guy intent on sending her a spearphishing email, perhaps to infect her PC with Zeus, I could use this information to craft a message she would be likely to open: an email with the subject line “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or a LinkedIn invitation that includes personal details.  Each of these is plausible precisely because it is built from facts she published herself.  This is not to say that this Facebook user lacks common sense, but the information she has posted could be used against her and needs to be evaluated in that light.  The same details (a pet’s name, a birthday, the street of a listing) are also the raw material for guessing passwords and password-reset answers.
  • Spam filtering technology is effective at blocking emails that contain links to malware sources (some filters more so than others), but it only helps if users respect its verdict.  The RSA breach of March 2011, in which a small number of employees received an email with an Excel attachment carrying an embedded Flash exploit, began with spearphishing emails that the filter had correctly moved to the junk folder; an employee retrieved one from there and opened the attachment.  A quarantine that users can release messages from on their own is only as strong as their judgment.
  • A spearphishing email sent to the Oak Ridge National Laboratory in April 2011 was received by 530 employees, 11% of whom clicked on the malicious link it contained.  When the link leads to an exploit, one click is enough to start an infection.
  • Many users are not sufficiently skeptical when asked for information.  For example, before the April 2011 royal wedding of Prince William and Kate Middleton, a Facebook scam asked respondents to create their “royal wedding guest name” from one grandparent’s name, the name of their first pet, and the name of the street on which they grew up.  All three are typical answers to the security questions asked when resetting a password, so a harmless-looking game harvests password-reset answers.
  • A study by Trusteer found that 73% of Web users employ the same online banking password that they use at other Web sites, so a breach of any one of those sites exposes the bank account as well.
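A worked illustration of the first, fourth and fifth points above, added here as an example and not code from the original post: the public facts on a profile, turned into the guess list an attacker would run against passwords and password-reset answers.  The profile is constructed (the dog’s name, birthday, street and city follow the post’s example; the first name and grandparent are assumed), and the suffix and leet-speak rules are a deliberately small subset of what a real profile-based wordlist generator would apply.

```python
"""Turn the public facts a spearphisher can read off a profile into the
guess list an attacker would try against passwords and security questions.
Added example, not code from the original post.  Profile values are
constructed; the pet, birthday, street and city follow the post's example.
"""
import itertools

# Constructed sample profile, modelled on the post's Facebook example.
PROFILE = {
    "first_name": "Jane",          # assumed, not in the post
    "pet": "Lou",                  # from the post
    "street": "Noble",             # street of the listing in the post
    "birthday": (1, 26),           # (month, day) from the post; no year given
    "grandparent": "Harold",       # assumed, not in the post
    "hobby": "ice skating",        # from the post
    "city": "Thousand Oaks",       # from the post
}

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
LEET = str.maketrans("aeios", "43105")          # minimal leet-speak table
SUFFIXES = ["1", "12", "123", "!", "2010", "2011", "2012"]


def normalise(text):
    """Lower-case and strip everything but letters and digits, so
    'Lou_2011!' and 'lou2011' compare equal."""
    return "".join(ch for ch in text if ch.isalnum()).lower()


def profile_tokens(profile):
    """Single words and date fragments an attacker would lift from a profile."""
    tokens = set()
    for key, value in profile.items():
        if key == "birthday":
            month, day = value
            tokens.update({f"{month:02d}{day:02d}", f"{month}{day}",
                           f"{day:02d}{month:02d}", f"{day}",
                           f"{MONTHS[month - 1]}{day}"})
        else:
            tokens.update(str(value).split())
    return tokens


def build_guesses(profile, suffixes=SUFFIXES):
    """Candidate secrets: each token with leet variants and common suffixes,
    plus every ordered pair of tokens joined together (pet+street etc.)."""
    base = profile_tokens(profile)
    guesses = set()
    for word in base:
        for variant in {word.lower(), word.lower().translate(LEET)}:
            guesses.add(variant)
            guesses.update(variant + s for s in suffixes)
    for a, b in itertools.permutations(base, 2):
        guesses.add(a + b)
    return {normalise(g) for g in guesses}


def is_profile_derived(secret, profile):
    """True if a password or reset answer is in the profile-derived guess list."""
    return normalise(secret) in build_guesses(profile)


def exposed_security_answers(answers, profile):
    """Return the security-question answers that appear verbatim in the
    public profile, i.e. the 'royal wedding guest name' fields."""
    public = {normalise(t) for t in profile_tokens(profile)}
    return {q: a for q, a in answers.items() if normalise(a) in public}


if __name__ == "__main__":
    guesses = build_guesses(PROFILE)
    print(f"{len(guesses)} guesses from {len(profile_tokens(PROFILE))} public facts")
    for candidate in ["Lou2011", "L0u!", "LouNoble", "0126",
                      "correct horse battery staple"]:
        verdict = "derivable" if is_profile_derived(candidate, PROFILE) else "not in list"
        print(f"{candidate!r}: {verdict}")
    answers = {"first pet": "Lou", "street you grew up on": "Noble",
               "grandparent": "Harold", "favourite teacher": "Mrs Okafor"}
    print("exposed answers:", exposed_security_answers(answers, PROFILE))
```

Run stand-alone, the script reports which of the sample candidates fall inside the guess list built from a handful of profile fields.  The defender’s half of the example is `exposed_security_answers`: any password-reset answer that appears verbatim in a public profile is not a secret, whatever the password policy says.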

The bottom line is that common sense exercised in the normal course of using corporate systems, mixed with a bit of skepticism, needs to be the initial line of defense for systems, financial accounts, sensitive data and other assets.  Without it, technology is less effective and organizations are at greater risk.


1 Comment so far

Excellent article, Michael.
Click on a link, fill in the fun GUI on Facebook, leave your computer open, use your dog’s name as your password for your online banking…it all ends up in the end that many people just trust too much.

Comment by Melissa Hastings (@frauleinmelissa)
