PDF documents are no longer the security panacea we thought they were. And security awareness training needs to catch up with this.
For years, IT and security professionals have been advising people to distribute documents in PDF format rather than as Word .doc files. In part, this prevents the average user from making changes to the document, but it was also perceived as being more secure since Word files were known to contain macro viruses.
Banning social network use DOESN’T prevent it being used for social engineering attacks.
An excellent article in Dark Reading describes how a security consulting company carried out an (authorized) social engineering attack on a client using information gleaned from Facebook. The client’s staff had posted information about what they did for the client (job titles, phone numbers, and email addresses) and personal data (appearance, height, weight, family background) – enough information for the consultant to create a bogus business card and then bluff his way into the client’s offices.
Most of us are familiar with URL shortening websites such as bit.ly, tinyurl.com, and is.gd. It’s one of the technologies that’s fuelling the explosive growth of social networks such as Twitter – after all, 140 characters isn’t a lot of space to fit a message if most of it is taken up with a URL!
But the use of URL shortening can be a major headache since a shortened URL could obscure the real target address and, as a result, it could be used to redirect the viewer to an unexpected site such as a phishing website, or a website infected with malware.
Following my post about McAfee’s 12 Scams of Christmas, here’s some safe shopping advice from the FBI. Good source material for a seasonal security awareness message to your staff.
Along the same lines as my recent post on photocopiers and information security, a friend of mine tells me that, in his organization:
… we have a major issue with people leaving scanned expenses on a shared drive. It’s great technology, but easy to forget the obvious.
Again, we have messages for two audiences:
- For All Staff – Be aware that scanners attached to PCs may well store copies of scanned documents on a local or networked hard drive, and those copies may be accessible to other people using the same computer. This is especially important to remember if you ever use a scanner outside your organization’s office, e.g. at a FedEx/Kinko’s, at a client site, at home, in a library …
- For IT Staff – As far as possible, try to ensure that copies of scanned documents aren’t stored in public disk space. If that’s not possible and you handle sensitive documents, designate certain PCs+scanners as acceptable for sensitive documents and restrict access to those PCs.
As my friend says, the obvious is easy to forget.
An article in a recent issue of Business Week highlighted security issues with software produced by Adobe – especially Adobe Reader, which is widely used in small and large organizations. The article quotes Kaspersky researcher Roel Schouwenberg saying “Adobe at the moment, is the main target.” And the article goes on to suggest that “Adobe” (presumably meaning Acrobat Reader) has replaced “Microsoft” (presumably meaning Windows) as the primary attack vector for hackers.
The Washington Post talks about a recent FBI warning that hackers are increasingly attacking law firms and PR companies using spear-phishing emails. These emails – previously used against military and defense targets – contain hyperlinks or file attachments which launch a malicious payload that can allow hackers to access the target’s network. Once they’re in, the hackers look for sensitive data – often linked to large corporate clients doing business overseas.
Sometimes, we focus so much on security issues relating to personal information (Social Security numbers, health information, addresses), financial transactions (credit card numbers, bank account details) and state security (military and defense secrets) that we forget other information can be extremely valuable to criminals.
You can find further news and warnings on the FBI Cyber Investigations Program website.
Plenty of people are blogging, tweeting and quoting this article from McAfee posted on CNET, and justifiably so – it’s well-timed and contains pertinent information.
If you’re involved in an ongoing process of security awareness training, consider including these topics in your materials – whether it’s a presentation during your November/December staff meetings, or your November/December monthly email messages to your staff, or a set of posters for the staff canteen.
Are you covering the security risks of photocopiers (and multi-function machines) in your security awareness training?
A recent news report from WINK-TV in Fort Myers, FL, has reminded us that the humble photocopier can be a security threat. Or perhaps I should say the ‘not-so-humble’ photocopier since many copiers and multi-function machines now include sophisticated electronics and disk drives, and they’re frequently connected to office computer networks.
The Washington Post is reporting that the American Realty company lost $195,000 when an employee clicked on a link in an email that purported to be from the IRS. The link then installed a Trojan Horse which stole passwords that enabled hackers to make payroll payments to a number of money mules.
So far, American Realty has recovered about $45,000 of the stolen cash, but there’s no indication of how much it has cost them to deal with the incident.
More data for you to use when justifying spending on security awareness training!