Ted Demopoulos’ securITy

_________________________________________________________________
Subscribe to S e c u r IT y, our free E-newsletter on Information Technology, Security, and their intersection with Business.
_________________________________________________________________

User Phishing Awareness Survey Results
Criminals often attempt to spoof bank, auction, and other trusted websites, requesting personal information from users via emails and other electronic communications such as Instant Messages. These communications are known as phishing, and phishing has reached epidemic proportions. Many users receive phishing emails weekly or even daily. Some of these are extremely sophisticated and very believable. Personal data captured is used for identity theft, credit card fraud, and other crimes.

I surveyed 110 people in the USA between August 15 and September 30 on their awareness of phishing threats. Anyone known to work in IT was specifically excluded. Those surveyed included lawyers, secretaries, plumbers, telephone repairmen, telemarketers, doctors, and other people I encountered walking down the street – essentially a wide array of people.

Less than 48 percent of Internet users have heard of phishing, and only 30 percent have any idea of what it is. Less than four percent of Internet users have changed their online habits due to phishing threats. These are appallingly low percentages since most Internet users have been subjected to phishing attacks! Full results at http://www.demop.com/articles/Phishing_Survey.pdf

It’s not surprising that there is such a wave of phishing attacks today. It must be quite profitable for criminals since most Internet users are blissfully unaware.

Some Participant's Comments:

· “You mean I should worry about these?” -yes, you should
· “Changed my habits? – hell no!”
· “You mean the band ‘Phish?’”
· “My credit cards are maxed out so it doesn’t matter.” -yes, it does!
· “I have several phishing attacks weekly.”
· “Phishing? That’s a stupid name.”  -yes, but a real threat
· “I don’t even open email unless I know the sender.”
· “I read about them last week but don’t remember.”
· “I just got one this morning.”

Often it is easier to attempt to modify human behavior than to directly attack computer systems. For example, it is usually far simpler to trick a user into divulging personal information than to break into a secure server than contains this data. These types of attacks are known as social engineering. Wikipedia defines social engineering as "the practice of obtaining confidential information by manipulation of legitimate users." Often social engineering is effective because of the natural tendency of people to want to be helpful, for example the help desk worker who receives a desperate call from an alleged user who has lost their password.

Combating social engineering involves user awareness. Many organizations have user awareness programs aimed at increasing security awareness. Unfortunately user awareness must be an ongoing process. User awareness is like exercise - its results are short lived unless it is part of a regular routine. Users forget very quickly!

In addition to user awareness, a set of formal rules for user behavior, designed to protect the organization AND users, is necessary. These are typically part of an organization's Security Policy. When a help desk user is confronted by an angry person on the telephone at 5PM on Friday claiming to be an executive vice president and demanding their "forgotten" password be reset because an extremely large contract is at risk, and threatening the help desk worker with disciplinary action if they do not comply, what are they supposed to do? Quite simply, follow the Security Policy rules that pertain to forgotten passwords.

The Internet is still fairly new to most people. Most people are not as aware of Internet risks as real life risks. An individual usually has healthy skepticism when a stranger approaches them on the street with a request, and quickly determines whether to honor that request. As users gain more experience, they will naturally develop a sense of what is suspicious and potentially dangerous on the Internet, just as in real life.

I sometimes compare the Internet and safety to driving a car and safety. A relatively new driver, say someone who has been only driving a few months or years, statistically has more accidents than a driver with many years of experience. As the length and depth of experience of the average Internet user increases, so will their ability to “surf safely,” and they will develop a “gut feeling” for what is legitimate as well as suspect.

Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
_________________________________________________________________
This newsletter is Copyright © 2005 by Demopoulos Associates, Durham, New Hampshire, USA.  All rights are reserved, except that it may be freely redistributed if unmodified.

Sharing securITy is encouraged if the copyright and attribution are included.

The free newsletter of Demopoulos Associates, www.demop.com