Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Why Cyber Security Starts At Home
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 3:49:37 PM
Re: Trying to do their part...
It's really important to get that message out..in a way that empowers people and not makes them feel intimidated or lectured to. It's a tricky balance...
User Rank: Ninja
11/17/2014 | 3:25:14 PM
Re: Trying to do their part...
I agree. I share information and provide some "IT advice" among my family and small circle of friends and encourage them to "spread the word", as it were. The tips aren't very technical, and mostly involve what we in the security community would call "common sense", at least so it may seem to those of us who are more informed than the lay person. I especially encourage people to talk to their children about safe computing practices, given the prevalence of connected technology and the availability of connected devices to the young. It certainly is a much different world than 20 years ago.
User Rank: Author
11/17/2014 | 1:52:34 PM
Re: Trying to do their part...

You make a great point, and I actually thought a bit about this in re-reading my article this morning. In light of the "DarkHotel" campaign, I read the patching advice where I said, "say yes to auto-updates," and thought that might help people fall for fake updates, like the Adobe flash one used in DarkHotel... granted, that attack actually also required a man-in-the-middle attack, but there are all kinds of other ways (hijacked websites) to pop up fake update windows. 

I don't think there is a perfect or easy answer for this, but I'd recommend two things. 1) If you don't have time to go into more specifics, I think the patching advice stands. I think the value of having more people fully patched would totally outweight the occasional user that falls for a fake update. Statistically, even if everyone said yes to updates, I think the result of patched systems would vastly outweigh the people that stumbled onto a fake one (but that is only a gut feel). 2) HOWEVER, if you have a bit more time, and the user is attentive, you could simply add a caveat to the advice, by sharing that they should beware that sometimes update mechanisms are faked. You could then share a few ways they might recognize a fake update mechnism, or rather train them that if they get an update poppup, not do say yes right away, but to close the pop-up, manually open the adobe update that you know you can trust, and then if it says updates are really ready, say yes to them there...

I don't know if this is a perfect answer, but I still want to shoot for more eductated consumers since I think it would make our jobs easier and our organizations more protected.

In any case, thanks for the comment. If you have any tips on having end users avoid fake update scams, be sure to share them. ^_^



Robert McDougal
Robert McDougal,
User Rank: Ninja
11/17/2014 | 1:33:44 PM
Trying to do their part...
I would like to hear other's opinion on this topic, but in my experience one of the ways most likely to catch an end user off guard is to pretend to be something good.  This could be a pop up claiming to be an AV update, or an email claiming your email account has run out of space.  People who work in IT can spot these things a mile away but that is because we are intimately familiar with the way it should look.  End-user's often are not aware what a Java, Flash or AV update is supposed to look like, so they often mistakenly install a virus or give out their credentials by attempting to do the right thing.
<<   <   Page 2 / 2

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-08-09
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to
PUBLISHED: 2022-08-09
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to
PUBLISHED: 2022-08-09
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to
PUBLISHED: 2022-08-09
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to
PUBLISHED: 2022-08-09
Improper Privilege Management in GitHub repository openemr/openemr prior to