In early 2001 a computer worm sent via email with the subject line “Here you have” created havoc for hundreds of thousands of Internet users. The malicious email promised recipients a file attachment containing a photo of tennis player Anna Kournikova. But when users clicked on the file to open it, they inadvertently executed code that sent copies of the infected email to all addresses in their email address books. The resulting traffic shut down email servers around the world.
Yesterday, another computer worm sent via email with the subject line “Here you have” was again successfully replicated with the help of unsuspecting users globally. NASA, Comcast, Disney, Wells Fargo and P&G were just some of the organizations hit hard yesterday by at least two variations of the worm. This time, the attack comes in the form of a seemingly harmless email requesting that the recipient click on a spoofed URL. Once clicked, the URL loads active code that installs itself to the local Windows directory and resends the email to everyone in the user’s email address book, and also spreads via remote machines, removable media and mapped drives accessible to the user’s machine.
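The lure described above rests on a spoofed URL: the visible link text claims one destination while the real href points elsewhere. The following is an added example (not part of the original post) of a mail-gateway triage check that flags that mismatch together with the known subject line; the subject list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible link text shows one host while the
# real href points at a different one (the "spoofed URL" pattern in the post).
SAMPLE_SUBJECT = "Here you have"
SAMPLE_HTML = (
    "<p>This is the document I told you about, you can find it here: "
    '<a href="http://example.net/x/file">http://example.org/docs/file.pdf</a></p>'
)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def spoofed_links(html):
    """Links whose visible text looks like a URL but names a different host than the href."""
    return [(text, href) for href, text in extract_links(html)
            if re.match(r"https?://", text, re.I) and host_of(text) != host_of(href)]


def triage(subject, html, lure_subjects=("here you have",)):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    if subject.strip().lower() in lure_subjects:  # subject list is an assumption
        findings.append("subject matches a known worm lure")
    for text, href in spoofed_links(html):
        findings.append(f"link text {text} hides real target {href}")
    return findings
```

Host comparison rather than exact string comparison keeps harmless differences (trailing slashes, query strings) from producing noise while still catching a link whose text and target disagree on where it goes.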
Most major anti-malware software vendors have issued advisories and updates addressing this new attack. Still, the best way to prevent becoming a victim of these types of attacks does not involve technical solutions. In fact, to be successful, this type of attack is entirely dependent on people – people letting down their guard and clicking on links when they really should know better. Social engineering attacks such as these manipulate the basic human desire to trust others by offering something in exchange for simply clicking on a Web link. The result is often infected PCs and unhappy users. At home this can be a major nuisance; at work, especially if you are a federal employee or contractor, systems compromised by malware can result in disclosure of sensitive agency data and other serious consequences. Business and government leaders tend as a general rule to focus on deploying technical solutions to combat cyber security problems – while avoiding the issue of how best to address the most vulnerable aspect of cyber security, people. Even with recent federal initiatives directed at creating a more cyber-aware workforce and culture, more resources need to be devoted to cyber security education, training and awareness.
To measure the return on investment of cyber security education and training, we can start with two questions: what is the cost of compromised data to a federal agency, and what is the cost of lost productivity and downtime caused by malware infections? The unavoidable fact is that 100% of the successful email worm infections that occurred yesterday would not have occurred if recipients had avoided clicking on suspicious links in emails. People need to be reminded frequently that cyber attacks are persistent and pervasive, constantly taking on new forms, and that they themselves represent the front line in defending against cyber attack. A properly trained, educated and cyber-aware workforce is still our best defense against social engineering attacks at home and at work.
One organization that is helping to raise cyber security awareness in the federal workforce is the Federal Information Systems Security Educator’s Association, or FISSEA. FISSEA is a NIST-sponsored group that is committed to assisting federal agencies in meeting their information systems security awareness, training, and education responsibilities. We strive to elevate the general level of information systems security knowledge for the federal government and the federally related workforce, and serve as a professional forum for the exchange of information and improvement of information systems security awareness, training, and education programs. If you are interested in learning more about FISSEA, please send a request to join our FISSEA group on GovLoop https://www.govloop.com/group/fissea and visit www.fissea.org for more information.
Al Lewis, CISSP-ISSMP, CISM
Cyber Security SME
FISSEA Executive Board Member