Skip to content

Fear and Loathing in Enterprise Security

October 21, 2008

It’s October 21, 2008, and we’ve just been through two of the most turbulent weeks in the history of global financial markets. While perhaps, to borrow from Mark Twain, rumors of the death of capitalism are greatly exaggerated, it’s clear that there’s no overstating when it comes to the increase in security attacks that go hand-in-hand with turbulent times. As IT news outlet CNET recently posted ( regarding an article in today’s upcoming McAfee Security Journal, fraudsters are taking the opportunity to exploit fear by ratcheting up not only the quantity of attacks, but are significantly increasing attack vectors. Veiled in a broad range of scams – fake news stories with shocking headlines (“Dow Drops 2,000 points! Click here for details!”), valueless stocks (“make back the money you lost last week! Buy OTCBB.BADSTCK today!!”), and even targeting industry leaders (Steve Jobs did not collapse from a heart attack last week, thank you very much) – unscrupulous people are continuing to use a broad array of techniques to exploit fear.

Traditional spamming and phishing techniques are being augmented by both technical methods (typosquatting, trojaning, baiting) and social engineering methods (pretexting, quid pro quo) to create a powerful set of tools established for the purpose of getting access to confidential information. When major events occur like the current financial crisis, it’s just not rational to assume that employees will abide by, for example, acceptable system use policies, and won’t attempt to catch up on news, check their bank account, or try to transfer their 401(k) to less volatile instruments – all of which can expose them to any and all of these techniques. While information security can partially enforce good user behavior, there is no technology in the world that will prevent a person from divulging their social security number, their username or password, or non-public details about their company.

What does all this mean for the enterprise security professional? It means that, more than ever, security tools, technologies and platforms are not enough to protect your environment, your users, and your organization. Anti-malware, proxies, and other technologies are definitely vital to your environment, but addressing the human factor is just as important as implementing the right technology; to that end, employee awareness of information security threats is a critical countermeasure to protecting your people, processes, and technologies. It’s critical to ensure all your people – employees, contractors, vendors, and suppliers – understand not only that a policy is in place (“do not divulge private company information to anyone outside the organization”), but more importantly, why it is in place; knowing both the consequences and sanctions of treating information securely will augment your security technologies and help ensure that your people become a critical part of your security program.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: