This past month, I witnessed a strange occurrence that I thought I would share with you. No, I didn't see a UFO or go through an entire workday without an issue arising -- nothing that strange.

It happened when I was onsite at a contractor facility -- and as strange as that can be, that wasn't the strange occurrence either.

Here's what did happen... An email with an attachment was sent to some of the senior engineers. The email was from the "support team" stating that they had to change their passwords and the new password was in the zipped file attached.

Now, I found this very strange as, first off, the support team never sends out generalized password emails, and personnel always get a notice when it's time to change their passwords. On top of that, the notice doesn't come from the support team. And lastly, why on earth would a new password be in a zipped file? Certainly the new password could not be that long. Even if the message included a password and the directions to change the password, the file would not be so large that it needed to be zipped.

Sadly, however, nine out of 10 of the engineers who received this email opened the zipped file.

I am sure you are already ahead of me on this, and you are right -- the zipped file did not contain a new password, but rather a virus. Surprise, surprise!

I was seriously amazed at the number of people who would open something that had so many obvious red flags. These are the same engineers who install firewalls and Intrusion Detection Systems (IDS), update and maintain the anti-virus software, and architect security features into systems and networks. They, of all people, should know what new worms, viruses and Trojans have been released.

And still, they opened a suspicious email attachment.

As a security community, we tend to concentrate on the latest and greatest -- like new security software, hardware, firmware. We tend to assume that everyone knows and remembers basic security foundation rules.

So, maybe it's time to go back to the basics.

  • Attachments -- Any attachment that comes with an email should be thoroughly identified prior to opening. If there is any doubt as to why it was received, who the sender is or what the attachment is, check with the security office prior to opening it. Once the attachment is opened, any virus it carries will execute.
  • Suspicious Emails -- Although it seems to be a matter of common sense, suspicious emails should be reported to the security office. What makes something suspicious? Look out for emails that come from an unknown sender; general junk mail; a return address that looks very similar to one you're familiar with but is slightly different; or an email sent by a known entity that nevertheless triggers a red flag. Also watch out for emails that request information that should already be on file, or that ask for information that is not normally passed via email or attachments.
  • Passwords -- Passwords should never be shared. If they are shared for emergency reasons, they need to be changed as soon as possible. Passwords should not be something common to the user, like a spouse's name, birthday or children's/pets' names. Additionally, passwords should be alpha-numeric, with special characters, to make them harder to crack. Most experts agree that passwords should be changed every 90 days. IT managers will not have your password. Passwords should always be stored encrypted.
  • Security Software -- Security software needs to be kept updated and current. This is done through updates of the virus software and installation of security patches or upgraded software versions. Most users rely on their security office to push any changes to the system. However, it is in the best interest of the individual user to ensure that his/her system is current. A great example is the latest worm -- if the security patch put out by Microsoft had been installed, then the worm would have been stopped.
  • Security Policy -- Contrary to popular belief, security policies are not written to make the user's life miserable. Security policies are put into place to protect the user. It is each individual user's responsibility to read and understand the policy. Once read, the policy should be implemented, followed and, most of all, enforced. These basic security policies can include rules of behavior, contingency planning, security feature user guides, and security operating procedures.
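The "Attachments" and "Suspicious Emails" rules above describe exactly the kind of red flags that can be checked mechanically before a message reaches an engineer's inbox. The following is an added example, not code from the column or from any product it mentions: a small Python heuristic that scores a message on the warning signs the list names (a zipped or executable attachment, a sender domain that is close to but not the same as the organisation's own, and talk of passwords tied to an attachment or a request). The internal domain `example-corp.com`, the sample messages and the weights are all constructed for this illustration.

```python
"""Red-flag scorer for the email warning signs listed in the column.

All domains, sample messages and weights below are constructed for this
example; adjust KNOWN_DOMAINS and the weights to fit a real environment.
"""
import re
from dataclasses import dataclass, field

# Assumed internal domain of the organisation (constructed value).
KNOWN_DOMAINS = {"example-corp.com"}
# Attachment types that execute, or unpack into something that executes, when opened.
RISKY_ATTACHMENT_EXT = {".zip", ".exe", ".scr", ".js", ".vbs", ".hta"}
CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|credentials?)\b", re.I)
# Phrasing that asks the reader to find or hand over secrets via the message itself.
REQUEST_WORDS = re.compile(r"\b(attached|reply with|send (us|me) your|enter your)\b", re.I)


@dataclass
class Email:
    sender: str                       # "Display Name <addr>" or a bare address
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_address(sender: str) -> str:
    """Strip any display name so only the address is compared."""
    m = re.search(r"<([^>]+)>", sender)
    return (m.group(1) if m else sender).strip().lower()


def sender_domain(sender: str) -> str:
    return sender_address(sender).rsplit("@", 1)[-1]


def is_lookalike_domain(domain: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> bool:
    """True when the domain is within a few edits of a known domain but is not one."""
    domain = domain.lower()
    if domain in known:
        return False
    return any(_edit_distance(domain, k) <= max_dist for k in known)


def red_flags(mail: Email) -> list:
    """Return (description, weight) pairs for every warning sign found."""
    flags = []
    domain = sender_domain(mail.sender)
    if is_lookalike_domain(domain):
        flags.append(("lookalike sender domain " + domain, 3))
    elif domain not in KNOWN_DOMAINS:
        flags.append(("external sender " + domain, 1))
    for name in mail.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXT:
            flags.append(("risky attachment " + name, 2))
    text = mail.subject + " " + mail.body
    # Passwords that are "attached" or "requested" are not how notices normally arrive.
    if CREDENTIAL_WORDS.search(text) and (mail.attachments or REQUEST_WORDS.search(text)):
        flags.append(("credentials tied to an attachment or request", 3))
    return flags


def risk_score(mail: Email) -> int:
    return sum(weight for _, weight in red_flags(mail))


def is_suspicious(mail: Email, threshold: int = 3) -> bool:
    """Anything at or above the threshold should go to the security office, not be opened."""
    return risk_score(mail) >= threshold


# Constructed samples: the message from the story, and a legitimate reminder.
SAMPLE_PHISH = Email(
    "Support Team <support@examp1e-corp.com>",
    "Password change required",
    "Your new password is in the attached zip file.",
    ["new_password.zip"],
)
SAMPLE_LEGIT = Email(
    "IT Notices <it-notices@example-corp.com>",
    "Reminder: your password expires in 10 days",
    "Log in to the portal and choose a new password.",
)

if __name__ == "__main__":
    for mail in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(mail.subject, "->", risk_score(mail), red_flags(mail))
```

The scorer is deliberately conservative: a single external sender only contributes one point, so vendor newsletters are not flagged, while a lookalike domain or a password-plus-attachment combination is enough on its own to cross the threshold. Run as a script it prints the score and the flags for both constructed samples.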

One of the best ways to get back to basics is through security training. This training should be given annually, and to each new employee upon hire. It should educate users on the policies, where to find the policy, and how to implement it. Training should also include reminders on how to identify and report suspicious emails.

By making employees aware of the consequences of bad security practices, and the pain that can be saved by using good security practices, the organization will have a much more secure baseline.

With today's ever-changing technology, fast pace, and security vulnerabilities, maybe it is time to go back to basics. This should never be overlooked as an aspect of protecting not only the system, but the employees as well.