OK, we all know that there is a lively trade in 0-day threats. Often this is an unknown vulnerability in a popular browser that is not fixed yet. Microsoft recently announced they fixed one in Internet Explorer. If you read Microsoft's description about the 0-day and what can be done about it, there is an inescapable conclusion that you have to make. Here is what Redmond said in their TechNet Security Advisory 2847140.
It states: "In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website."
And that means that all the software layers of your defense-in-depth are for naught if the user gets social engineered and clicks on the link. The conclusion: End-user Security Awareness Training may very well keep your company safe and secure. Note that I do not claim that Security Awareness Training is the end-all solution. However, it is definitely a layer that you need in your overall defensive stance.
Your last layer of defense is that end user looking at a phishing email in their inbox, with their mouse hovering over the link. When you have a well-managed security awareness program that constantly sends simulated phishing attacks to all employees, you will have end users on their toes who do not click on the link that delivers that 0-day, and who save the day.
Until a patch for that 0-day is released and deployed, end users may well be your last line of defense. It pays off to train them!
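The "hover over the link" check a trained user performs can also be automated on the mail gateway side as a cheap filter before the message ever reaches the inbox. The script below is an added example written for this post, not code from Microsoft, the advisory, or any awareness-training product; all domains and addresses in the sample message are constructed for the demonstration. It parses the HTML body, collects every anchor, and flags links whose visible text names one domain while the real href goes somewhere else, plus links whose target is a bare IP address.

```python
"""Flag links in an HTML email whose visible text disagrees with the real href.

Added example, standard library only. Domains below are constructed for the
demo (example.com / documentation ranges), not real phishing infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample message body (hypothetical domains).
SAMPLE_EMAIL = """
<p>Your account needs attention. Please sign in to review recent activity.</p>
<a href="http://203.0.113.7/login">https://bank.example.com/login</a>
<a href="https://bank.example.com.evil-login.example/reset">bank.example.com</a>
<a href="https://bank.example.com/help">Help center</a>
<a href="https://www.bank.example.com/statements">bank.example.com/statements</a>
"""

# A hostname-looking token inside the visible link text, with optional scheme.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels.

    Good enough to tell bank.example.com from bank.example.com.evil-login.example;
    a production filter would use the public suffix list instead.
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_in_text(text):
    """Return the hostname the visible text claims to point at, or None."""
    match = _HOST_IN_TEXT.search(text)
    if not match:
        return None
    host = match.group(1).lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html):
    """Return a list of findings for anchors whose text and target disagree."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        reasons = []
        if is_ip(href_host):
            reasons.append("link target is a bare IP address")
        text_host = hostname_in_text(text)
        if (text_host and not is_ip(href_host)
                and base_domain(text_host) != base_domain(href_host)):
            reasons.append(f"visible text says {text_host} but link goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed message, the first two anchors are flagged (IP-address target, and a lookalike host whose registrable domain is not the bank's), while the plain "Help center" link and the `www.` variant of the genuine domain pass. The two-label `base_domain` heuristic is deliberately simple; a gateway filter would swap in the public suffix list so that hosts under `co.uk` and similar suffixes compare correctly.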
(Hat Tip to Ben Ten)