Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Why Security Awareness Alone Won't Stop Hackers
SSERGIO123, User Rank: Apprentice, 3/6/2015 | 10:16:04 AM
Re: Weak link
But that's exactly my point, it is NOT easy. It's hard work. That's why almost nobody does it.
xmarksthespot, User Rank: Strategist, 3/6/2015 | 9:00:33 AM
Re: Security culture
The article brings up important details about the basics of information security. 

Unpatched Microsoft Office was necessary for this ploy to work.  The attack highlights the importance of applying all security patches in a timely manner.  Most banks were not susceptible to the attack due to proper patching.

The Open Web Application Security Project (OWASP), a non-profit organization focusing on improving software security, places Security Misconfiguration as number 5 in its top ten list of security concerns.

Exploitability is specified as Easy, but detectability of misconfiguration is specified as Easy. Prevalence is specified as Common, but I would assume that the banking industry as a whole is well protected compared to all other industries.
Joe Stanganelli, User Rank: Ninja, 3/5/2015 | 11:51:40 PM
Re: Security culture
@Preeti: I had the pleasure to attend a cybersecurity conference some time ago where a representative from the Israeli consulate spoke, and he told the audience that in Israel, cybersecurity is indeed something that is focused on at an early age -- and that students are given the opportunity to focus their studies on cybersecurity as early as high school.
Joe Stanganelli, User Rank: Ninja, 3/5/2015 | 11:49:56 PM
Re: Weak link
@SSERGIO123: Good point.  But then, if it was easy, everyone would do it.  ;)
jefawcet, User Rank: Apprentice, 3/3/2015 | 6:44:12 PM
Reduce the attack surface by taking out the user (somewhat)
Even with the best end user training you are doing well to get 50% effectiveness. Supplement the end user training with removing the chance that the user will click on the spam link with a secure email gateway. Remove the chance that a user is going to a compromised site (poisoned well) using a secure web gateway, secure cloud gateway. I find doing the above is quite effective.
PreetiS347, User Rank: Apprentice, 3/3/2015 | 11:28:15 AM
Re: Security culture
I believe the concept of security should start right from elementary school. The kids in school use computers. They should be given security classes as well. This process in the long run will inculcate the security culture. Just like we teach our kids to be aware of strangers, not to be over friendly with people they don't know well and to let their parents know of everything that's happening with them, we can teach them how to be safe in the cyberworld: what the signs are that you are being hacked, not to release your PII to random forms and surveys, etc. All this will develop the approach of being alert and logging all important security rules in the back of your mind, just like a well developed IDS.

For the corporate world, the periodic emails showing the unusual activity are a good option, but I guess there should be a team that re-screens these emails and then gives the employees an alert when an action is required. As it is mentioned, people from the bank have so many emails in a day that it is quite possible for them to miss out on the important one from security. Training, I guess, has no substitute. The more you know, the more you do.
Marilyn Cohodas, User Rank: Strategist, 3/3/2015 | 10:09:08 AM
Re: Security culture > self audit
I think a self audit could work for me, if the emails/reports were concise and showed me my activity in a manner that was easy to scan and spot anomalies. I get a spam filter report every day. And while I don't religiously open it, I do read it often enough so that I can tag emails that are mistakenly quarantined.
SSERGIO123, User Rank: Apprentice, 3/3/2015 | 7:46:49 AM
Weak link
The weak link is the hacker's command and control server. If we analyze all outbound IPs, we will detect those which are not kosher and will be able to block them. Hard work? Yes. So?
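The outbound-IP analysis SSERGIO123 describes, as an added example and not the commenter's own code: constructed egress records are grouped by destination, anything on a vetted allowlist is skipped, and the rest is flagged either as beacon-like (very regular connection timing) or simply as unvetted. The log format, the IP addresses and the allowlist are all made up for the example.

```python
"""Egress triage over constructed proxy/firewall records (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress records, "timestamp src dst bytes" (not real traffic).
SAMPLE_LOG = """\
2015-03-03T07:00:00 10.0.1.5 203.0.113.10 512
2015-03-03T07:05:00 10.0.1.5 203.0.113.10 520
2015-03-03T07:10:00 10.0.1.5 203.0.113.10 508
2015-03-03T07:15:00 10.0.1.5 203.0.113.10 515
2015-03-03T07:01:10 10.0.1.7 198.51.100.20 4096
2015-03-03T07:33:45 10.0.1.9 198.51.100.20 8192
2015-03-03T07:02:00 10.0.1.8 192.0.2.30 1200
2015-03-03T07:40:00 10.0.1.5 192.0.2.30 700
"""

# Constructed allowlist of destinations already vetted as legitimate.
ALLOWLIST = {"192.0.2.30"}

def parse_log(text):
    """Group records by destination: {dst: [(timestamp, src), ...]}."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        by_dst[dst].append((datetime.fromisoformat(ts), src))
    return by_dst

def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps: near 0 means
    regular, beacon-like timing. None when fewer than three connections."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def triage(text, allowlist=ALLOWLIST, max_cv=0.1):
    """Return {dst: reason} for every destination not on the allowlist."""
    findings = {}
    for dst, hits in parse_log(text).items():
        if dst in allowlist:
            continue  # already vetted: building that list is the hard work
        cv = beacon_score([t for t, _ in hits])
        hosts = len({s for _, s in hits})
        if cv is not None and cv <= max_cv:
            findings[dst] = f"beacon-like: {len(hits)} hits, gap cv={cv:.2f}, {hosts} host(s)"
        else:
            findings[dst] = f"unvetted destination: {len(hits)} hits from {hosts} host(s)"
    return findings
```

The allowlist is deliberately the only thing that silences a destination; everything else surfaces for a human to vet, which is exactly the "hard work" the comment refers to.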
Joe Stanganelli, User Rank: Ninja, 3/3/2015 | 5:40:15 AM
Security culture
This is the difference between security awareness in certain offices (the C-suite, the compliance/audit department, the general counsel's office, etc.) and security culture.  It comes down to convincing everyone, from the top down, that security is important.

Of course, in the particular example given, I'm not convinced a "self-audit" would be particularly helpful.  People in banking deal with thousands of emails a day; in numerous organizations they are even routinely encouraged -- if they do not take the initiative themselves -- to fudge the seeming "minutiae" a bit simply to satisfy the audit department because they feel they wouldn't ever get anything done otherwise.

So it's nice to have the policy in place...but you have to convince your staff that the policy is worth following.  That can often be easier said than done.
