It happened when I was onsite at a contractor facility -- and as strange as that can be, that wasn't the strange occurrence either.
Here's what did happen... An email with an attachment was sent to some of the senior engineers. The email was from the "support team" stating that they had to change their passwords and the new password was in the zipped file attached.
Now, I found this very strange as, first off, the support team never sends out generalized password emails, and personnel always get a notice when it's time to change their passwords. On top of that, the notice doesn't come from the support team. And lastly, why on earth would a new password be in a zipped file? Certainly the new password could not be that long. Even if the message included a password and the directions to change the password, the file would not be so large that it needed to be zipped.
I am sure you are already ahead of me on this, and you are right -- the zipped file did not contain a new password, but rather a virus. Surprise, surprise!
I was seriously amazed at the number of people who would open something that had so many obvious red flags. These are the same engineers who install firewalls and Intrusion Detection Systems (IDS), update and maintain the anti-virus software, and architect security features into systems and networks. They, of all people, should know what new worms, viruses and Trojans have been released.
And still, they opened a suspicious email attachment.
As a security community, we tend to concentrate on the latest and greatest -- like new security software, hardware, and firmware. We tend to assume that everyone knows and remembers basic security foundation rules.
So, maybe it's time to go back to the basics.
One of the best ways to get back to basics is through security training. This training should be given annually or to a new employee upon hire. It should educate users on the policies, where to find them, and how to implement them. Training should also include reminders on how to identify and report suspicious emails.
By making employees aware of the consequences of bad security practices, and the pain that can be saved by using good security practices, the organization will have a much more secure baseline.
With today's ever-changing technology, fast pace, and security vulnerabilities, maybe it is time to go back to basics. This should never be overlooked as an aspect of protecting not only the system, but the employees, as well.