<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" href="/stylesheets/rss.css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Ellipsis: Inoculation</title>
    <link>http://typo.pburkholder.com/articles/2007/01/26/inoculation</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>...</description>
    <item>
      <title>Inoculation</title>
      <description>&lt;p&gt;Two recent news items in &lt;a href="http://www.sans.org/newsletters/newsbites/"&gt;SANS NewsBites&lt;/a&gt; had me thinking about the fun (and profit) of working to ethically &amp;#8220;inoculate&amp;#8221; one&amp;#8217;s staff against phishing and social engineering attacks.&lt;/p&gt;


	&lt;p&gt;To quote:&lt;/p&gt;


	&lt;blockquote&gt;
		&lt;p&gt; &amp;#8212;NY &amp;#8220;Inoculates&amp;#8221; Employees Against eMail-Borne Malware
(22 January 2007)
Will Pelgrin, New York State&amp;#8217;s chief information security officer
(CISO), worked with AT&amp;#38;T and the &lt;span class="caps"&gt;SANS&lt;/span&gt; Institute to develop an
&amp;#8220;inoculation&amp;#8221; program to protect state agency computer systems from
malware infections.  First, approximately 10,000 state agency employees
received email messages alerting them to ongoing phishing activity and
encouraging them to be aware of the risks of opening email from unknown
users and clicking on links in unsolicited email.  The next month, the
employees were told that in keeping with a tightened security posture,
all employees were required to have passwords.  That was followed by an
email that came from outside the network containing a link that if
clicked on, would prompt users for their user IDs and passwords.  The
email contained some clues that it was not legitimate.  If the users
provided the requested information, they got a pop-up telling them they
had failed the test and then were shown a video and given a 10-question
exam.  Eighty-three percent of the recipients did not fall for the scam.
When a similar test was run two months later, that number rose to 92
percent.
http://www.gcn.com/print/26_2/42983-1.html?topic=security&amp;#38;CMP=OTC-RSS
[Editor&amp;#8217;s Note (Kreitner): This is an excellent example of good security
management supported by a security metric that quantitatively measures
actual progress toward a specific security goal, in this case a
particular change in human behavior.
(Pescatore): A good effort as long as it is continuous. If they measure
a month later, the number will likely drop quite a bit. If the process
continues, they will likely find that the 11% improvement drops off
quite a bit.]&lt;/p&gt;
	&lt;/blockquote&gt;
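
	&lt;p&gt;As an added example (not the post&amp;#8217;s own code, and nothing from the New York program itself), here is the bookkeeping side of such a round in Python: a unique link token per recipient, a landing-page callback that records the click or the credential submission without ever storing the password, and a scorer that gives the resistance rate per round and the people who failed every round, which is the view you need to see the decay Pescatore expects. The recipient addresses, the helpdesk hostname and the event names are assumptions.&lt;/p&gt;

```python
"""Added example, not code from the post or from the New York program it
quotes: the bookkeeping behind one round of a phishing inoculation test.
Each recipient gets a unique, unguessable link token; the landing page
records click, credential-submission and report events against that token
and never stores the submitted password; the scorer gives the resistance
rate per round and the people who failed every round.  Recipient addresses,
the helpdesk hostname and the event names are assumptions."""
import secrets
from collections import defaultdict


class InoculationRound:
    """One simulated-phishing round: token issuance, event capture, scoring."""

    EVENTS = ("clicked", "submitted", "reported")

    def __init__(self, round_id, recipients):
        self.round_id = round_id
        self.recipients = list(recipients)
        # token -- recipient map.  The link carries only the token, so a
        # forwarded test email does not reveal who was targeted and nobody can
        # derive a colleague's link from their own.  Fresh tokens per round
        # mean a stale link from January cannot be counted in March.
        self.tokens = {secrets.token_urlsafe(16): r for r in self.recipients}
        self.events = defaultdict(set)  # recipient to set of event names

    def token_for(self, recipient):
        return next(t for t, r in self.tokens.items() if r == recipient)

    def link_for(self, recipient, base="https://it-helpdesk.example/verify"):
        """The URL embedded in the test email for one recipient (base is assumed)."""
        return f"{base}?t={self.token_for(recipient)}"

    def record(self, token, event, password=None):
        """Landing-page callback.  The password argument exists only so the
        page handler has nowhere else to put it: it is discarded and only the
        fact of submission is kept.  Unknown tokens are ignored rather than
        creating a record, so link scanners and forwarded mail cannot inflate
        the counts."""
        del password  # never logged, never stored
        if event not in self.EVENTS:
            raise ValueError(f"unknown event {event!r}")
        recipient = self.tokens.get(token)
        if recipient is None:
            return False
        self.events[recipient].add(event)
        return True

    def failed(self, recipient):
        """Failing means handing over credentials; clicking alone does not."""
        return "submitted" in self.events.get(recipient, set())

    def results(self):
        """Per-round tally plus the resistance rate (share who did not submit)."""
        total = len(self.recipients)
        counts = {name: sum(1 for r in self.recipients
                            if name in self.events.get(r, set()))
                  for name in self.EVENTS}
        resisted = total - counts["submitted"]
        pct = round(100.0 * resisted / total, 1) if total else 0.0
        return {"round": self.round_id, "total": total, "resisted_pct": pct, **counts}


def repeat_failures(rounds):
    """Recipients who submitted credentials in every round given: the people
    the post-failure video did not reach, and the first candidates for
    follow-up training."""
    common = None
    for rnd in rounds:
        failed = {r for r in rnd.recipients if rnd.failed(r)}
        common = failed if common is None else common.intersection(failed)
    return sorted(common or set())


def run_demo():
    """Two constructed rounds with the same ten recipients.  The numbers are
    sample data, not the New York figures."""
    people = [f"user{i}@agency.example" for i in range(10)]
    first = InoculationRound("2007-01", people)
    second = InoculationRound("2007-03", people)
    # Round 1: six click, three of those also submit, one reports the mail.
    for p in people[:6]:
        first.record(first.token_for(p), "clicked")
    for p in people[:3]:
        first.record(first.token_for(p), "submitted", password="hunter2")
    first.record(first.token_for(people[6]), "reported")
    # Round 2: four click, only user0 still submits, two report.
    for p in people[:4]:
        second.record(second.token_for(p), "clicked")
    second.record(second.token_for(people[0]), "submitted", password="hunter2")
    second.record(second.token_for(people[1]), "reported")
    second.record(second.token_for(people[5]), "reported")
    return first.results(), second.results(), repeat_failures([first, second])


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

	&lt;p&gt;The fail condition here is submitting credentials, which matches how the New York test scored its 83 and 92 percent; if your programme counts a click as a failure, change failed() to test for "clicked" instead. Keep one round per InoculationRound object rather than reusing tokens, and treat the reported count as a metric in its own right: a rising report rate is the behaviour change you actually want, and it also tells you how quickly a real campaign would reach the help desk.&lt;/p&gt;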


	&lt;p&gt;And&lt;/p&gt;


	&lt;blockquote&gt;
		&lt;p&gt;&amp;#8212;Half of Finance Managers Put Unsolicited &lt;span class="caps"&gt;USB&lt;/span&gt; Drive in Computers 
(25 January 2007)
As a research project, a consulting firm sent &lt;span class="caps"&gt;USB&lt;/span&gt; sticks to finance
directors at 500 firms in the UK.  The memory devices purported to be
invitations to &amp;#8220;the Party of a Lifetime&amp;#8221; with an anonymous sender but
were actually part of an experiment.  Nearly half of the finance
directors inserted the stick into company computers.  Media companies
fared the worst in the experiment, with 65 percent putting the memory
stick into computers.  At technology, retail and transportation
companies, the figure was between 38 and 39 percent.  The devices could
be used to plant malware on computer systems.
http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick
[Editor&amp;#8217;s Note (Liston): While this test seems somewhat contrived, you
really can&amp;#8217;t argue with the results.  Human curiosity is an incredibly
strong motivator that will, more often than not, overwhelm common sense.
If you found a &lt;span class="caps"&gt;USB&lt;/span&gt; key lying in the parking lot outside your workplace,
what would &lt;span class="caps"&gt;YOU&lt;/span&gt; do?  What would the majority of your co-workers do?
(Schultz): The results of this research study further underscore the
great need to reach management in security training and awareness
efforts, something that is much too often completely overlooked.
(Honan): This story illustrates how depending on your perimeter defences
alone is no longer sufficient.  Comprehensive security awareness
programmes coupled with technical controls such as locked down desktops
and &lt;span class="caps"&gt;USB&lt;/span&gt; port management are needed in the battle against ever
increasingly sophisticated attackers.  Using resources such as those
provided by the Centre for Internet Security,
http://www.cisecurity.org/, will help.  For example, a simple registry
entry on Windows machines will disable autoplay from any disk type,
regardless of application
&lt;span class="caps"&gt;HKLM&lt;/span&gt;\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.]&lt;/p&gt;
	&lt;/blockquote&gt;</description>
      <pubDate>Fri, 26 Jan 2007 23:09:00 -0800</pubDate>
      <guid isPermaLink="false">urn:uuid:05e2bdfe-cada-4784-90d2-7e8a7f87857d</guid>
      <author>Peter Burkholder</author>
      <link>http://typo.pburkholder.com/articles/2007/01/26/inoculation</link>
      <category>Security</category>
      <category>phishing</category>
      <category>training</category>
      <category>security</category>
    </item>
    <item>
      <title>"Inoculation" by Jennifer Smith</title>
      <description>Hi

Instant messaging security firm IMLogic warned of a new phishing attack making its way through the Yahoo! Messenger network on Monday.

Just in case...
Jennifer</description>
      <pubDate>Fri, 02 Feb 2007 07:55:55 -0800</pubDate>
      <guid isPermaLink="false">urn:uuid:5c007f0c-2b24-4244-85a3-6a745445da32</guid>
      <link>http://typo.pburkholder.com/articles/2007/01/26/inoculation#comment-3937</link>
    </item>
  </channel>
</rss>
