Update your security lessons for end-users

Yesterday's advice won't protect users from today's worms, viruses, and scams

1 2 Page 2
Page 2 of 2

Does it tell them that official patches don't come in e-mail? Does it demonstrate how to distinguish between a fake anti-virus warning and a real one? Does it tell them that they can be infected by Adobe PDF, Microsoft Office, and Macromedia Flash graphic files? Does it tell them about spearphishing, where the phishing attacker knows their name and the e-mail appears to come from someone inside the company and references a product or group the user is involved in? Does the education material tell them that the top search results from their favorite search engine often brings back legitimate-looking, but very malicious Web sites?

Or does it give old advice, such as telling people to only visit Web sites they trust? Does it ask people not to open file attachments from unknown people? Does it say to look out for e-mails with typos, misspellings, and poor grammar?

If your end-user education doesn't contain warnings about today's attacks, please get someone to update it, even if you have to take it upon yourself. It's hard to blame our end-users for infecting themselves when we aren't providing modern education.

For some good starting points to the types of malware education you should be referencing, I can recommend two great blog articles. The first is from Barracuda Networks' recent acquisition Purewire. Barracuda Networks has been a longtime fave of my mine since its early anti-spam firewall days. The company has now expanded into Web application firewalls, message archiving, storage, and SSL VPNs (among other product offerings).

BarracudaLabs' excellent discussion of today's malware attacks is one of the best I've ever seen. It's a quick, easy-to-follow discussion of the lengths malware sites will go to look legitimate. I challenge anyone to view the examples and not be a little scared of how aggressive our adversaries are being or how realistic-looking their traps have become.

That blog link doesn't even cover how some malicious Web sites completely rewrite their code depending on what the end-user is looking for. Searching for cats? The malicious Web site becomes a portal of cat pictures and cat-owner blogs with software products for sale. Click on a product link and they own you. Looking for Web sites for a particular type of rare bird? They have that too. In fact, if you look at the URL in the resulting page, the search term you were looking for is included in the link as a replaceable variable. Change "cat" or "bird" to "frog" or "baseball," and installing the Web site transforms itself.

No end-user education document would be complete without referencing Dr. Jesper Johansson's excellent article called "Anatomy of a malware scam." Usually by page two, the graphics start looking hauntingly familiar to many readers.

Take a look at your company's computer security education. If it doesn't include today's attacks and protection advice, isn't it time for a little updating?

This story, "Update your security lessons for end-users," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com.

Copyright © 2009 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
The 10 most powerful cybersecurity companies