Drive-By Downloads can be initiated by websites or from infected USB drives
Sometimes, you just don’t hear it coming; and “zap”, you’re infected.
According to Ryan Naraine, an anti-virus expert who works for Kaspersky Lab, over 70 percent of all web-based malware is now hosted by legitimate websites that have been infected. Click HERE for an article with more info from Ryan. One way or another, the sites either host what’s called a “Drive-By Download”; or they redirect or link you to a site that hosts one.
Recently, for example, the Business Week website was hacked, and various parts of the site became infected with malware that caused visitors to be automatically redirected, or rerouted, to third party websites without their knowledge. At the new sites, a download is initiated, usually either by exploiting security flaws in browsers that mistakenly trust a site that initiates a download, or by impersonating a legitimate download, such as a Flash Player upgrade that the site says is “required” to continue.
While the website statistic is scary, this same risk can appear from USB drives, or other mobile storage devices, that are infected with malware, or which have file links to Drive-By Download sites.
Some newer browsers, like Firefox 3.0, have “Malware Blockers” that can detect some instances of this activity, but not all of them.
The moral: Keep your eyes open for anything suspicious, even when visiting what you think is a “trusted” website; and don’t ever use unknown or untrusted USB devices.
Using Honey Sticks can measure security awareness based on real human actions
Recently, I’ve been receiving a growing number of inquiries about how people can use The Honey Stick approach to test security awareness in their business. It turns out that there are a few good reasons to use this approach for doing baseline measurements, and as an indicator of how well your security awareness program is working.
As Michael Santarcangelo commented to me recently, it is much more valuable to measure real human actions instead of just asking people their opinions or to recall how often they perform various activities. The Honey Stick approach is a cheap, easy and safe way to get an indicator of what level of awareness staff has. As a result, I am in the process of putting together a guide book and a kit that can be used to do basic metrics for how safely an organization’s staff handles unknown devices.
It’s always good to have questions, comments and anecdotes from real industry people. So, if you provide a relevant story in this thread, I’ll consider including it in the book, and I’d be happy to give you a copy when it is published. What would you like to see in the book or kit?
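As an added illustration, not part of the original post or of the Honey Stick kit, here is how the results of a drop could be scored from observed actions rather than from survey answers. The event log format, the event names, the stick ids and the department names are assumptions made for this example.

```python
"""Score a honey-stick drop: what people actually did with the unknown devices."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, one observed event per line, in the assumed format
# "<stick-id>,<department>,<ISO timestamp>,<event>".  Assumed event names:
# 'plugged'  = stick was mounted on a company PC
# 'opened'   = a file on the stick was opened
# 'reported' = the finder told IT/security about the device
SAMPLE_EVENTS = """\
HS-01,finance,2008-10-01T09:02:00,plugged
HS-01,finance,2008-10-01T09:03:10,opened
HS-02,sales,2008-10-01T10:15:00,plugged
HS-02,sales,2008-10-01T10:40:00,reported
HS-03,hr,2008-10-02T08:30:00,reported
HS-04,finance,2008-10-02T13:00:00,plugged
"""
# Constructed drop list: every stick that was left lying around, by department.
DROPPED = {"HS-01": "finance", "HS-02": "sales", "HS-03": "hr",
           "HS-04": "finance", "HS-05": "sales"}

def parse_events(text):
    """Group (timestamp, event) pairs by stick id."""
    per_stick = defaultdict(list)
    for line in text.splitlines():
        sid, _dept, ts, event = line.split(",")
        per_stick[sid].append((datetime.fromisoformat(ts), event))
    return per_stick

def classify(events):
    """One outcome per stick; opening a file is the worst case even if reported later."""
    names = {e for _, e in events}
    if "opened" in names:
        return "opened"
    if "plugged" in names:
        return "reported_after_plugging" if "reported" in names else "plugged_only"
    return "reported_unplugged" if "reported" in names else "untouched"

def score(dropped, text):
    """Return (outcome counts, plug-in rate per department) for a drop."""
    per_stick = parse_events(text)
    outcomes, by_dept = Counter(), defaultdict(lambda: [0, 0])  # [plugged, dropped]
    for sid, dept in dropped.items():
        events = sorted(per_stick.get(sid, []))
        outcomes[classify(events)] += 1
        by_dept[dept][1] += 1
        by_dept[dept][0] += any(e == "plugged" for _, e in events)
    return outcomes, {d: p / n for d, (p, n) in by_dept.items()}

def exposure_rate(outcomes):
    """Share of dropped sticks that were mounted at all, i.e. where malware could have run."""
    mounted = outcomes["opened"] + outcomes["plugged_only"] + outcomes["reported_after_plugging"]
    return mounted / sum(outcomes.values())
```

Running `score(DROPPED, SAMPLE_EVENTS)` on the constructed data gives one stick in each outcome class and a 60% exposure rate, which is the kind of baseline number a repeat drop after the awareness program can be compared against.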
Practical security help for small business managers - The Streetwise Security Zone
It’s time to get streetwise about information security. One of the areas in which I think the security industry has been weak has been in giving small businesses affordable and practical tools for sifting through the mound of technical mumbo-jumbo created each day on the Web.
I imagine that they must feel a bit like high school teenagers walking into a baby’s clothing store… They don’t have much interest, even though - someday soon - they know they will need to know about the stuff.
The Honey Stick Project was my first attempt to raise awareness among small business managers and others who should be aware of the real risks in today’s information world. I still have some new ideas for testing the psychology of how people think about mobile storage devices they find or lose. But the small business problem is much bigger than this, in my view.
