Update your security lessons for end-users

Dec 28, 2009 | 5 mins
Data and Information Security | Security

Yesterday's advice won't protect users from today's worms, viruses, and scams

I’m still surprised by all the old computer security recommendations that so-called experts are pushing out to the masses. For example, a quarterly guidance document from a major security vendor contained the following two statements: “Don’t open up file attachments from unknown people” and “Don’t run unexpected executable software from Web sites you don’t trust.”

That’s great advice — from 10 or 15 years ago. I’m surprised the document didn’t include a warning about accidentally booting from a floppy disk left in the A: drive.

That’s part of what is wrong with the computer security industry. When the bad guys change their tactics, most of the computer security industry needs a year or two to catch up. It took us years to teach people not to say yes to the macro warning when opening attached documents. It took us five years to tell people to stop blindly clicking on e-mail links proclaiming love (à la the ILoveYou worm).


To this day I don’t understand why it took years for the major players in the very entrenched, installed-everywhere, filthy-rich anti-virus industry to start blocking spam and phishing attacks with regular success. Cross-site scripting (XSS) attacks started happening with regularity in the 1990s. It was only in the past two years that the major browsers came with serious XSS defenses built right into the browser. Some anti-virus companies still don’t do a good job of screening IM traffic for malicious downloads.

By the time the anti-malware defenses finally get around to addressing last year’s threat in a significant way, the bad guys are onto the next big malicious thing. It’s a never-ending, losing battle.

But I don’t just want to rant at commercial anti-malware companies. First, some of them are doing a great job at responding to the new threats, and in general, the whole industry is responding faster than they did in the past. They have to! Today there are probably 50 companies that offer complete anti-malware protection (firewall, anti-virus, anti-Trojan, anti-phishing, anti-spam, and so on).

I’m just as surprised by the poor computer security education offered to end-users at most companies. Most end-user education handouts were made 10-plus years ago and don’t seem to have been updated much since then.

Let me ask you: Does your entity’s computer-security education material teach end-users that they are likely to be infected by Web sites they trust and visit every day? Does it tell them that the majority of the malware threat they will be exposed to is from very official-looking Web warnings that trick them into installing software they shouldn’t? Does it tell them that malware purveyors often break into legitimate Web sites, which then launch malware attacks on innocent visitors using inserted JavaScript?

Does it tell them that official patches don’t come in e-mail? Does it demonstrate how to distinguish between a fake anti-virus warning and a real one? Does it tell them that they can be infected by Adobe PDF, Microsoft Office, and Macromedia Flash files? Does it tell them about spearphishing, where the phishing attacker knows their name and the e-mail appears to come from someone inside the company and references a product or group the user is involved in? Does the education material tell them that the top search results from their favorite search engine often bring back legitimate-looking but very malicious Web sites?

Or does it give old advice, such as telling people to only visit Web sites they trust? Does it ask people not to open file attachments from unknown people? Does it say to look out for e-mails with typos, misspellings, and poor grammar?

If your end-user education doesn’t contain warnings about today’s attacks, please get someone to update it, even if you have to take it upon yourself. It’s hard to blame our end-users for infecting themselves when we aren’t providing modern education.

For some good starting points on the types of malware education you should be referencing, I can recommend two great blog articles. The first is from Barracuda Networks’ recent acquisition Purewire. Barracuda Networks has been a longtime fave of mine since its early anti-spam firewall days. The company has now expanded into Web application firewalls, message archiving, storage, and SSL VPNs (among other product offerings).

BarracudaLabs’ excellent discussion of today’s malware attacks is one of the best I’ve ever seen. It’s a quick, easy-to-follow discussion of the lengths malware sites will go to look legitimate. I challenge anyone to view the examples and not be a little scared of how aggressive our adversaries are being or how realistic-looking their traps have become.

That blog link doesn’t even cover how some malicious Web sites completely rewrite their content depending on what the end-user is looking for. Searching for cats? The malicious Web site becomes a portal of cat pictures and cat-owner blogs with software products for sale. Click on a product link and they own you. Looking for Web sites about a particular type of rare bird? They have that too. In fact, if you look at the URL of the resulting page, the search term you were looking for is included in the link as a replaceable variable. Change “cat” or “bird” to “frog” or “baseball,” and the Web site transforms itself to match.

No end-user education document would be complete without referencing Dr. Jesper Johansson’s excellent article called “Anatomy of a malware scam.” Usually by page two, the graphics start looking hauntingly familiar to many readers.

Take a look at your company’s computer security education. If it doesn’t include today’s attacks and protection advice, isn’t it time for a little updating?



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
