Actually, things mostly don’t change. We talk a lot about the dynamic threatscape, advanced attacks, and all sorts of other things that make us feel special. But most of the same tactics that have been owning people and technology for decades are still in play. The mass market doesn’t learn, so it repeats history – over and over and over again.
Roger Thompson makes this point in a recent ICSA blog post on Cryptolocker. He reiterates the directions he (and probably the rest of you) have been giving folks for a long time.
I told her that Cryptolocker was indeed real and is the criminal’s monetization scheme-du-jour. While it is a real pain if you got nailed by it, basic security practices would keep you perfectly safe. I enumerated those practices for her, and, although we were communicating by typing in a chat program, I could almost hear her smile as she said, “That’s the same advice from twenty years ago.” I realized she was right.
The practices are right out of the simple security handbook. You know, things like patching (not just MSFT software nowadays), not opening unexpected attachments, not using admin rights (when you don’t need them), and backing up your stuff. Simple. But not many people really do this stuff. And that’s why advanced attackers are only as advanced as they need to be.
To be clear, as Roger says, if you are targeted by a truly sophisticated adversary, these simple practices won’t do much. But most of the world isn’t in that situation – fortunately. So getting better at the fundamentals still matters in security. And probably always will.
Photo credit: “Dancing Dummy” originally uploaded by Dave Hogg
One Reply to “The more things change…”
So why is it that we still have to give the same advice and obviously it isn’t followed widely? We have been saying the same things and still it’s not working. We need to change something. Are forced automatic updates the way to go? We can sit back and complain about ‘the user’ all day long but maybe it is time to realize that we as security professionals are guilty as well. Guilty for not making it easier to be secure.