Archive for the ‘Staff Education’ Category

How many times have you heard this?

August 31, 2007

We cannot change (insert your typical phrase); it has always been done this way. As I read a post at Different River titled "Be Consistent", I came to realize that in security this is something that is extremely common. I know it is an older post, but somehow I ran across it today. Here is an excerpt from the blog entry.


The Monkey Cage

Start with a cage containing five monkeys. Inside the cage, hang a banana on a string and place a set of stairs underneath it. Before long, a monkey will go to the stairs and start to climb towards the banana. As soon as he touches the stairs, spray all of the other monkeys with cold water. After awhile, another monkey makes the attempt with the same result – all the other monkeys are sprayed with cold water. Pretty soon, when another monkey tries to climb the stairs, the other monkeys will prevent it.

Now, put away the cold water. Remove one monkey from the cage and replace that monkey with a new one. The new monkey sees the banana and wants to climb the stairs. To his surprise and horror, all the other monkeys attack him. After another attempt and another attack, he knows that if he tries to climb the stairs, he will be assaulted.

Next, remove another one of the original monkeys and replace it with a new one. The newcomer goes to the stairs and is attacked. The previous newcomer takes part in the punishment with enthusiasm! Likewise, replace a third original monkey with a new one, then a fourth, then the fifth.

Every time the newest monkey takes to the stairs, he is attacked. Most of the monkeys that are beating him have no idea why they are not permitted to climb the stairs or why they are participating in the beating of the newest monkey. After replacing all of the original monkeys, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the stairs to try for the banana.
Why not?

Because as far as they know, that’s the way it’s always been done around here.

When it comes to security, one has to remember to "Keep an Open Mind"; the criminals do. Risks change every day, and so must we. Don't accept the answer that they have done it this way for years. If you can show that it could, or should, be changed for the better, then recommend the change.

Keep up the good fight.

Facebook ID Probe

August 30, 2007

A good read here: "Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves".

Sophos Facebook ID Probe findings:


  • 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41% of those approached)
  • 72% of respondents divulged one or more email address
  • 84% of respondents listed their full date of birth
  • 87% of respondents provided details about their education or workplace
  • 78% of respondents listed their current address or location
  • 23% of respondents listed their current phone number
  • 26% of respondents provided their instant messaging screenname

Talk about an opportunity to educate our members. This type of information could also be used in spear phishing attacks.


In the eyes of a Phisher

May 21, 2007

In a recent post at ha.ckers.org, RSnake had a chance to discuss things from a phisher's perspective. The phisher he spoke to calls himself "lithium".

In the post there were two questions asked that caught my eye:

“Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?

Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation."

and

"Do you foresee any changes to the phishing industry that are worthy of note?

No.”

With those thoughts in mind, what will a .bank TLD do to help anti-phishing efforts? I still believe that education of members and staff is the best way to combat phishing.

End User and Member Education

May 18, 2007

I read an article today called "People will click on anything", and it got me thinking about education.

It seems that Didier Stevens from Contraste Europe created a Google AdWords campaign called "Drive-By Download, get your PC infected here". During the six-month period that he had the ad up, it was viewed 259,753 times and clicked on 409 times.

What does this have to do with education? It seems we stress email, phishing, viruses, and other threats so much that when it comes to the daily habits of users we do not stress security enough. People are so used to just "browsing" the web that they do not think about what a site could or could not do to their PCs.

Another article on MSNBC's Red Tape Chronicles, "New Net threat: Infectious Web pages", shows that vulnerabilities in web-based applications could cause your PC to become infected with malware. It could even come from a site you visit every day.

Education on the threats that are out there, and on how to keep yourself, members, and staff safe, is extremely important. The tricky part is not to scare them, but to educate them.