Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

97% of Americans Cant Ace a Basic Security Test
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/24/2019 | 8:40:13 AM
Re: OK but websites are not everything
I addressed just home users - my bad as most people go to work and therein, not having a basic idea, also commit stupid mistakes in judgment.  There is a video here of the subject on user education being critical as the front line of defense - all true. An amazing number of issues could be avoided IF people had just a basic idea of maybe 10 or 20 NO NO NO moves.  But that rarely is done. One great inside email campaign spoofed a spoof email and if users clicked on the link, it brought them to an internal site that said in effect BAD YOU, you need corporate education and here is where to find it.  Register now.  Great idea. 
User Rank: Apprentice
5/22/2019 | 4:18:42 PM
Re: OK but websites are not everything
Lots of websites use passwords that are at least 8 characters long, but most websites unfortunately don't have 2FA, I think it's too soon for these settings


User Rank: Ninja
5/22/2019 | 1:47:46 PM
Re: OK but websites are not everything
This should really be a FULL discussion of security.  Before moving to Georgia in 2014, I performed self-employed managed services for small  business and residential - the latter was not huge money but it was a bit of income that kept good dinners on the reservation list.  And the security knowledge in sum total of all homeowners was about nill!!!   One charming older couple got whacked by the Microsoft tech scam - lost everything.  (They called when I was in Georgia and I faulted myself for lacking a domestic backup strategy).

My other residentials were technically non-compliant (read that plain dumb).  In hindsight, I should have done far more them than I did and that is through my current position in a malware forensics CSirt department - increased knowledge across the board.  I did not have THAT up north and did not pass it to my clients, my bad.  But by basis knowledge alone they were all lacking in sophistication and not one would know HTTP from HTTPS at all - even less dual authentication, complex passwords, clicking on links, etc.  
User Rank: Apprentice
5/21/2019 | 6:49:47 PM
Re: OK but websites are not everything

User Rank: Apprentice
5/21/2019 | 9:54:10 AM
More website creators is simply better?
After reading the entire post and seeing again and again how much the average citizen does not know about Cyber Security, can someone explain to me why more Americans planning on creating websites is a good thing?  Is this based on the assumption that by doing so, we're confident that they'll take the time and put forth the effort to learn the basics of website security?  If so, that seems like an assumption as best.  If anyone can help me understand this point, I'd appreciate it.
User Rank: Author
5/20/2019 | 4:41:29 PM
Re: OK but websites are not everything
While I tend to agree with you Whislock, there are also several elements missing from the story that could greatly affect the results. For example, there is no mention of the average age (only that all participants were over 16 years old) and I'd expect poorer performance from an octogenarian than a millenial. If the average age were 30 though I would be more concerned. Alsom the sample size was only 2,000, which is not a representative sample of all Americans. I do see REISEN1955's point though - whether or not a website uses HTTP vs. HTTPS isn't necessarily indicative of whether or not the link is "OK" as the article states and there is far more to security than URL analysis. I think a link to the poll and more information about the sample that participated would help clarify the severity of the findings.
User Rank: Apprentice
5/20/2019 | 2:17:29 PM
Re: OK but websites are not everything
I have to ask why you'd even say this. There's a certain "hierarchy of knowledge" when it comes to non-technical users. Below multi-factor authentication, below VPNs (commercial VPN services are a massive security issue, why would you say this?), below the recognition of suspect software, you have the base of the pyramid, which is a basic understanding of the everyday security concepts of using the Internet and what threats exist. No, websites aren't everything, but websites are 99% of what the everyman does on the Internet day to day. If they lack even that basic understanding, why would you even suggest more advanced security concepts? That's like telling them to install a state-of-the-art home security system with all the bells and whistles when they can't even figure out to close the front door.
User Rank: Ninja
5/20/2019 | 12:40:41 PM
OK but websites are not everything
What about complex passwords?  Dual authentication?  Reading suspect emails and acting on them?  Patch updating a system?  Intallation of suspect software often with PUPs?  Usage of a VPN service?  All important too and many likely to infection and perhaps destroy a system.  Websites are not everything. 

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...