Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Why Cyber Security Starts At Home
Threaded  |  Newest First  |  Oldest First
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
11/17/2014 | 1:33:44 PM
Trying to do their part...
I would like to hear other's opinion on this topic, but in my experience one of the ways most likely to catch an end user off guard is to pretend to be something good.  This could be a pop up claiming to be an AV update, or an email claiming your email account has run out of space.  People who work in IT can spot these things a mile away but that is because we are intimately familiar with the way it should look.  End-user's often are not aware what a Java, Flash or AV update is supposed to look like, so they often mistakenly install a virus or give out their credentials by attempting to do the right thing.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
11/17/2014 | 1:52:34 PM
Re: Trying to do their part...
Robert, 

You make a great point, and I actually thought a bit about this in re-reading my article this morning. In light of the "DarkHotel" campaign, I read the patching advice where I said, "say yes to auto-updates," and thought that might help people fall for fake updates, like the Adobe flash one used in DarkHotel... granted, that attack actually also required a man-in-the-middle attack, but there are all kinds of other ways (hijacked websites) to pop up fake update windows. 

I don't think there is a perfect or easy answer for this, but I'd recommend two things. 1) If you don't have time to go into more specifics, I think the patching advice stands. I think the value of having more people fully patched would totally outweight the occasional user that falls for a fake update. Statistically, even if everyone said yes to updates, I think the result of patched systems would vastly outweigh the people that stumbled onto a fake one (but that is only a gut feel). 2) HOWEVER, if you have a bit more time, and the user is attentive, you could simply add a caveat to the advice, by sharing that they should beware that sometimes update mechanisms are faked. You could then share a few ways they might recognize a fake update mechnism, or rather train them that if they get an update poppup, not do say yes right away, but to close the pop-up, manually open the adobe update that you know you can trust, and then if it says updates are really ready, say yes to them there...

I don't know if this is a perfect answer, but I still want to shoot for more eductated consumers since I think it would make our jobs easier and our organizations more protected.

In any case, thanks for the comment. If you have any tips on having end users avoid fake update scams, be sure to share them. ^_^

 

Cheers,

Corey
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
11/17/2014 | 3:25:14 PM
Re: Trying to do their part...
I agree. I share information and provide some "IT advice" among my family and small circle of friends and encourage them to "spread the word", as it were. The tips aren't very technical, and mostly involve what we in the security community would call "common sense", at least so it may seem to those of us who are more informed than the lay person. I especially encourage people to talk to their children about safe computing practices, given the prevalence of connected technology and the availability of connected devices to the young. It certainly is a much different world than 20 years ago.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 3:49:37 PM
Re: Trying to do their part...
It's really important to get that message out..in a way that empowers people and not makes them feel intimidated or lectured to. It's a tricky balance...
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
11/17/2014 | 5:29:03 PM
Re: Trying to do their part...
In my family, I make a point of talking about security issues, so the kids keep that in mind when they see similar scams. Awareness helps a lot.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
11/18/2014 | 11:40:38 AM
Re: Trying to do their part...
@Thomas It's funny that you mention that, I do the same for my wife and kids.  Although I think they get tired of hearing from me....
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
11/17/2014 | 5:45:13 PM
Retailer Responsibility
I definitely agree with your thesis here but I truly believe there are some folks out there who will never get, don't want to get it, and frankly shouldn't have to.  For that segment of society, I believe there needs to be more responsibility taken on by retailers of computing systems.  There has always been pressure on software and service providers to write more secure software.  Microsoft, Facebook, Apple – all regularly badgered when holes appear and regular folks get hurt as a result.  But on the retail end of things, there isn't much onus on BestBuy or CompUSA to keep its customers up-to-date on their purchases from the perspective of your three tips.  I think sending that guy who will never get security home with a PC and no support is like sending someone home with a gun and absolutely no training or follow-up licensing requirements, and then also handing them a bag of bullets.  An ecosystem of unsecured wireless networks and computers is exactly how some cyber criminals excel in what they do, having that many more hop spots or dark Internet corners to work from.  There securely written software, and then common sense and community self-support, but then there is that group that will never be secure if left on their own.  How do we make retailers of computing systems more accountable for the extended care of customers, and that they are contributing to the greater security of the Internet?  Should we?
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
11/18/2014 | 12:36:14 PM
Re: Retailer Responsibility
I only half agree with you. I totally agree that software vendors and system designers bear a huge responsibility and should focus more on secure design... but I still think the user needs to follow safe practices. Look at cars... manufacturers have responsibility (legal and ethical) to create safe vehicles... but an idiot driver can still crash despite all that. Which is why we require drivers to go through training and be responsible for their driving practices... Both the software vendors and the users bear some responsibility.
geriatric
50%
50%
geriatric,
User Rank: Moderator
11/18/2014 | 7:07:36 AM
Is it Time for Mandatory Infosec Training in Schools?
You make a great point about the computer actions/inactions of another impacting everyone. An analogy can be made to automobile drivers. You may be doing everything you're supposed to, and still get t-boned from a joker who doesn't pay attention.

A couple decades ago, I was working with a school district on their computing initiatives, and the subject of typewriter courses came up. They commented how irrelevant it was, and after discussion, we morphed it into keyboarding/basic computing. Point being, things change.

A great place to raise awareness and train future generations is in our schools. Like many other subjects, starting at the genesis of their experiences is the answer. Although computer illiteracy is not generational (my octogenarian mother is one of the most aware computer users I know), we have to make sure everyone who needs trained is getting it, and what better place than our educational institutions?

Start 'em young.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:16:09 AM
Re: Is it Time for Mandatory Infosec Training in Schools?
Yes it is time, @geriatric, in fact it is long overdue. But I think that  user security training has to be baked in to everyday classroom activities, just as computing is at home , at school and at work. Problem is that the typical classrom teacher has neither the time or knowledge to take on that role. Maybe it's something the infosec commuity should pick up as a public service...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
11/18/2014 | 10:59:25 AM
Re: Is it Time for Mandatory Infosec Training in Schools?
I have no problem with my tax money being used to educate school kids in the basics of infosec. I would even volunteer my time to help develop training material. It really is important to provide basic infosec training to as much of the general public as possible because as the article points out, any everyday person can become an unwitting conduit for spreading malicious activity. Even more importantly, the lack of cyber security awareness can be very dangerous for children, who are very likely to be involved in online activity.
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
11/18/2014 | 12:40:32 PM
Re: Is it Time for Mandatory Infosec Training in Schools?
I like the idea of the Infosec community helping... however, I do have a strong belief that the reason some training has failed is that users don't care, or can't "Get it," but because many of the technical folks I interact with aren't great teachers... They make assumptions about what people should know about their field, and judgements if other don't know certain things... For training to work, the training can't act like the snarky, know-it-all, cliche idea we have of the IT guy. I know many IT guys aren't that person, but I have seen enough cynical IT guys that would not make good teachers.

 
CNACHREINER981
50%
50%
CNACHREINER981,
User Rank: Author
11/18/2014 | 12:37:37 PM
Re: Is it Time for Mandatory Infosec Training in Schools?
Heh... Geriatric, sounds like we both like the car analogies... I was responding to charles before I saw you reply which uses the same car analogy I did! ^_^... Great minds...
sbynoe
50%
50%
sbynoe,
User Rank: Apprentice
10/12/2016 | 7:14:09 AM
reply
A very good post.


How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.