Cyber Security Awareness Month: Protecting Your Network From "Dave"

Published: 2015-10-05
Last Updated: 2015-10-05 15:14:09 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

This cartoon by John Klossner really hit a nerve with many security professionals. It nicely illustrates how many of us see the futility of our jobs: We can buy all the greatest and latest equipment, but in the end, we are up against users clicking on links and installing software that they shouldn't. Cisco recently published a statistic that 40% of all users who hit one of the recent exploit kits landing pages are getting infected by one of the exploits delivered by the exploit kit. Brad keeps telling us about the various methods how to spot exploit kits, and how they evolve over time. In the end, any user we can keep away from an exploit kit page is a "win".

This October, like in years past, we "celebrate" cyber security awareness month. The idea is to use this month for some special security awareness activities. In the past, we used a specific theme for our diaries in October. This month, we will have a couple specific diaries about tips and tricks in awareness training. If you want to share any tips, please let us know.

Here are a couple of resources:

SANS Securing the Human: (in particular the "Ouch" newsletter)
SANS "Tip of the Day":
Past CSAM Diaries:

Phishing Tests:

Information about Cyber Security Awareness Month (and links to more resources):

And if you need more inspiration for your own campaign, here are more of John's security related cartoons:

Johannes B. Ullrich, Ph.D.

2 comment(s)


Shameless plug follows...
We started using about a year or so ago and it's been a big win for us.

We send one phish test per quarter (roughly) and have seen some improvement in the number of users who fall for the phish. But IMHO one of the biggest wins is that now my userbase is paying closer attention and also reporting phish to me. So given a phish report I can go dig up the original email and if it contains an attachment, run it through some of the malware analysis tools and look for things like IPs and hostnames. Then I can look in my DNS query logs (you DO log all your user's DNS queries, right? - grin) and see if anyone fell for it. But I can also pro-actively de-fang the malware by adding a rule to our DNS filters to block that hostname (or any hostname resolving to that IP or both) preventing the download of 2nd-stage malware. Given only an IP I can go look through snort logs or Palo Alto firewall logs, etc. And if the phish just contains a link, I can use a throw-away VM and wget the URL using a faked UserAgent (so I pretend to be an exploitable browser on a windows system).

One could accomplish the same thing without a commercial solution - phishme has just made it easy.
The Sonicwall link is no longer working.

Diary Archives