All the latest UK technology news, reviews and analysis


RSA: User ignorance blamed for firms' security woes

27 Feb 2013
rsa2013

The education of end users is the missing element in corporate cyber security, said an expert panel at this year's RSA conference.

Panel members say that educating end users in how to recognise phishing emails is one of the best ways to prevent attack. They report that the ever-increasing sophistication of attackers means that phishing emails are no longer as easy to spot as they once were.

"The thing that blows my mind is that as that threat ecosystem has evolved, the efficiency of these actors has gotten so much higher," said managing partner at MAD Security Mike Murray during a panel on social engineering in the cyber security space.

"The things we used to see state-sponsored actors do is now being done by all bad actors."

Murray says that the threat landscape for email phishing scams has evolved past the old "Nigerian prince" scams of the early 2000s. He says that attackers are now improving their methodology and getting better at social engineering emails.

"Every breach I've been involved in the last five years started with a phishing attack," continued Murray

"The bad guys are getting more sophisticated. It's not just a Nigerian prince anymore."

The MAD Security executive highlighted new scams which feature emails that don't even feature malicious links. He told delegates at RSA that if a scammer successfully social engineers an email, they can convince some end users to hand over private information on their own volition.

For an example, he discussed a test phishing scam his company ran that featured a non-malicious website that tricked users into entering in their account information by promising to strengthen their password.

"We saw a gradual progression of things getting much more organised. The common element is they saw that the weak link was human interaction," said fellow panelist chief executive of PhishMe, Rohyt Belani.

Belani said that when his company performed test phishing attacks 26 percent of those who were hit were tricked into inputting their personal information. In total, Belani reported that phishing attacks worked 58 percent of the time.

But while security people have tried to educate users, part of the problem may be their inadequacies as trainers, Murray said.

"We insist on overloading people with all this data that only we find interesting as security people," said Murray.

Both Murray and Belani agree that the best way to educate end users is focus on behavior modification and not simply education.

The panel's discussion comes following a slew of higher profile attacks that started because of a phishing attack. Apple, Microsoft, and Facebook were all the victims of an attack earlier this month.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
James Dohnert
About

James is a freelance writer and editor. In addition to ClickZ, his work has appeared in publications like V3, The Commonwealth Club, CachedTech.com, and Shonen Jump magazine. He studied Journalism at Weber State University.

More on Management
What do you think?
blog comments powered by Disqus
Poll

IT curriculum poll

With coding now compulsory in schools, how important are digital skills for the next generation of school leavers?
65%
8%
18%
9%

Popular Threads

Powered by Disqus
V3 Security Summit

V3 Security Summit Day 2: Botnet, skills and BYOD intelligence incoming

Keep V3 bookmarked for news updates on all the key security concerns and topics facing businesses

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Architect (Siebel CRM) - London - £65k-£85k + Bens

Architect (Siebel CRM) London - £65k-£85k + Bens...

IT Support Specialist

Argus is a fast-growing global B2B media company providing...

IT Support Specialist - 2nd Line Support

onefinestay is searching for an IT support specialist...

IT Technician

IT Technician Internal Grade: 3 Ref : JDITTech...
To send to more than one email address, simply separate each address with a comma.