Click Here!
If you just found yourself staring at the front page of my employer, you realize how easy social engineering is. A simple
suggestion to "click here" and many users will happily comply, taking them to who-knows-where with who-knows-what
results. Preventing users from doing dumb things always has been, certainly is now, and will most likely for all eternity be the
biggest challenge for an IT team.
Computers have been adopted into every facet of everyday life, and while very basic user
skills such as using a mouse (foot pedal?) and operating a CD-ROM drive (cup holder?) seem to be catching on, sadly other basic
ideas such as "don't click on unknown links" and "don't open unexpected attachments" are sorely missing from the vast majority of
today's computer user base. In fact, many otherwise apparently savvy users will do incredibly dumb things with very little
coaxing. A former coworker of mine at an e-mail software company infected our entire network with an e-mail virus from
Hotmail, not once, but twice in the same day!
To make matters worse, malicious senders try their hardest to come up with enticing reasons to get people to ignore common sense,
such as "click here to see pictures of famous people naked", "download the latest operating system patch immediately to protect
yourself", or "help me make a large money transaction and you can share a piece of the spoils". What can be done to protect
people from themselves? First of all, a good employee training program is essential. When a new employee shows up,
they sit down with HR and go over the benefits package, the employee handbook, the dress code, and the code of conduct, but what
about IT training? The next thing you know, Joe Newguy is sitting at a desk with a computer that he may or may not know how
to operate, and usually he has to rely on fellow employees who are only slightly more clued-in to tell him how to use it. Nowhere
in the above is he told the do's and don'ts of how to use this dangerous tool.
IT and security training should be part of the standard orientation for any new employee. Even employees who won't be using computers (if such a position exists any
more) should be given the company security policy on how to handle confidential information, who they may let in the building,
etc. Naturally, part of this security policy should include best practices for how to use e-mail and the Web (see my list of DOs and DON'Ts in the Spam section).
Also, if you are creating such a policy for your company, consider writing in penalties for policy violations. Certainly there are
penalties for failing to follow sexual harassment guidelines, and infecting your company's network with a lethal virus could
potentially be even more damaging than a costly and embarrassing employee lawsuit. Consult with HR and legal for ideas on how
to include penalties for violations. Typically these departments are skilled in such matters, and they'll probably come up
with something slightly more business-appropriate than "users found to be opening attachments will be hung by their toenails and
pummeled with staplers", which is what you're probably inclined to write after the third virus outbreak in a week.
Finally, an effective anti-spam/anti-virus/anti-spoofing/content-filtering solution can drastically cut down on the number of
social engineering attempts that enter your network through e-mail. Many social engineering attacks are sent in bulk, which
lets them be identified as spam. Many other social engineering messages carry worms, which are often caught by anti-virus
engines. Another characteristic of a lot of SE messages is a spoofed origin: the envelope sender claims a domain whose mail
never comes from the connecting server, and a technology like SPF (a DNS record listing the hosts allowed to send for a domain)
can flag that mismatch. And some things you just know aren't right, like messages about large sums of money that come from
obscure African nations. Crafty content filtering rules can help you out there, especially with a commercial solution, since many of them
offer specific dictionaries that target common scams.
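To make the layered filtering concrete, here is a small example I have added to this page (it is not code from any product, nor from the original article) showing the three gateway checks in one place: an SPF evaluation, a scam-phrase dictionary, and an executable-attachment rule. Everything in it is constructed for illustration: the SPF records live in a static table standing in for DNS TXT lookups so the script runs offline, the SPF evaluator only understands the `ip4`, `ip6` and `all` mechanisms (no `include`, `a` or `mx`), the scam dictionary is the handful of phrases quoted above, and the three sample messages and IP addresses are made up. The function names `check_spf` and `scan_message` are mine.

```python
"""Toy mail-gateway checks: SPF evaluation against a constructed DNS table,
a scam-phrase dictionary, and an executable-attachment rule.

Example code added to this article (assumptions: static SPF table instead of
DNS, only ip4/ip6/all mechanisms, a tiny hand-written phrase dictionary).
"""
import email
import ipaddress
from email import policy

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# A real gateway resolves the sender domain's TXT record at delivery time.
FAKE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "bank.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Tiny constructed dictionary built from the lures quoted in the article.
# Commercial filters ship far larger, regularly updated ones.
SCAM_PHRASES = (
    "pictures of famous people naked",
    "download the latest operating system patch immediately",
    "large money transaction",
    "share a piece of the spoils",
)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


def check_spf(sender_domain, client_ip, records=FAKE_SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none.
    """
    record = records.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no policy published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"          # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv6 client never matches an ip4 network (and vice versa).
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"             # record exhausted without a match


def scan_message(raw, mail_from_domain, client_ip):
    """Run all three checks and return a findings dict with a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    findings = {
        "spf": check_spf(mail_from_domain, client_ip),
        "phrases": [p for p in SCAM_PHRASES if p in text],
        "executables": [
            part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(EXECUTABLE_EXTENSIONS)
        ],
    }
    suspicious = (findings["spf"] in ("fail", "softfail")
                  or findings["phrases"] or findings["executables"])
    findings["verdict"] = "hold" if suspicious else "deliver"
    return findings


# Constructed sample traffic (not real mail). The fake patch comes from a
# permitted server but carries an executable; the 419 lure claims a bank
# domain from an IP the bank never publishes.
PATCH_SCAM = """\
From: "Security Team" <updates@example.com>
To: joe.newguy@corp.example
Subject: Critical update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download the latest operating system patch immediately to protect yourself.
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

MONEY_SCAM = """\
From: "Dr. Smith" <smith@bank.example>
To: joe.newguy@corp.example
Subject: Urgent business proposal
Content-Type: text/plain

Help me make a large money transaction and you can share a piece of the spoils.
"""

LEGIT = """\
From: boss@example.com
To: joe.newguy@corp.example
Subject: Lunch
Content-Type: text/plain

Meeting at noon in the cafeteria.
"""

if __name__ == "__main__":
    print(scan_message(PATCH_SCAM, "example.com", "192.0.2.5"))
    print(scan_message(MONEY_SCAM, "bank.example", "203.0.113.7"))
    print(scan_message(LEGIT, "example.com", "192.0.2.5"))
```

Note what the three samples demonstrate together: the fake patch passes SPF (it really did come from a host example.com authorizes) and is caught only by the attachment rule, while the money lure fails SPF and also trips the dictionary. No single layer catches both, which is why the article recommends stacking them.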
This site © copyright 2003-2011 Brian Keefer. Unauthorized republication is forbidden.