We don't need no education?

Despite years of malware and social engineering attacks we don't seem to be any nearer to making employees understand the dangers of the internet.

The present state of malware propagation is a familiar story to anyone who regularly uses the internet. "My friend sent me this link that was supposed to be a video which asked me to update my flash player first, but I got infected instead." Then, there's the inevitable aftermath, which is particularly familiar to users of social networking sites like Facebook or MySpace.  "If you received a weird message from me yesterday, delete it and don't click the link. I got a virus."

My friends are a more internet-savvy bunch than most, and still they fall for these social engineering tricks too. The same tricks are being used by malware writers as were used 10 years ago, though now they're more refined at their craft. At West Coast Labs we see an increasing number and variety of malware come through every day on our global research network.

The same vulnerabilities that have been used for years are still effective. The technologies have certainly matured to deal with the advanced sophistication of the threats themselves. However, the people using the technologies have changed little and they've learned few of the lessons about what is appropriate internet behaviour. More importantly than that, Acceptable Use Policies (AUP) in corporate environments have changed little since the days of the Melissa virus.

At the same time the way users interact with computers has changed drastically in the past 10 years. People have computers in their cars, their homes and laptops are everywhere. Why hasn't knowledge and education kept up? While we've been sleeping, malware authors have been working tirelessly at their creations, which has led to malware growing exponentially.

Many companies do not adequately protect their mobile devices, especially laptops, which leave the corporate environment. This lack of security significantly increases the chances of both allowing infections in and valuable data out.

Those companies that have learned the security lessons of the last decade have an operating standard for portable devices (or a corporate-standard imaged machine) which enter the enterprise, and will put machines in a walled garden until the machine has been proven safe. This ensures that the machines meet a minimum standard of patching and security effectiveness before a machine can touch corporate assets.

Technology can address only so much. IT managers need to create a policy to ensure that users practise appropriate web-surfing on corporate resources, and don't tamper with security software. However, data security education is a controversial subject -- there are no statistics which prove or disprove its effectiveness.

 
The fact that social engineering tactics have not changed could mean that education is ineffective, or that the tactics we use to educate are ineffective. I'm in the camp that says it's ineffective as the messages about what constitutes secure computing behavior have been remarkably contradictory.

If we each do our part to educate ourselves enough to ensure consistent messaging within our own environments, and then strictly enforce that behaviour, we can begin to improve the security of the internet as a whole.

Lisa Myers is director of research at West Coast Labs.