You Won’t Believe How Adorable This Kitty Is!
read emails featuring the photo of a Turkish Angora cat with a purple mohawk, sent to nearly two million [office workers] so far. It includes an attachment or link promising more feline photos. Those who click get a surprise: stern warnings from their tech departments.
The Dr. Zaius email is a simulated cyberattack. It is among the ploys companies are using to dupe employees into committing unsafe computing as a way to train them not to be so easily fooled.
Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.
“It’s a gotcha service,” says Tom DeSot, executive vice president at Digital Defense Inc. of San Antonio, whose 10 confidence-men-for-hire – “ethical hackers” in cyber-lingo – craft attacks to exploit employees’ human failings. Their objective, he says, isn’t to get anybody fired or in trouble, but rather to help everyone learn the techniques malicious hackers also use.
Back in 2005, New York state twice sent 10,000 employees and contractors a “phishing,” or deceptive, email urging them to divulge passwords on a linked website. The first time, 15% fell for it, but the second time, only 8% did, says Will Pelgrin, who ran the test as the state’s chief information-security officer at the time and is now chief executive of the Center for Internet Security in East Greenbush, N.Y.
PhishMe Inc., the Chantilly, Va., company that created the Dr. Zaius emails and other fake phishing attacks that companies can use for tests, says clients have used its services to teach a lesson to 3.8 million employees.
Ryan Jones, who leads a half-dozen ethical hackers for a Chicago digital-security company, Trustwave Holdings Inc., likes to drop thumb drives and CDs in the bathrooms, driveways and nearby coffee shops of companies that hire him. Often, he will attach the company’s logo, a competitor’s logo or a label that reads “confidential.”
Almost without fail, an employee will find one of the decoys and stick it in a computer. “It starts off as curiosity,” he says. “It is kind of the same reason people watch reality TV: They want to see what else is going on in people’s lives.”
Mr. Jones’ devices contain software that takes over computers, hijacking built-in cameras to snap photos of the employees. …
PhishMe co-founder Aaron Higbee, who each week helps craft two new faux emails that companies use, says there is one universal weakness on email: “We always recommend they start with cute cats,” he says. The Dr. Zaius trick has worked on 48% of recipients, says Mr. Higbee, the real-world owner of Dr. Zaius (the cat’s real name, after a simian character in the movie “Planet of the Apes”).
Brian Fees is chief financial officer of CedarCrestone, an Alpharetta, Ga., tech firm that hired San Francisco-based MAD Security to do quarterly hacks on employees. Last summer, the team turned on him.
It plotted a hook Mr. Fees couldn’t resist: a pressing email from his CEO. “We went through their website and figured out who one of their key clients was, and then set up a fake email chain,” says MAD managing partner Michael Murray.
Sure enough, Mr. Fees opened the faux email and clicked on a link—that took him to a sham website. “Just as soon as I did, I knew I shouldn’t have,” says Mr. Fees, who quickly unplugged his ThinkPad from the network and called his security team.
Shortly, he learned he had been duped.
Mr. Fees says he is now sensitive to “how much more vulnerable” he is to responding to an attack when it appears to come from someone he works with most often.
The effectiveness of such efforts are a point of contention among security experts. Bruce Schneier, chief security technology officer of U.K. telecommunications operator BT Group, ignited a recent conversation on the topic with a blog post that said security awareness is a waste of money. “We should be designing systems that won’t let users choose lousy passwords and don’t care what links a user clicks on,” he wrote.
Still, it is a lesson some employees don’t forget.
Article Source:http://lms.brentphone.kr/board/newspaper_write2.asp?mcl=&opt_gubun=title&opt_wrd=&opt_lang=1&seq=4703&job=M
ImageSource: "alignright wp-image-18104" style="margin-left: 8px; border-width: 1px; border-color: black; border-style: solid;" alt="cat" src="http://www.studentnewsdaily.com/wp-content/uploads/2013/03/cat-240x150.jpg" width="200" height="150
VOCABULARY WORDS
1.Feline/adjective: relating to or affecting cats or other members of the cat family.
2.Ploy/noun: a cunning plan or action designed to turn a situation to one's own advantage.
3.Ethical/adjective: relating to moral principles or the branch of knowledge dealing with these.
4.Deceptive/adjective: giving an appearance or impression different from the true one; misleading.
5.Divulge/verb: divulge; make known (private or sensitive information).
6.Effectiveness/noun: the degree to which something is successful in producing a desired result; success.
7.Contention/noun: heated disagreement.
8.Expert/noun: a person who has a comprehensive and authoritative knowledge of or skill in a particular area.
9.Lousy/adjective: informal,very poor or bad; disgusting.
10.Ignite/verb: catch fire or cause to catch fire.
QUESTIONS FOR DISCUSSION
1. Define the following words as used in the article:
- simulated
- cyberattack
- ethical
- hacker
- phishing
2. Why are companies increasingly conducting simulated cyberattacks?
3. Why are many cyberattacks successful?
4. What is the main objective of ethical hackers?
5. a) In 2005, how many New York state employees opened a phishing email urging them to divulge passwords on a linked website; how many fell for the second email?
b) Are you surprised by the numbers? Explain your answer.
6. Why does Aaron Higbee of the ethical hacking company PhishMe recommend clients start with the cute cat to trick employees?
7. How does the chief security tech officer of U.K. telecom BT Group differ in his approach to cybersecurity?
8. a) Will any of the information in this article cause you to change your email viewing habits? Why or why not?
b) Ask a parent the same question.
