One Article Review

Home - The article:
Source AlienVault.webp AlienVault Blog
Identifier 2636844
Publication date 2021-04-14 10:00:00 (seen: 2021-04-14 11:05:50)
Title Phishing towards failed trust
Text This blog was written by an independent guest blogger.

Phishing exercises are an important tool for promoting security awareness in an organization. Phishing is effective, simply because it works. However, any social engineer can devise a marvelously deceptive message with an irresistible link that only the most tech-savvy person would spot as a phishing test. Sometimes, the phish can be sent at a time of day that catches the recipient off guard, which causes a person to click the malicious link. These techniques are so effective that even the most experienced people have been fooled, not only by phishing tests but also by real scams.

As social engineers, it is easy to play on people's vulnerabilities: their fears, hopes, and dreams. Fears, such as those used in scams against the elderly; hopes, such as those used against the optimistically trusting; and dreams, such as those used against the wistfully romantic. However, as with any security practice, we have to temper our thrill of victory, that is, the adrenaline rush of the "gotcha" moment when a person falls for our brilliantly crafted phishing test, with the reality of our true purpose, which is to educate and build trust. With that in mind, we must ask ourselves: when have we gone too far?

For example, according to a report that was published at the height of the pandemic, Covid-related scams rose to an all-time high. The cybercriminals have been hard at work, trying to capitalize on our fears, our desire to seek information, and, more recently, our desire to become vaccinated. Has your organization used the pandemic in any recent phishing exercises? How effective were they? Was the "hit" rate high? More importantly, did the people who failed the test thank you for showing them the error of their ways? I doubt it. I am not stating this merely to make enemies in the security community.

As a 20+ year veteran in the industry, I too understand the struggles and the frustrations of building a security culture in an organization. However, let's look to the legal profession for a moment to try to understand why Covid-based phishing exercises are simply wrong. The problem at hand is one of our freedom to act recklessly. If we look to the landmark U.S. Supreme Court case of Schenck v. United States, we are met with the famous quote about how freedom of speech does not give one the right to "yell 'Fire!' in a crowded theater". In a later case, Rochin v. California, the phrase "shocks the conscience" became part of legal doctrine. An action is understood to "shock the conscience" if it is "grossly unjust to the observer." Contrary to helping an already stressed staff, does a Covid-based phishing exercise succeed in anything other than violating the senses, as well as bordering on a cavalier abuse of our "expertise"? There are so many ways to educate
Sent Yes
Tags Tool
The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.