Comments
Social Engineering Defenses: Reducing The Human Element
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
PaxDominicus01
100%
0%
PaxDominicus01,
User Rank: Apprentice
4/30/2015 | 12:45:05 PM
Replacing poor training with impractical technical controls is not a real solution.
While the author makes some great points and backs some of it up with data, I have to disagree with his overall abstract. First and foremost, Rob Ragan is absolutely correct about that fact that most awareness training is poorly convinced and poor implemented and the problem is only compounded when companies decide not to bother tracking whether their security training is even having an impact. Rob goes on to suggest that organizations should re-allocate their budgets and implementing technical controls to reduce the attack surface that makes up the human element while eliminating the employee training and its associated cost. Here's where things start to fall apart; many of his technical controls are not practical.

-Implementing SPF, DKIM, and DMARC will help to reduce phishing emails that appear to come from your organization but doesn't do anything to stop the countless phishing emails masking themselves as originating form a legitimate organization.

-Disabling HTML in emails is a great suggestion on paper but not when you go to implement it. There are two options when you do this. You can either convert an HTML email into plain text which means all the links are removed and if the link wasn't presented as a URL the link is now lost, meaning you can never click it. Or you can just present HTML emails as text which would present users with a jumbled mess of HTML markup.

-Using browser plugins to prevent the technical portions of typical social engineering attacks is something most tech savvy users do and I'd love it if everyone one of my company's users did it but there one problem. If we aren't doing any awareness training how am I supposed to train and encourage my users to actually use this plugins instead of disabling them?

I could go on but I stop here. In the end, even if everyone could implement all these controls does it stop the root cause? No, users are going to continue to make poor choices or avoidable mistakes.

Here is my proposal. Let's start building a security aware culture at our organizations by better demonstrating the need for security with relevant threat intelligence, providing awareness training that educates users over time instead of the same exact training ever year regardless of skill or experience, conducting remedial training for users involved in incidents, rewarding good behavior, and monitoring the impact our awareness program has.

Users still won't be happy they have to do the training but if they walk away feeling like they've learned something new and we can measure that, then mission accomplished!
<<   <   Page 2 / 2


Cybersecurity's 'Broken' Hiring Process
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/11/2017
How Systematic Lying Can Improve Your Security
Lance Cottrell, Chief Scientist, Ntrepid,  10/11/2017
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.