IT professionals are aware of the damage malware can cause; dealing with it is part of their everyday work. End users, on the other hand, are often not aware that such harmful code may be living in their computers, tablets and smartphones. From a security perspective this matters: if users do not understand the risks, no technical security measure can fully compensate for careless user behavior. It is therefore of utmost importance to educate users about the security threats they face and the tactics that cybercriminals use.
Since digital security is a complex (and, to be frank, unpleasant) topic to talk about, it is best to make it simple and keep it simple. We need to make sure that users receive the information they need to understand the risks they are facing. We have to start with the basics and make sure users thoroughly understand them. Only then can we build on those basics so that they truly understand the current, sophisticated threat landscape.
I would start by telling users about malware and cybercrime. Understanding what malware is, in terms of worms, spyware and keyloggers, and how each relates to criminal activity is a good start. Then I would go on to explain why anyone is a potential target and why thoughts like “I have nothing they could want”, “my information is of no use to them” and “how would they find me among so many people” are plainly wrong. I would explain the concept of botnets: how they are formed, how they are operated and how they are cashed in on. I would also emphasize that cybercriminals have become very adept at creating threats that easily bypass security controls, so assuming that having an antimalware application means we are safe is a false sense of security. One careless click and it is over.
Next I would explain other types of malware, such as rogue applications, which pose as legitimate applications and request updates. Many of these pose as antimalware applications or as system cleaning and performance tuning tools. Some claim to originate from police departments, or even the FBI. They look very authentic and are hard to tell apart from legitimate programs. Their purpose is to make you send money or to install additional malware. I would tell users to stop what they are doing and contact IT if they see such an application on their PC.
Then I would cover ransomware, which, as the name implies, holds the data and applications on the PC hostage. Clicking a link in an email or visiting a malicious website can easily make you a victim. If the company does not provide central backups of user files, users have to make sure that any business-critical data is regularly backed up.
The next topic would be phishing. I would start by telling users about social engineering and how it relates to phishing. The key point users need to understand is that these tactics are all about tricking them into disclosing information they would not voluntarily share: credit card numbers, passwords and social security numbers, to name a few. To achieve that goal, cybercriminals use deceptive websites, fraudulent emails containing links to malicious websites, malware downloads and so on. Cybercriminals scour social media sites to collect enough information about the target to make the attack as convincing as possible. I would further tell users that, because people reuse the same password on more than one site, a compromised forum account password can pave the way to a compromised social media account.
Similar tactics are employed by cybercriminals on social media sites. One very common attack is to take over a social media account and then contact everyone on the friend list, claiming to be in a difficult situation and in urgent need of money. The takeaway for users is to call the friend back by phone and confirm the situation before acting.
I would then move on to drive-by downloads, which were already touched on above as a precursor to phishing attacks. Users have to be wary of emails that appear to come from trusted websites. The critical element is earning the user’s trust: once the user trusts the message, he clicks the link. I would point out that the icons shown in an email can also be deceptive. The user may see a PDF icon in the attachment section of the email, and malware may be hiding behind it. I would tell users that cybercriminals disguise their malicious code behind emails that arouse curiosity: shipping confirmations, mortgage payments, abnormally high ISP or cable bills, celebrity images, fake news and so on.
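The point about deceptive icons is that what the mail client shows (an icon chosen from the visible file extension) and what the file actually is can differ. The following is an added example, not code from the original post, of a defender-side check a mail gateway or helpdesk script could run: it compares an attachment's claimed extension against a few well-known file signatures and flags double extensions such as `.pdf.exe`. The signature table and the sample attachments are constructed for the example and are deliberately small.

```python
from typing import Dict, List, Optional

# Constructed, non-exhaustive table of file signatures ("magic bytes").
# Office documents (docx/xlsx/pptx) are ZIP containers, so they share the ZIP signature.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
    "png": b"\x89PNG\r\n\x1a\n",
}
ZIP_BASED_EXTS = {"zip", "docx", "xlsx", "pptx"}

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "hta", "jar"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type name whose signature the content starts with, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def extensions(filename: str) -> List[str]:
    """Split every extension off a filename: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks deceptive; an empty list means no finding."""
    findings: List[str] = []
    exts = extensions(filename)
    claimed = exts[-1] if exts else None  # the extension the mail client uses for the icon
    actual = detect_type(data)            # what the bytes say the file is

    # Case 1: the visible name ends in an executable extension, possibly hidden behind
    # a document-looking one ("invoice.pdf.exe" shows a PDF-like name but runs as .exe).
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"double extension: shown as .{exts[-2]}, really .{exts[-1]}")
    elif claimed in EXECUTABLE_EXTS:
        findings.append(f"executable attachment (.{claimed})")

    # Case 2: the content does not match the extension the name claims.
    if actual == "exe" and claimed != "exe":
        findings.append(f"content is a Windows executable but name claims .{claimed}")
    elif actual and claimed and actual != claimed:
        if not (actual == "zip" and claimed in ZIP_BASED_EXTS):
            findings.append(f"content type {actual} does not match extension .{claimed}")
    return findings


# Constructed sample attachments: name -> first bytes of the content.
SAMPLES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # executable renamed to look like a PDF
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "quarterly.docx": b"PK\x03\x04\x14\x00\x06\x00",
}


def scan_samples() -> Dict[str, List[str]]:
    """Assess every constructed sample and return the findings per filename."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{name:20s} {status}: {'; '.join(findings)}")
```

The check is intentionally conservative: it only reports when the name and the content disagree, or when the name itself ends in something Windows would execute. A real gateway would use a full signature library and inspect archive contents, but the idea that users should be taught is exactly this one: the icon is drawn from the name, and the name can lie.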
I would also explain that certain websites on the Internet disguise their true intention. Cybercriminals know what users are searching for and tailor their websites so that they look like the result the user is after. Most of these websites spring up right after a major news story breaks. I would use the 2014 iCloud scandal as an example and point to the number of websites that appeared claiming to have the “complete leaked images ready for download.” Google is very good at spotting these websites and protecting users; finding them usually takes a couple of hours. The takeaway for users: browse the web with care.
Then come the mobile threats. I would start by telling users that thinking malware is limited to personal computers is a huge mistake. Malware on mobile devices is growing as fast as the devices themselves are spreading, and it is the fastest growing segment of malware. Malicious mobile software does damage such as calling or texting international premium numbers, stealing personal data, or transmitting usernames and passwords to its writers or operators. I would tell users how mobile malware is predominantly distributed: either by borrowing the names of popular applications or by offering huge discounts if the application is downloaded from another website. If a developer sells an application for USD 10 on the App Store and Google Play, and it is offered for USD 1.99 on www.downloadcheapiosgames.com, there is something to be suspicious about. I would tell users what application stores are for and how they are monitored to some extent, and tell them to install applications only from trusted developers.
All of this may seem blindingly obvious to you. However, adopting the tips in this post into your end user security training will enable users to do their part in protecting the company’s network from data breaches, defending against identity theft, protecting the company’s data and, in the end, protecting the company’s reputation.
Image credit: http://article.wn.com/