By visiting which type of website are you more likely to get infected with malware: a religious site or an adult site? I've been asking computer security professionals that question for almost a year now. If you've read the Internet Security Threat Report, version 17, you know the answer. It's religious sites. We found that a higher percentage of religious sites than adult sites had been hacked into and loaded up with malware by the bad guys.
I like to quiz people on this one because it doesn't meet expectations. Some people sense a set-up in the question, but most answer that you're more likely to get infected on an adult website. The real message I try to leave behind with that question and the ISTR data is that any type of site could infect you with malware. A drive-by download needs no click from the visitor: a compromised page quietly serves exploit code aimed at the browser or its plug-ins, and that page can live on any site whose operators have let their security lapse. It's not dicey sites that will get you infected by a drive-by download; it's sites with dicey security.
One expectation I find I have trouble shaking is that end-users are hopeless when it comes to understanding computer security. We live this stuff every day, and yet we run out of patience for the end-users who don't, and who therefore lack our security savvy. Computer security professionals shake their heads and grunt disapprovingly whenever you talk about trying to train end-users. The expectation is that they are not trainable.
I completely disagree. And I think we have to take a lot of the blame for end-users not getting it. We've forgotten how to talk to the non-professional. We have our own phrases and acronyms that we pepper our talk and training with. To the typical end-user we are speaking a foreign language. We also want people to understand security the same way we do. And truly, they don't need to. We can take care of the technical end of things. They don't need to know how an exploit works; they just need to recognize when the bad guys are trying to fool them.
We can do better at training end-users to protect themselves against malware attacks. In honor of National Cyber Security Awareness Month, I've tried to do my part to help. I've put together a presentation targeted at end-users, to help them spot and avoid being fooled by the bad guys. It's a presentation that is fun to present, with a lot of show, not tell. It's meant to engage, not put off, an end-user audience. And I think that even a security professional could find common ground with an end-user by using it. Here's a webcast of the presentation I'd give to end-users. Check it out and feel free to use it to educate your own end-users: http://bit.ly/Ry8FDp.