Staff education is an effective security strategy

by David Emm, Mar 05, 2010

Today cyber criminals employ a range of sophisticated techniques to hide malware activity or to make it difficult for anti-virus researchers to find, analyze and detect malicious code. David Emm of Kaspersky Lab explains how humans are the weakest link in the security chain and why it is essential to find ways to patch these human vulnerabilities.

Cyber criminals continue to make extensive use of social engineering. We see this in the continued success of phishing scams, designed to lure people to a fake web site to disclose their personal information, such as usernames, passwords, PINs and any other information that cyber criminals can use.

However, just like pickpockets, online scammers follow the crowds. Given the ever-increasing number of people who use Facebook, MySpace, LinkedIn, Twitter and other social networking sites, it’s no surprise that cybercriminals are increasingly targeting these services. They may use hacked Facebook accounts to send out messages containing links to malicious programs, or send out ‘tweets’ containing links while concealing the real destination by using a URL shortening service.
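The two lure patterns described above, a shortened link that hides its destination and a link whose visible text does not match where it actually points, are exactly what awareness training asks staff to spot before clicking. The following is an added example, not code from the article or from Kaspersky Lab, that automates that same check over the links in an HTML message: the list of shortener hosts and the sample message are constructed here for illustration, and the hostnames in the sample are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of well-known URL shortening services. Assumed starting list; extend it
# for the services seen in your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> counts as the link's visible label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def _host(url):
    """Lower-cased hostname of a URL; bare hosts like 'www.example.com' are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


# Visible link text that itself looks like a URL or bare hostname.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


def flag_links(html):
    """Return a list of (href, reason) for links a reader should treat with suspicion.

    Two checks, mirroring the article's two lure patterns:
      1. the link goes through a URL shortener, so the real destination is hidden;
      2. the link text displays one host but the href points at a different one.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        if host in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))
        if _LOOKS_LIKE_URL.match(text) and _host(text) != host:
            findings.append((href, f"link text shows {_host(text)} but points to {host}"))
    return findings


# Constructed sample message: one mismatched link, one shortened link, one honest link.
SAMPLE_MESSAGE = """
<p>Your account has been locked. Verify it at
<a href="http://login-verify.example.net/x">www.mybank.example</a></p>
<p>See our latest update: <a href="http://bit.ly/2abc">Click here</a></p>
<p>Help centre: <a href="https://www.mybank.example/help">https://www.mybank.example/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE_MESSAGE):
        print(f"{href}: {reason}")
```

Running the block on the constructed sample reports the first two links and stays silent on the third, which is the behaviour a mail-gateway banner or an awareness-training quiz would want: it points the reader at the specific link that deserves a second look rather than warning about every message.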

The popularity of social engineering is also demonstrated by the increase in ‘scareware’ programs. Such scams start with a pop-up message on a web site, which says the computer is infected and you should download a free anti-virus program to remove the malware which has supposedly been found. But when you download and run the program, it tells you that you need the ‘full’ version in order to disinfect your computer - and you have to pay for this. Of course, the cyber criminals potentially win twice with this scam: not only have they taken your money under false pretences, but they also now have your credit card details.

One of the problems with social engineering-based attacks is that they form a moving target: successive scams never look quite the same. This makes it difficult for individuals to know what’s safe and what’s unsafe. Sometimes, to make their lives easier, people use the same password for each account, or use something like a child’s name, spouse’s name or place name which has personal significance and is therefore easy to remember. Using any of these approaches increases the likelihood of a cybercriminal either guessing the password or, if one account is compromised, getting easy access to other accounts.

For businesses and other organizations, staff education should be one of the core building blocks of an effective security strategy. Employees need to understand what protection measures the organization has deployed, and why, and how these may affect them in carrying out their duties. People who use computers as a business resource at work also use them to shop, bank or socialize from home. Showing employees how to protect their own computers ensures that staff - who increasingly may be working from home - are not exposing business resources to unnecessary risks.

Cyber crime is here to stay: it is both a product of the Internet age and part of the overall crime landscape. So it would be unrealistic, I believe, to think in terms of ‘winning the war’. Rather, it’s about finding ways to mitigate the risk. Security education is similar to housework - it can’t be seen simply as a one-off task, but needs to be carried out on a regular basis to ensure good results and a clean, safe environment.