Smart Stupid People Click Phishing Links

Yeah, but I'm thinking about corporations when I talk about security. For the military, security has a whole different meaning. Lives will always be more important.

The problem when it comes to security is either you restrict everything to deal with the lowest denominator, in which case you create artificial hoops for people to jump through. The smarter worker will actively try to circumvent those barriers because they interfere with their job. That opens up a whole bunch of other problems down the line when they do figure out a way around whatever stupid thing you put in place and share it with everyone.

Or you take the smarter approach and figure that to really be secure is to plan for people to get infected and plan for people to fall for phishing schemes/ransomware eventually (because eventually someone will be dumb enough to get in trouble with this) and put systems in place to mitigate any potential damage. Daily/weekly backups, for starters, are a good way to get around half the problem. With phishing sites, monitoring internet traffic and blocking known phishing sites is a way to prevent this. Routinely testing people with phishing sites made to test employees, and having the ones that fail take a mandatory class, is another way to prevent it through education. Making sure everyone is using ad/popup blockers in their browsers and limiting access to sensitive information is yet another. Starting to utilize 2-factor authentication is yet another one, which will eliminate the effectiveness of most phishing sites.

My whole point is that disabling HTML in emails is like the least effective way to prevent phishing.


Agree right down the line until the end... disabling HTML is one more step that can be taken when warranted following a proper risk analysis. In other words, if your use case points to a high risk from HTML vulnerabilities in email, it should be disabled, particularly if it's not needed to support current or planned business practices. But if you use embedded HTML in email and your organization won't incur serious risk... it would be worth the risk to keep it.

You can't paint across IT security with a broad brush; you have to go through the moves, examine processes and evaluate risks. You know this or you wouldn't have written what you did above; you are just focused on your own use case and see it from that perspective. Therefore you are right... from your own company's use case.
 
It is AP. Extremely untrustworthy when it comes to Russian news (or any news of any country the US and its allies deem hostile, or where news is deemed inconvenient, i.e. Middle Eastern allies).

So take it with a bucket of salt.
 
Work email is what you need it to be for your job, so you telling me I am doing it wrong is just asinine. We eliminated the daily reports via email a long time ago, and now we have web portals where authorized users can log in if they want to see the reports that are generated.

We have a policy of not clicking on links without verifying senders first, and our emails automatically identify and flag outside external senders to give you additional warnings that links and attachments may be dangerous.

Ditto,...again.
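The external-sender flagging described in the post above, as an added illustration that is not code from the thread or from any poster's organisation: a small mail filter that parses the From header, decides whether the sender domain is one of the organisation's own (the domain list and the message samples are constructed for the example), and tags the Subject and body of anything external so the recipient gets the extra warning before touching links or attachments.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical internal domains for the example organisation (assumption).
INTERNAL_DOMAINS = {"example.com"}

EXTERNAL_TAG = "[EXTERNAL]"
WARNING_BANNER = (
    "CAUTION: This message came from outside the organisation. "
    "Verify the sender before clicking links or opening attachments.\n\n"
)


def sender_domain(from_header: str) -> str:
    """Lowercase domain of the address in a From header ('' if unparsable)."""
    _display_name, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_internal(domain: str) -> bool:
    """Internal if the domain is one of ours or a subdomain of one of ours.

    The suffix check requires a leading dot, so a lookalike such as
    'example.com.evil.test' is NOT treated as internal.
    """
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def is_external_message(raw: bytes) -> bool:
    """True when the From domain is missing, unparsable or not internal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg.get("From"))
    return not (domain and is_internal(domain))


def tag_external(raw: bytes) -> EmailMessage:
    """Return the parsed message, with Subject tag and body banner added if external."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external_message(raw):
        return msg

    subject = msg.get("Subject", "")
    if not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]  # replace_header would fail on a missing Subject
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()

    # Only single-part plain-text bodies get the banner in this example;
    # multipart messages are still tagged in the Subject.
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(WARNING_BANNER + msg.get_content())
    return msg


# Constructed sample messages (not real mail).
INTERNAL_RAW = (
    b"From: Payroll <payroll@EXAMPLE.COM>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: March payslips available\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Payslips are on the HR portal.\r\n"
)

LOOKALIKE_RAW = (
    b"From: Help Desk <helpdesk@example.com.evil.test>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Password expires today\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Click the link to keep your account active.\r\n"
)

if __name__ == "__main__":
    for sample in (INTERNAL_RAW, LOOKALIKE_RAW):
        tagged = tag_external(sample)
        print(tagged["From"], "->", tagged["Subject"])
```

The From header alone is spoofable, so a production filter of this kind runs after SPF/DKIM/DMARC evaluation and also tags messages whose authentication results fail; the domain check above is the part that decides what counts as "outside", which is exactly the policy the post describes.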
 
Had a coworker who came from Lockheed Martin. He talked about how earlier this decade (around 2010-2012-ish) a coworker had plans for a new stealth fighter. That same coworker had LimeWire installed on his WORK computer for listening to music. Lo and behold, one file ended up in the wrong folder. Six months later, reports come out that Russia is working on a fighter very similar to theirs. Needless to say, the worker was canned.
 