
IT security defenses misdirected

Manek Dubash ZDNet UK | September 15, 2009 4:50 AM PDT

Summary

A Sans report says two security risks — web applications and phishing — carry the greatest potential for damage, yet users instead tend to concentrate on less-critical risks.
Businesses are finding it difficult to prioritize defence strategies against cyberattacks because most of them do not have an internet-wide view of the attacks, according to a report from Sans, the security training organization.

As a result, two security risks — web applications and phishing — carry the greatest potential for damage, yet users instead tend to concentrate on less-critical risks.

The report, published by security training organisation Sans, amalgamates global data from security attacks on computers from March 2009 to August 2009.

It identifies two main defense priorities for enterprise users. The first is targeted email attacks, or spear phishing, that exploit client-side vulnerabilities in programs such as Adobe's PDF Reader and Flash, Apple QuickTime and Microsoft Office. These applications are described as "the primary initial infection vector used to compromise computers that have Internet access", and are the result of attackers taking advantage of "programming errors that are not being picked up by common vulnerability scanners".

The second priority is vulnerable websites. More than 60 percent of attacks are against web applications and "convert trusted websites into malicious websites serving content that contains client-side exploits" by exploiting the most common vulnerabilities such as SQL injection and cross-site scripting flaws, in both open-source and custom-built applications. Such vulnerabilities make up more than 80 percent of attack opportunities.
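The two flaw classes named above, SQL injection and cross-site scripting, are shown here as an added example (not code from the article or from the Sans report): a vulnerable query and a vulnerable HTML template beside their fixed forms, run against a constructed in-memory SQLite table. All names, the sample rows, and the probe strings are assumptions made for the demonstration.

```python
"""Added example, not from the ZDNet article or the Sans report.

Shows the vulnerable and fixed form of the two web-application flaws the
report names most often: SQL injection (user input concatenated into SQL)
and cross-site scripting (user input pasted into HTML unescaped).
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "admin"),   # constructed sample rows
         ("bob", "bob@example.test", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's string is spliced into the SQL text, so a
    quote character in `name` ends the literal and the rest is parsed as SQL.
    A scanner that only fuzzes the HTTP layer may miss this when the
    application swallows database errors."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """FIXED: parameter binding. The driver sends `name` as data; it can
    never change the shape of the statement, whatever characters it holds."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted input interpolated into markup unchanged, which
    is how a trusted site ends up serving attacker-supplied script."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """FIXED: HTML-escape at the output boundary so angle brackets, ampersands
    and quotes reach the browser as text, not as tags or attributes."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed probe string
    print("vulnerable:", lookup_user_vulnerable(db, probe))   # every row
    print("safe      :", lookup_user_safe(db, probe))         # no row
    print(render_greeting_vulnerable("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

The safe versions are the whole of the fix: bind parameters instead of building SQL strings, and escape at the point where data becomes markup. Both are mechanical enough to enforce with a code-review rule or a linter, which is the kind of control the report's "programming errors" finding calls for.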

A further finding is that applications are now more vulnerable and see more exploitation attacks than operating systems. There were no new major operating system worms seen in the wild during the reporting period.

Additionally, the report found there has been "a significant increase" over the past three years in the number of people discovering zero-day vulnerabilities: flaws that become known to attackers before they are discovered by security researchers, opening the chance of an attack against which no preparation has been made.

A Sans spokesman said: "This report is different from anything we have done before because it reflects massive amounts of data on the actual attacks (millions of them) and on the speed with which the underlying vulnerabilities are being patched (actual data from thousands of companies)."

The report's sources include attack data from 6,000 organizations, compiled by security hardware vendor TippingPoint; vulnerability data from nine million computers, compiled by security software vendor Qualys; and additional analysis and tutorials by the Internet Storm Center and Sans faculty members.

This article was originally posted on ZDNet UK.

Talkback (5 comments)

  • In My Humble Experience...
    The biggest problem that I have isn't viruses or phishing. Most people run at least basic AV protection on their machines. My problem is the users themselves.

    I run a pretty tight setup at the school where I work. Active directory with group policies, Symantec Endpoint Protection, a Linux firewall/internet filter (Ubuntu/Squid), nobody on AD is admin to their profile or to the machine.

    However, personal laptops, which many people like because they can take them home and work on stuff, and it's "theirs", are a huge security risk. Most of them run some kind of AV as well, and I don't let them bring their laptops if they don't.

    The issue is that most users tend to be very "non-educated" (I want to use bigger words, but I will refrain). They will click on everything on the internet which says: "click me!" and install messaging programs, optimizers, fake AV and anti-spyware, every P2P program under the sun; the list goes on.

    While this is usually not an issue if they don't connect, if they DO connect, by network or by removable media, they bring their crap with them. And while my network is fairly secure, all that crap is guaranteed to try and access the internet and will ball up the network if there are lots of them. Not to mention the risk that some of that stuff is actually capable of hacking/infecting network PCs remotely, even though I try to keep my PCs up to date with their security updates.

    And that's just PC users. Mac users get lulled into a false sense of security, thinking that Macs can't get viruses. They can, and though they may not exhibit symptoms, they WILL pass them on without the user ever knowing about it.
    blackepyon01@...
    15th Sep 2009
  • Amen
    Preach on brother.

    Another one is friends and family that discount most of what you say even though you take your own time to do it for FREE and then ask you to take your time to 'clean it up' and are offended when you tell them that you are not going to keep encouraging their bad behavior. After the $200 charge from the local shop they usually seem to be humbled a little.
    netuzer
    16th Sep 2009
  • Amen indeed
    Convenience will always trump security issues for most users. The only way to change this is to make insecure behavior more inconvenient than the alternative.

    zdnet-gregc
    16th Sep 2009
  • RE: IT security defenses misdirected
    I am an IT Director for a 6000-member trade association, and the response from my leadership is this, when I attempt to promote training and sensible 'net behavior: "I don't have to know how to build a watch, in order to tell the time".

    The "non-tech" side of business, today, IMHO, is filled with ignorance, illiteracy, sense of "entitlement", and a pervasive attitude of free-play abandon, with little or no consideration of security as an issue; "There are geeks in the basement to fix this stuff, if I screw it up. Not my job to know anything about the tools of my trade".

    I often use the analogy of a carpenter showing up to build a house, and having no clue how to apply a level, or which end of the hammer should meet the nail.

    How do we fix it? Education, I think... but then, that's a whole 'nother area of abject failure in America, these days...

    I read the Exec Summary of the report behind this article, and not one item of the information was a surprise or "eye-opener" to me; welcome to my world. I have walked into the home offices of folks originating loans for the largest purchases of peoples' lives, their houses, and found their entire business housed on cheap computers with NO security whatsoever, NO backups, and NO firewall, with all appliances still carrying the default passwords existent "out of the box", and a hard disk stuffed with the personal identities of hundreds of clients, everything needed to approve financing of a half-million-dollar loan.

    There are some really basic changes needed, and, at least in America, I think we're going to have an easier time "training" the appliances than the users. AI and adaptive security built in, with NO available circumvention, IMHO, will be the eventual answer. We need systems and interfaces that just won't connect, unless and until the connection is secured properly, and the interfaces themselves able to perform the task.
    mike@...
    16th Sep 2009
  • RE: IT security defenses misdirected
    I'd like you to check our inzerosystemsdotcom website and then mine: wbc4securitydotcom... This is the BEST pc sec in the WORLD, cert'f'd nist-bt-lockheed++
    Paul@...
    17th Sep 2009