One Article Review

Home - The article:
Source taosecurity blog
Identifier 1593657
Publication date 2020-03-12 09:29:36 (viewed: 2020-03-12 14:01:53)
Title COVID-19 Phishing Tests: WRONG
Text Malware Jake Tweeted a poll last night which asked the following:

"I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"

Ultimately he decided:

"My gut feeling is to not use COVID-19 themed emails in assessments/training, but to TELL users to expect them, though I understand even that might discourage consumption of legitimate information, endangering public health. 6/"

I responded by saying this was the right answer. Thankfully there were many people who agreed, despite the fact that voting itself was skewed towards the "yes" answer.

There were an uncomfortable number of responses to the Tweet that said there's nothing wrong with red teams phishing users with COVID-19 emails. For example:

"Do criminals abide by ethics? Nope. Neither should testing."

"Yes. If it's in scope for the badguys [sic], it's in scope for you."

"Attackers will use it. So I think it is fair game."

Those are the wrong answers. As a few others outlined well in their responses, the fact that a criminal or intruder employs a tactic does not mean that it's appropriate for an offensive security team to use it too.

I could imagine several COVID-19 phishing lures that could target school districts and probably cause high double-digit click-through rates. What's the point of that? For a "community" that supposedly considers fear, uncertainty, and doubt (FUD) to be anathema, why introduce FUD via a phishing test?

I've grown increasingly concerned over the past few years that there's a "cult of the offensive" that justifies its activities with the rationale that "intruders do it, so we should too." This is directly observable in the replies to Jake's Tweet.

It's a thin veneer that covers bad behavior, outweighing the small benefit accrued to high-end, 1% security shops against the massive costs suffered by the vast majority of networked global organizations.

This is a selfish, insular mindset that is reinforced by the echo chamber of the so-called "infosec community." This "tribe" is detached from the concerns and ethics of the larger society. It tells itself that what it is doing is right, oblivious to or unconcerned with the costs imposed on the organizations it is supposedly "protecting" with its backwards actions.

We need people with feet in both worlds to tell this group that their approach is not welcome in the broader human community, because the costs it imposes vastly outweigh the benefits.

I've written here about ethics before, usually in connection with the only real value I saw in the CISSP -- its code of ethics. Reviewing the "code," as it appears now, shows the following:

"There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.

Code of Ethics Preamble:

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession."

This is
Sent Yes
Tags Malware


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.