基本HTML大乐透走势图500期图
Page 13 - 网络防御杂志 - 2017年9月
P. 13

If  you  read  the  opinions  of  cyber  security  experts,  you’ll  find  that  many  believe  security
               awareness training is a total waste of time and resources. After all, why should individual users
               shoulder the burden of cyber security when most don’t even understand what it is.

               Rather than providing higher-quality training, they argue, you should strive to create a network
               environment that is immune to any mistakes your users might make.
               And  in  theory,  this  approach  makes  sense. After  all,  most  people  really  are  clueless  when  it
               comes to cyber security, and user errors are a common cause of data breaches.

               Moreover, it’s easy to understand the argument that users should not be expected to consider
               security, as it should really be wholly the responsibility of the IT department.
               But here’s the thing. All of this is good in theory, but it just doesn’t translate into practice.
               In the real world, there’s no combination of technical controls, security products, and network
               hygiene practices that can completely protect users from cyber-attack
               .
               And, as a result, if you’re serious about the security of your organization, there’s just no getting
               around the need for high-quality security awareness training.

               Why Improving Awareness is a Terrible Goal

               A big part of the reason why most security awareness training is so bad, is that it starts with
               completely the wrong objective in mind.

               Let’s be honest, what good did awareness ever do anybody? Does being aware that we should
               eat healthily make us less likely to take the kids to McDonald’s on the weekend?

               Clearly not. What we really need to improve are security behaviors.

               Knowing this, we can start to think about what useful security training might look like. After all,
               everybody knows which poor security behaviors are the biggest cause of security incidents.

               Improper data disposal. Leaving laptops on trains. And, of course, accidentally clicking on links
               or attachments in phishing emails.

               In fact, according to Verizon, over 90% of all data breaches include a phishing or other social
               engineering  attack  somewhere  along  the  line.  Knowing  this,  you  can  start  to  make  sensible,
               proactive decisions about the future of security at your organization.
               Now of course, in some cases, technical controls really are the answer. Nobody plans to lose
               their  laptop  or  USB  drive,  but  ensuring  that  all  such  devices  are  encrypted  can  dramatically
               reduce the potential impact of their loss or theft.

               Similarly,  it’s  reasonable  to  assume  that  no  matter  how  good  your  security  training  is,  some
               mistakes  will  still  be  made.  Tightly  controlling  user  access  levels  and  implementing  sensible
               network architecture are two ways of limiting the impact of those mistakes.

               But when it comes to a threat vector like phishing, technical controls can only do so much. Many
               phishing  campaigns  no  longer  rely  on  malicious  software  or  downloads,  but  can  still  have  a
               tremendous negative impact on your organization. BEC scams, for example, are routinely used
               to  trick  low  level  employees  into  authorizing  huge  payments  directly  into  attackers’  bank
               accounts, and are practically immune to technological security controls.




                    13   Cyber Defense eMagazine – September 2017 Edition
                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.
   8   9   10   11   12   13   14   15   16   17   18