User training can only do so much
I am a big proponent of user training. I believe that people don’t intentionally try to download malware or give away sensitive information but for the most part they just don’t understand it all. That is where we as IT professionals come into play.
We recently had a user's machine get pwned. I won't get into too many details, but this machine was doing some nasty stuff such as hijacking DNS, monitoring for sensitive numbers, screen scraping, blocking security tools, and lots of advertising. After 5 minutes of this machine just being turned on and connected to the internet we captured lots of data about what it was doing and where it was going.
We just so happened to be having a staff meeting that week, so I proposed that we use this as a chance to do some user training. Training went really well. To kick things off I showed them a peer map of a clean machine with moderate usage. I then pulled up the peer map of the pwned machine over approximately the same time period. You would have thought I had just turned dirt into gold, people were blown away! This prompted many questions, and I also went into a little rant about web security and how easy it is for bad things to happen, using simple examples. People loved it, and left a little scared but much more aware of their browsing habits. We even got requests to do something similar on a monthly basis. Rock On!
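The clean-versus-pwned peer map comparison above is easy to reproduce on a small scale. The following is an added example (not code from the original post or from any tool the author used): it builds a per-host peer map from a short window of flow records, diffs a suspect machine against a known-clean baseline, and separately flags DNS traffic sent to resolvers outside an approved set, which is the kind of thing that stands out when a machine is hijacking DNS. The host names, IP addresses, approved resolvers and flow records are all constructed for illustration.

```python
"""Peer-map comparison over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the internal resolvers this hypothetical office expects hosts to use.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed flow records captured over a few minutes: (source host, dst ip, dst port, proto).
FLOWS = [
    ("clean-pc", "10.0.0.2", 53, "udp"),
    ("clean-pc", "192.0.2.44", 443, "tcp"),
    ("clean-pc", "10.0.0.10", 445, "tcp"),
    ("pwned-pc", "10.0.0.2", 53, "udp"),
    ("pwned-pc", "198.51.100.7", 53, "udp"),   # DNS to a resolver nobody approved
    ("pwned-pc", "203.0.113.9", 80, "tcp"),
    ("pwned-pc", "203.0.113.9", 80, "tcp"),    # same endpoint contacted repeatedly
    ("pwned-pc", "10.0.0.10", 445, "tcp"),
]


@dataclass(frozen=True)
class Peer:
    """One remote endpoint a host talked to."""
    ip: str
    port: int
    proto: str


def build_peer_maps(flows):
    """Return {host: {Peer: contact_count}} so repeat contacts stay visible."""
    maps = defaultdict(lambda: defaultdict(int))
    for host, ip, port, proto in flows:
        maps[host][Peer(ip, port, proto)] += 1
    return maps


def new_peers(maps, baseline_host, suspect_host):
    """Peers the suspect contacted that the clean baseline never did."""
    return set(maps[suspect_host]) - set(maps[baseline_host])


def rogue_dns(maps, host, approved=APPROVED_RESOLVERS):
    """DNS peers (port 53) that are not in the approved resolver set."""
    return {p for p in maps[host] if p.port == 53 and p.ip not in approved}


def summarize(flows, baseline_host, suspect_host):
    """Compact report a defender can eyeball: what is new, what DNS looks wrong, what repeats."""
    maps = build_peer_maps(flows)
    return {
        "new_peers": sorted(p.ip for p in new_peers(maps, baseline_host, suspect_host)),
        "rogue_dns": sorted(p.ip for p in rogue_dns(maps, suspect_host)),
        "repeat_contacts": sorted(p.ip for p, n in maps[suspect_host].items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in summarize(FLOWS, "clean-pc", "pwned-pc").items():
        print(f"{key}: {value}")
```

In practice the flow records would come from a flow exporter or a packet capture rather than a hard-coded list, and the baseline would be a map built from several clean machines over a longer window; the comparison logic stays the same.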
Fast forward a week. One of the users who was at the training had a family member pass away. She took a few days off. When she came back to the office and caught up on work and personal email, she opened something from Hallmark. She then decided to follow the link, which tried installing something on her machine. She immediately cancelled it and freaked out, knowing she should not have done that. We verified that the machine was fine, so all is well. To her, getting a Hallmark e-card after the passing of a family member made complete sense, so it never dawned on her, even though we had discussed this exact email scam a week earlier.
I bring this up because no amount of user training is going to prevent these situations. She knew better than to click on the link, but a current situation (the passing of a family member) made it seem legit. That is why we pair user awareness training with technology; think of it as a tag team effort toward security…you'll be glad you did.
Filed under: Security
Tags: dns hijacking, email scam, hacked, pwnage, User training