Good article , but not surprising. "This human element is perhaps the most perplexing to guard against." Sadly , it is the same old story . By far the biggest security threat is the one sitting in front of the machine. I always give clients the standard advice after fixing their systems ..... use an AV ( pay for it if it makes you feel better ) and make sure that it is running ( along with a firewall ) . Keep your system and apps updated , and read ,and think before clicking anything that mentions "Install" or " Download ". And do not login as Admin. This gets ignored more than anything else .... it is often taken to mean " You are not to be trusted with sharp knives ". It always reminds me of what the doctors say .... ... cut down on alcohol , tobacco and fatty foods , eat more fruit and veg ,and take more exercise. And like them , I feel certain that the advice is forgotten or ignored before the door closes. But looking on the bright side .... there would be a lot of broke doctors and computer techs if everybody acted on good advice
Which lead to things like this. http://www.tripwire.com/state-of-se...rminated-after-falling-for-w-2-phishing-scam/
Most notable from the Tripwire article: “If you fire every employee who clicks a Phish you will soon have no employees,” commented Cris Thomas, security expert and Strategist at Tenable, as quoted by Salted Hash. “While anti-Phishing training may reduce the number of incidents, it will never be 100-percent effective. It only takes one person to click, even by mistake. You need to assume that a Phish will succeed, that bad guys will get in. It’s what you do after the attack that matters.”
Sad thing about this is that in many cases, the environment set by the CEO creates the problem. There was an incident a while back where a financial officer got an email from the CEO, order her to transfer out several million dollars. Something didn't feel right about it so the officer queried the CEO and indeed the email was bogus. But this CEO created an environment where the financial officer felt free to challenge. In a lot of situations, the environment is one of fear and employee is to afraid to challenge the CEO. Bye bye money, but where does the fault lie.
File the article in "There is nothing new" box. The human element has been recognized for many years. Remember when Mac users were supposed to be invincible? In 2007 (nine years ago!), an isc.sans.org diary reported on the first Trojan for Mac in the wild: About a year later, Marco Giuliani wrote in a prevx.com blog, I'm not willing to say that there is no solution, but the prospects for a solution are not encouraging. ---- rich
