A great many teaching stories from various traditions emphasize how the press of daily life, or ordinary human emotions, can crowd out and switch off common sense. At its foundation, Internet security awareness relies on people's ability to stop and think before they act. Of course, this isn't always possible, so it's also advisable to erect as many automated defenses as possible on behalf of Internet users: anti-malware, e-mail screening, URL and content filtering, comprehensive firewall rules, and so on.
But at some level, users must be allowed to venture out of their safe havens on their own hard disks and corporate intranets so that they can do their jobs properly. Once they leave those protected precincts, and whenever they deal with information that comes from outside those boundaries, they must be taught to stop and think before they interact with Web sites, e-mails, Twitter feeds, and the plethora of software and services presented to them daily on social networking sites. If users can learn to apply four simple rules, they can avoid 99% of the sources whence attacks occur, no matter how subtly or carefully couched those attacks may be to catch the unwary or unwitting:
- Never click links in unsolicited, unexpected, or unwanted e-mail: this is how phishing begins, and it is far too often enough to let malefactors establish a beachhead on user systems.
- Never open unexpected e-mail attachments, even if they appear to come from someone you know very well: this is how many attacks occur, simply because users don't stop to think that a celebrity photo or surprise RFP may contain surprises above and beyond what shows up on their screens.
- Never download software from anything other than a major, well-known, reputable source: this means only from vendor sites and well-known sites (like CNET/
- Never click links on unknown or un-vetted Web sites to download anything: this is the Web-based equivalent of a link in a phishing e-mail. Tell your users they don't want to go there, and you don't want them to go there, either.
Regular reminders and check-ups are also a good idea to keep users on their toes, and to provide constant reinforcement that they must always stop and think before they act, click, or download on the Internet. If they can remember the four basic rules outlined above, they will steer clear of most sources of trouble, and the human element in your security perimeter will become more secure.
Stu Sjouwerman