Can IT find something better to do than play 'gotcha?'

Summary: Along the theme of a previous blog "Are users really to blame for poor security", the "geniuses" in IT are at it again. They're spending valuable business resources to craft a fake e-mail virus to "test" which users are going to be fooled into double clicking it.

TOPICS: Malware

Along the theme of a previous blog "Are users really to blame for poor security", the "geniuses" in IT are at it again. They're spending valuable business resources to craft a fake e-mail virus to "test" which users are going to be fooled into double clicking it. I just wonder what they would actually do with such information. Are they planning to call those users stupid, or are they planning on going to HR to demand that someone gets fired? Hey, I have an idea: how about if we fire the dope that has nothing better to do than to play some childish game of "gotcha?" There is simply no way an end user should ever be expected to know what they should click or not click -- especially if it's coming from the IT department itself.

As someone who works in IT, I can certainly sympathize with the daily problems that IT departments face. But experience tells me that social engineering almost never yields anything better than a 50 percent success rate -- and at a great expense to boot. What does work more than 99 percent of the time is to implement the proper anti-virus defenses at the HTTP, FTP, and SMTP gateway, which I've been saying for over three years. From a cost standpoint, it's much cheaper than putting out the fires daily, not to mention the loss in productivity.
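The gateway-side filtering argued for above (and the practice one commenter below describes, stripping all executable attachments at the mail server) is shown here as an added example; it is not code from the original post or its comments. It is a minimal SMTP-gateway attachment filter in Python's standard library: an attachment is dropped when its name ends in an executable extension (the check looks at the final extension, so a double extension such as "report.pdf.exe" is caught) or when its decoded content starts with the Windows PE "MZ" header, whatever it is named. Each dropped part is replaced in place with a plain-text notice so the rest of the message still delivers. The extension list, function names and the sample message with its filenames are all constructed for this example.

```python
"""Strip executable attachments from e-mail at an SMTP gateway (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions treated as executable content. Illustrative list assumed for this
# example; a production gateway would maintain its own.
EXECUTABLE_EXTENSIONS = (
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".dll",
)

# Windows PE executables begin with the "MZ" DOS header whatever they are named.
PE_MAGIC = b"MZ"


def looks_executable(filename: Optional[str], payload: bytes) -> bool:
    """Return True if an attachment is executable by name or by content.

    The name check looks at how the name *ends*, so a double extension such
    as "report.pdf.exe" is caught. The content check catches a PE binary
    that has been renamed to an innocent-looking extension. Archives (zip)
    are not opened here; that would be a separate layer.
    """
    if filename:
        name = filename.strip().lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            return True
    return payload.startswith(PE_MAGIC)


def strip_executable_attachments(raw: bytes) -> Tuple[bytes, List[str]]:
    """Parse a raw RFC 5322 message, replace executable attachments with a
    notice, and return the rewritten message plus the removed filenames."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    # list() so the tree is fully walked before any part is rewritten.
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and not part.is_attachment():
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        if looks_executable(filename, payload):
            label = filename or "<unnamed>"
            removed.append(label)
            # Replace the binary with a short plain-text notice in place.
            part.clear_content()
            part.set_content(f"Attachment removed by mail gateway: {label}")
    return msg.as_bytes(), removed


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF, one double-extension executable,
    and one PE binary disguised as a JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "You have an e-greeting"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed sample",
                       maintype="application", subtype="pdf",
                       filename="quarterly-report.pdf")
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 16  # constructed bytes, not a real binary
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="greeting-card.pdf.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, dropped = strip_executable_attachments(build_sample_message())
    print("removed:", dropped)
    print(cleaned.decode())
```

Run stand-alone, the script reports both the double-extension attachment and the renamed PE binary as removed while the PDF passes through untouched. The point of the content check is that a filename policy alone is bypassed by renaming, and the point of checking the final extension is that users reliably read only the first one.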

What do you think? Do I have a point or am I way off base? Leave your comments in our new talkback section.

  • So ... What's your beef?

    Just about everything in your story is contradicted by the article you linked.

    So ... What are you griping about? It looks like a useful tool. It's better for users to get a 'gotcha' (friendly reminder) from your local IT department than a virus from who-knows-where. Maybe this will remind a few users to be careful.
    • Where is the contradiction

      You can disagree all you like, but I don't know where you saw the contradiction in the linked article from 2002.

      I just think there are more effective means than social engineering to combat viruses.
  • technology is not keeping up

    With the best anti-virus and anti-spam tools, computers still get infected and users still receive massive amounts of spam. Why not educate users on operational security? I have email accounts that do not get spam and a hotmail account for online transaction/registration needs. I don't recall the last time I've had a virus on my computer. Why? Good habits.

    Sending a bogus attachment to the users in a corporate network is brilliant. It won't take long to see who clicks and who doesn't. Then you'll know where to focus your education efforts. Cheap and far more effective than anti-spam/virus software.

    Why is this "story" not in the "commentary" or "blog" section?
    • Education can't do better than 50%

      Every time I try to educate people on what to click and what not to click no matter how hard I try, it never works better than 50%. If you really want to stop execution of malware, you take measures for them like implementing a global that prevents them from executing anything that doesn't have an authorized Authenticode signature. That's much more effective.

      I have no confidence in social engineering.

      By the way, this is commentary and it is in the "blog" section. Did you see this somewhere outside of the blog section?
      • 50% is a good start

        That 50% would be a nice start and a good result for a couple hours of programming. I'm thinking of putting together a little spoof for my users - like the one that pretends to erase your hard drive.

        As soon as I start putting constraints on the system, there will be applications and attachments that they'll need to open - which leaves me running around removing the constraints. Then there are those business critical apps that refuse to run on default limited user accounts/groups. There are problems with any technical solution. I'll take that 50%!

        I agree that some will never learn. If I find a user constantly infected with malware, they are probably spending too much time browsing and messaging and too little time working. Not much I can do if that user is the boss! For those select few that seem to accumulate tens of malware titles per week, I've tried to let them suffer awhile before cleaning up the mess.
        • 50% is an "F" in terms of security
          50% success rate is an "F" when it comes to security. That's like saying, we'll only let half the malware and half the hackers break in.

          You sound like a typical support guy in IT. I've personally spent years trying to correct this kind of attitude of "let the stupid users suffer a little". This is exactly why IT is so hated in most companies.

          Are you really doing everything you can to keep viruses out? Are you filtering viruses at the HTTP and FTP gateway? Have you implemented a good SMTP anti-virus gateway? Have you implemented a centrally managed desktop anti-virus solution? Have you implemented personal firewalls on the desktops that are centrally managed? Have you implemented a good IDS system that will automatically block bad activity? There are many more productive things that can be done. Letting the users "suffer" is not one of them.
      • blogs

        Click on the "News" tab at the top of the page and the second story is a list of "Recent Blogs". How naive of me to think that the "News" link would give me "News". I should have read the fine print.
        • That's why it's labeled "Recent blogs"

          That's why it's labeled "Recent blogs"
          • No doubt.

            I just missed that part on my first pass at reading the "news".

            This is off topic, but a "Blog" is a Web Log where people of all types write whatever is on their mind. News organizations write "Commentary". There has been other "commentary" on this site about "blogs" (blogs about blogs?). Why would any respected news organization want to reduce their professional "commentary" to a "blog"? Is it just supposed to be more hip? When I first saw the term I thought it was a splotch of spilled ink (which is not a bad analogy).
    • What tools are you using?

      I don't know what tools you're talking about, but I almost never see any email virus outbreaks any more. Maybe a small outbreak once a year that quickly gets contained (within a few hours) once the definitions are up to date from the vendor.

      As for spam, education is useless about spam. A good anti-spam gateway is over 95% effective with almost no false positives.

      It's not technology that isn't keeping up; it sounds more like your particular implementations that are not keeping up.
      • three simple rules

        Firewalls are not an issue. 95% of the people I support are behind a router with built in firewall. The chances of outside attack are minimal for most users and small companies. Viruses aren't much of a problem either except when a user disables their virus protection or the tool doesn't have an auto-update. The biggest threat to these computers are the users.

        If you can teach someone to click on the "start" button or enter a URL, you can teach them the three basic rules.

        (1) Never open an attachment you weren't expecting. Call the sender and ask about the attachment.

        (2) If you get a popup question while browsing the web, the answer is ALWAYS no! If you need a plugin, go to the source for the download.

        (3) Only give your private email to coworkers, associates, friends, and family. Get a second email if you want to use it for online services or registration.

        It really is that simple. It's just common sense. It's little different from the phone credit card rule - never give your credit card information to someone that calls you on the phone... etc.
  • step into the real world

    I support many different types of users. Those who sign the checks and insist they know enough to have administrator access. Home users. The home systems of my corporate users. Systems running poorly written but business critical applications that require far too many privileges. IT budgets that are severely limited if they exist at all. You can't just tell a small margin company to dump the software they've been using for 10 years and buy something that costs much more because there is a security risk.

    It would be nice to have complete control and a uniform network with uniform software in a nice clean, well-funded utopia of internet tools and infinite budgets, but it ain't gonna happen. I make suggestions. My users make their own decisions and I clean up the mess. You may polish the general's brass, but I work in the trenches. I'm familiar with the same tools and same systems that you refer to, but it's not enough.

    I agree that I don't see many viruses. A few of my "kids" don't like the messages and disable their anti-virus software. I'm ready with fxNetsky when they start to ask (for the nth time) why they are getting failed delivery messages that they never sent in the first place. The biggest headache is malware and adware.

    I'm not a babysitter. These users are primarily adults - some with fat wallets and most with fat egos. They are responsible for their bad habits. All I can do is offer advice.

    The government labs call it "operational security". I was in that environment (as a "user") long enough to know that even the most advanced tools cannot protect your systems if you don't have responsible users.
  • I agree with you

    But sometimes even anti-virus is not enough, especially when the new DAT file to fight the virus has not yet been updated by the anti-virus vendor. In our company, we finally implemented a change in our mail server to remove all executable attachments. Our virus infections are almost nil. We have also implemented strategies to take care of non-company computers brought on-site by consultants, contractors, visitors etc. This has reduced infections even further.
    • A gap in the lines of defense

      Email message: You have an e-greeting from John Doe, click here to view your greeting.

      User clicks and gets a popup from a professional looking web site. You must install this application to view your e-greeting. "yes" or "no"... User clicks "yes", system is infected with a browser "helper" object that isn't in the virus database because it's not a virus. Tech support has a new headache that could cost a day's worth of labor (or more) to track down the nasty new objects on the computer (there is more than one and they reinstall the rest when loaded), etc... If you can't figure out the tool, you're stuck with the cost saving choice of reinstalling.

      For each user you educate not to fall for this type of ruse, you've saved a complex system clean-up, and perhaps a day or two of tech labor. Training tools make sense - even if it's a gotcha.