It’s sad but true: The most common way for malware to get on your network is through the assistance of one of your employees.
Even sadder, but just as true: That employee might not even realize they've let an intruder in.
The biggest security challenge for any CIO is training people in how to spot and avoid malware in its many shapes and forms. Movies and TV shows have conditioned us to think of cybercriminals as diabolical and omnipotent, connecting to a victim’s PC with a few mouse clicks, a burst of keyboard activity, and the announcement, “I’m in.”
The reality is far more mundane. Most malicious software arrives in response to a click on a seemingly innocent web link, or as a harmless-looking e-mail attachment. And you don’t have to be poking around in seedy corners of the Internet to stumble across viruses and Trojans, either.
Blue Coat, a web security vendor, ticked off the most common sources of malware in its 2011 Midyear Security Report. As expected, searching for pornography is a high-risk behavior, with roughly 7% of infections traced to that vector. But more than half of the time, the source is one of these three legitimate activities:
- Search engines: 39%
- Email: 7%
- Social networking: 5%
So, how do you train employees to spot and stop the attacks? By making sure they understand these important security facts.
Don’t assume that your antivirus software will protect you.
If you’re involved in security planning and response, you know the importance of a multi-layered security strategy. End users who don’t have a technical background tend to think in simpler terms, with antivirus software playing the superhero role.
The reality is that even the best antivirus software detects only about 80% of incoming threats. In one recent test of a dozen security software products at the highly regarded AV-Comparatives, the best detection rate was 60%. Or, to put it another way, the best of those top-rated antivirus programs allowed the bad guys to slip through 40% of the time.
Let your users know that their role in the cybercrime-fighting process is crucial, and that even up-to-date security software doesn’t make them invincible.
Learn how to look beneath the surface.
This is one of those cases where even a partial success can incrementally improve your network’s overall security. You can’t expect your users to become expert analysts, but you can teach them some tricks to avoid being fooled by a fraudulent e-mail message.
- Don’t assume the sender is who he says he is. Don’t expect your users to master the art of reading e-mail headers, but do convince them to consider the possibility that the sender’s name is forged or that the account has been hijacked.
- Learn to identify the actual file type. An e-mail message might claim that it includes an attachment in PDF format, but the actual file is an executable. The easy way to tell? Save the file instead of opening it, and then inspect its properties. Keep in mind that Windows hides known file extensions by default, so a file named Invoice.pdf.exe shows up as Invoice.pdf; turning on the display of file extensions in Windows Explorer's folder options removes that disguise.
- Don’t be fooled by logos and design tricks. The bread and butter of social engineering involves convincing you that a message is from your bank. If your organization uses Microsoft Outlook, the quickest way to spot a fraud is to move the message into the Junk folder, where you can see it in plain text format and the links are disabled. Other e-mail clients and services offer similar features as options. Hovering the mouse pointer over a link before clicking also shows its real destination, which in a fraudulent message rarely matches the text of the link.
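The three checks above can be automated for whoever handles the suspicious-mail alias. The script below is an added example, not code from the original article: it parses a raw e-mail message, compares the From domain with the Reply-To and Return-Path domains, compares the host named in each link's visible text with the host the link actually points to, and compares each attachment's leading bytes with the type its name and Content-Type claim. The message it inspects is constructed inline for the example; the bank name, addresses, host names and attachment are all made up.

```python
"""Triage a raw e-mail the way the article suggests: check who really sent it,
where its links really go, and what its attachments really contain."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Leading-byte signatures for the formats the article mentions.
MAGIC = [
    (b"MZ", "executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),           # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0", "office"),  # legacy .doc/.xls
]
# What a file name or Content-Type claims the file is, in the same vocabulary.
EXT_CLAIM = {"exe": "executable", "scr": "executable", "pdf": "pdf", "zip": "zip",
             "docx": "zip", "xlsx": "zip", "doc": "office", "xls": "office"}
CTYPE_CLAIM = {"application/pdf": "pdf", "application/zip": "zip",
               "application/x-msdownload": "executable",
               "application/vnd.ms-excel": "office", "application/msword": "office"}
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def sniff(data):
    """Identify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Sender: does the visible From line agree with where replies and bounces go?
    from_dom = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} goes to {dom}, not the From domain {from_dom}")
    # 2. Links: does the host the user reads match the host the browser will visit?
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            target = (urlsplit(href).hostname or "").lower()
            named = HOST_RE.search(text)
            if target and named and named.group(1).lower() != target:
                findings.append(f"link reads {named.group(1)} but points to {target}")
    # 3. Attachments: does the content match the name and the declared type?
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        actual = sniff(part.get_payload(decode=True) or b"")
        exts = name.lower().split(".")[1:]
        claims = {EXT_CLAIM.get(exts[-1]) if exts else None,
                  CTYPE_CLAIM.get(part.get_content_type())} - {None}
        for claim in claims:
            if actual != "unknown" and claim != actual:
                findings.append(f"attachment {name} is declared {claim} but contains {actual}")
        # Windows hides the last extension by default, so a.pdf.exe is displayed as a.pdf.
        if len(exts) > 1 and exts[-2] in EXT_CLAIM and exts[-1] in ("exe", "scr"):
            findings.append(f"attachment {name} has a double extension; shown as "
                            f"{name.rsplit('.', 1)[0]} when extensions are hidden")
    return findings


def build_sample():
    """Constructed phishing-style message (not a real capture) for the checks above."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Alerts <alerts@example-bank.com>"
    msg["Reply-To"] = "alerts@example-bank.com.mailer.example"
    msg["Return-Path"] = "<bounce@mailer.example>"
    msg["Subject"] = "Delivery confirmation"
    msg.set_content("Your delivery confirmation is attached.")
    msg.add_alternative(
        '<p>Please <a href="http://203.0.113.5/login">sign in at https://www.example-bank.com</a>'
        " to view it.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Confirmation.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print("-", line)
```

Run against the sample it reports five findings: two sender mismatches, one link whose text names the bank while its target is a bare IP address, one attachment declared as PDF that starts with the MZ header of a Windows executable, and the double extension that hides it. Feed it a file saved from the alias (`triage(open("suspect.eml", "rb").read())`) to get the same report for a real submission.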
Be suspicious of file attachments in e-mail messages.
Some of the most damaging computer intrusions in recent memory have been triggered by users who opened a booby-trapped file in an e-mail attachment. Malware doesn’t just arrive in executable programs; it can also hide in PDF files, Excel workbooks, electronic greeting cards, and compressed (Zip) files.
This year, several wide-ranging malware attacks have spread using classic social engineering. In one example, the target received an e-mail from a global shipping company, with a “delivery confirmation” as a file attachment. Other scams use fake invoices, traffic tickets, order confirmations… all with the goal of convincing a recipient to open the attachment.
The best way to teach this lesson is with examples, and your users represent a tremendous source of great examples. Don’t just tell them not to open suspicious attachments; set up an in-house e-mail alias and encourage employees to forward messages they think are suspicious to that alias. Use the best of those submissions for your next security training session.
When in doubt, sometimes it’s best to do nothing.
Every field service rep has horror stories to tell of users who tried to clean up a malware infection using tools and techniques they found in a panic-stricken search session. The results are often an unrecoverable mess that makes recovery (and forensic analysis) next to impossible.
If you have installed an IT-approved security solution, teach your users how to use its built-in scanning and cleaning tools. But if they think they’ve been victimized by malware, they should be encouraged to call for help.
And while they wait, they can disconnect the possibly compromised computer from the network. Every user should know how to pull the plug (literally) on a wired network connection and how to disable a wireless network adapter. Disconnecting, rather than shutting down, also keeps the running processes and memory contents intact for whoever does the forensic analysis.
Above all, encourage your users to speak up even if they think they’ve done something foolish. The earlier you get a warning of a potential breach, the sooner you can respond.