It happened when I was onsite at a contractor facility -- and as strange as that can be, that wasn't the strange occurrence either.
Here's what did happen... An email with an attachment was sent to some of the senior engineers. The email was from the "support team" stating that they had to change their passwords and the new password was in the zipped file attached.
Now, I found this very strange as, first off, the support team never sends out generalized password emails, and personnel always get a notice when it's time to change their passwords. On top of that, the notice doesn't come from the support team. And lastly, why on earth would a new password be in a zipped file? Certainly the new password could not be that long. Even if the message included a password and the directions to change the password, the file would not be so large that it needed to be zipped.
Sadly, however, nine out of 10 of the engineers who received this email opened the zipped file.
I am sure you are already ahead of me on this, and you are right -- the zipped file did not contain a new password, but rather a virus. Surprise, surprise!
I was seriously amazed at the number of people who would open something that had so many obvious red flags. These are the same engineers who install firewalls and Intrusion Detection Systems (IDS), update and maintain the anti-virus software, and architect security features into systems and networks. They, of all people, should know what new worms, viruses and Trojans have been released.
And still, they opened a suspicious email attachment.
As a security community, we tend to concentrate on the latest and greatest -- like new security software, hardware, firmware. We tend to assume that everyone knows and remembers basic security foundation rules.
So, maybe it's time to go back to the basics.
One of the best ways to get back to basics is through security training. This training should be given annually or to a new employee upon hire. It should educate users on the policies, where to find the policy, and how to implement it. Training should also include reminders on how to identify and report suspicious emails.
By making employees aware of the consequences of bad security practices, and the pain that can be saved by using good security practices, the organization will have a much more secure baseline.
With today's ever-changing technology, fast pace, and security vulnerabilities, maybe it is time to go back to basics. This should never be overlooked as an aspect of protecting not only the system, but the employees, as well.