I'm continuing the trend my colleague Josh Zelonis started last year during Cybersecurity Awareness Month to share a few stories of the time I almost got hacked. It can -- and does -- happen to everyone, including folks that should know better. Blaming users for mistakes becomes a trap far too many of us fall into as security and risk pros, and sharing the moments when we made mistakes can help us all become a bit more empathetic towards our user populations.
Here's a selection of three examples from my past of when I made some poor decisions online:
The "EZ Pass phishing email"
I travel often, and on occasion I head to states with plenty of toll roads. Back in 2016 I'd recently traveled to Northern Virginia, New Jersey, and New York all within a couple of weeks. I returned home and about a week later I got the email below:
My mouse moved slowly over the word "here" and my finger just itched to click and figure out just what was going on. And as I hovered over it I thought -- wait, my rentals had EZ Pass, did the rental car company make a mistake? That's when I thought -- wait, how could the government and rental car companies be so sophisticated that they then emailed my personal email account for a toll I didn't pay? I don't think government is that efficient. So yes, in this scenario my skepticism of government efficiency saved me from malware. While not as useful as antivirus technology, it worked this time.
This torrent seems fine
In my past lives -- well before Forrester -- I may or may not have engaged in filesharing. I'll also go ahead and state for the record that I agree with Gabe Newell of Valve that "piracy is almost always a service problem and not a pricing problem." Anyone who engaged in extensive filesharing, especially when using public trackers on BitTorrent, knows all too well the feeling of unpacking an archive, running the AV scanner and finding nothing, only to then double click and have your computer suddenly start smoking with alarm bells ringing. Yep, it got me too, more than once, and I'd even started in the infosec industry at the time, so I should have known better. Or I should have used virtual machines and tested things out. But sometimes you want to watch that movie or play that game you just downloaded right away!
The malware analysis oopsie
One of the first things you'll learn from an experienced malware analyst is the guarantee that you will accidentally infect your system in the normal course of duties. I'd gotten my hands on the alien book and got ready to dig in! I configured a lab and started to learn. But then, like all victims of hubris, overconfidence sets in: you'll multitask and forget what you opened, accidentally double click, or even move files from one place to another and suddenly -- boom! You've succeeded in determining that the file you already knew was malware was in fact malware! I managed to move fast, and broke things.
My examples are self-inflicted, and I learned from all of them
Cybersecurity Awareness Month grants us an opportunity for increased exposure and access to the people that we should help -- including ourselves. Naming and shaming never solves the problem, and empathy goes a long way. People answer hundreds of emails a day in their jobs; avoiding the one that they shouldn't click on is not easy. Joseph Blankenship recently blogged about the need for layers when it comes to defending against phishing. That's why we have analysts like Jinan Budge and Claire O'Malley discussing the importance of awareness, behavior, and culture. Hopefully this blog sheds some light on the fact that accidents happen to everyone, and we can all use them as opportunities for improvement, rather than exploit them (pardon the pun) to spread blame.
This post was written by VP, Principal Analyst Jeff Pollard, and originally appeared here.