User education is more important than basic network security, because user education stops attacks before they ever reach your network. You can have the best anti-malware software available, but it won't stop every attack: as malware writers change their tactics, signature-based anti-malware lags behind them.
Anti-malware programs can't protect you from certain attacks, phishing above all. Phishing is one of the most common attack vectors in use today, and it has been responsible for major data breaches. An attacker sends emails to several recipients within the organization. All it takes is for one of those recipients to open a malicious site and enter their user credentials, and the attacker has a valid login to your network. No amount of anti-malware can stop this, because nothing malicious ever runs on the user's machine; only a user who recognizes the email for what it is can.
What Happens When Users Don't Recognize Attacks?
Several recent successful attacks have come from users falling prey to phishing. Even Google had a widespread phishing outbreak that spread across several education systems (nbcnews.com/tech/security/massive-phishing-attack-targets-millions-gmail-users-n754501). Users received what looked like a Google Docs sharing invitation; the link led to a genuine Google permissions screen where a third-party app calling itself "Google Docs" asked for access to their Gmail and contacts. No password was entered, so the attack worked even on accounts with two-step verification turned on. Although the attacker did nothing with that access beyond sending the same email on to each victim's contacts, he could have read their mail, intercepted password resets for other services, and sold the account information on the black market.
You could ask yourself how something like this could be prevented. Very little technology prevents this type of attack: spam filters catch some of it, and multi-factor authentication limits what a stolen password is worth, but a user who types credentials into an attacker's page, or grants an attacker's app access to their account, has already defeated those controls. Educating your users is what stops it. The result of a successful attack can be devastating to your customers and employees, which is why user education is more important than having anti-malware software on your network.
What Can You Do to Educate Your Users?
It's not easy to educate users, because
what seems like an obvious scam to you might not be so obvious to your users.
They need to understand the red flags, and then apply some common sense from
what they learn. The best way to educate users is to show them example phishing
emails and describe the red flags.
If you have a Gmail account you probably
have several phishing emails in your spam folder. You can use these to show
your users what a phishing email looks like. There are several standard types
like the Google lottery scam or the Nigerian prince scam, but you should show
your users the emails that attempt to phish for private details such as
usernames and passwords.
For instance, one common phishing scam is
using a clone of PayPal. The attacker creates an email that uses the PayPal
logo and tells the user that PayPal requires them to reset their password. If
the user falls for the scam, the attacker has their PayPal username and
password, and he can log in and steal their money. This attack is very similar
to what happens when the attacker focuses on a corporate network, so it's a
good example to show your users.
After you have some phishing emails collected, you can show users the common red flags, which include:
• Shortlinks (bit.ly, tinyurl.com and the like) included in the email message, which hide where a link really goes
• Hovering the mouse over a link shows a domain different from the official PayPal domain (paypal.com), even when the visible link text looks right
• Poor English spelling and grammar
• The sender's address is from a free email account such as Gmail, Hotmail, or Yahoo rather than the company's own domain
In addition to training users to recognize red flags, you should also train them to report suspicious emails. The email administrator can then block future attempts based on the sender address or the email content. It also lets IT know that someone is targeting the corporation, and managers can be alerted in case of a spear phishing attack, one aimed at specific individuals in the company (when the target is a high-level executive it is often called whaling).
Even if it seems like a waste of time,
educating users can have a huge positive effect on your network's security. You
can stop attacks before they become major data breaches. These breaches affect
your corporate brand and customer trust. By educating users, you have a stronger
security system in place.
For help with implementing this or other technology solutions contact:
Robert Blake
Bit by Bit Computer Consultants
721 N Fielder Rd. #B
Arlington, Texas 76012
Direct 817.505.1257
Mobile 972.365.7010