
The Eyes Have It


Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

I have started this blog off with an error. Did you catch it? If you don’t get involved in voting by voice on issues, you may not see the problem. The word in the title should be ‘aye’. Dictionary.com has this entry for ‘Aye’:

  • Aye  yes: archaic or dialectal except in voting by voice

Note the use of the word ‘archaic’. So the use of the word ‘aye’ is no longer common except in a specific situation. So when you see “The eyes have it” you either say ‘That is not the correct spelling’ (if you are old enough) or “Whose eyes and what do they have?”

When it comes to security and the defense against phishing attacks, the eyes have the task of defense. Anyone with email is subject to phishing attacks via that email. The only way to protect against those attacks is to train users on what to look for and what to do when they find it. And therein lies the problem. Many times we what see we want to. (Did you catch the word order issue there or just fix it mentally and move on?)

Let’s look at an example. In the box, count how many times the number 7 appears. Please read it carefully.

There are at least 7 things that can go w7ong with quick 7eading. Can you name 4?

Ok, now how many times did the letter ‘a’ appear? I know, I told you to count the times ‘7’ appears and now I am asking about the letter ‘a’. This demonstrates that you need to be careful about how you train people to observe. If it is too specific, it is very difficult for people to keep a growing list of things to look for. When it comes to spam, general principles are much more helpful than specifics.

Do You Know If You’ve Been Hacked?  Are You Concerned?

A study from the UK (2000 people) contained four points about security that should give any of us pause:

  • 31% of people in the UK are not actively concerned about cybersecurity
  • 57% do not believe they’ve been hacked and
  • 46% claimed they have never noticed or fallen for an online scam or hack.
  • However, 26% of respondents admit that they do not know the signs of a successful or attempted hack.

There is no reason to suspect that the statistics would be radically different in the US. The most worrisome point is the last one: not knowing if you have been attacked (successfully or not), coupled with this article stating that bad guys have changed their tactics. Instead of getting in and deploying malware immediately, the average dwell time (time on the network) for ransomware attacks is 43 days. The bad guys are doing reconnaissance to determine high-value targets and making copies of your data. Once the ransomware has been deployed and your data is encrypted, the bad guys will threaten to publish your data if the ransom is not paid. While this may not be a threat to your business directly, especially if you have good backups and a good recovery plan, what about all your customers and their data? You may not be able to survive that exposure.

Do Your Users Know How to Avoid Being Taken?

Now back to the eyes of your organization. Do your users know what to look for? Unless you do business in Russia, any link with .RU in it should be automatically suspicious. Likewise, if you don’t do business in China, anything with .CN should be suspect. But what about something like https://aeibye@q.rg.co/afeifj ? How do you decide here? What about https://bit.ly/334qilu ?

The first example is representative of what is called a semantic attack. There are some seldom-used optional parameters to a URL that can be used maliciously. These valid parameters are defined in RFC 3986 and can result in URLs that can do nasty things. They may look like they shouldn’t work, but they will. There is flexibility in these parameters that allows slight variations to give similar results, so looking for specific bad URLs is not productive.

The second example above is called a shortened URL. Like the optional parameters, they have legitimate uses but they can be used to hide malicious URLs. The same can be said for QR codes. There is no quick way to find out where you are actually going when clicking on a shortened URL or scanning a QR code. Your users shouldn’t have to do that detective work anyway.
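The check described above can be done by tooling instead of by users. The following is an added example, not part of the original post: a small Python link inspector that applies the article's general principles (userinfo before an "@", shortened URLs, unexpected country TLDs). The shortener list, the TLD set and the last two sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: a short illustrative shortener list and the
# two country-code TLDs the article mentions. Tune both to your own business.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
UNEXPECTED_TLDS = {"ru", "cn"}


def inspect_link(url):
    """Return (real_host, [reasons a user should stop and look twice])."""
    parts = urlsplit(url)
    # urlsplit lowercases the hostname and strips userinfo and port from it.
    host = (parts.hostname or "").rstrip(".")
    flags = []
    # RFC 3986: authority = [ userinfo "@" ] host [ ":" port ]
    # Everything before the last "@" is userinfo, NOT the destination.
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
        flags.append(f"userinfo '{userinfo}' precedes the real host '{host}'")
    if host in SHORTENERS:
        flags.append("shortened URL: destination is hidden")
    tld = host.rpartition(".")[2]
    if tld in UNEXPECTED_TLDS:
        flags.append(f"unexpected country TLD '.{tld}'")
    return host, flags


# The two URLs from the article, followed by two constructed samples.
SAMPLES = [
    "https://aeibye@q.rg.co/afeifj",
    "https://bit.ly/334qilu",
    "https://www.example.com@login.example.ru/reset",  # constructed
    "https://www.example.com/invoice",                 # constructed
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, flags = inspect_link(url)
        print(f"{url}\n  real host: {host}")
        for reason in flags:
            print(f"  FLAG: {reason}")
```

For the first URL from the article, the reported host is q.rg.co, and "aeibye" is only the userinfo that sits in front of it.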

Think Before You Click

The eyes should see that the URL is out of place. Does your customer normally use shortened URLs or QR codes in correspondence? That should be a red flag. Does the URL look strange in other ways? That should be a red flag. Users need to be instructed on how to check a link before they click. Hovering the mouse over the link or doing a long press of the link on a phone will reveal the actual destination.

The challenge is to get users to take the extra seconds to hover or long-press and scrutinize the URL. If it looks strange, they need to know to STOP! This takes training and that is a commitment that many businesses are reluctant to make. Unfortunately, with more remote workers, the opportunity to ask a co-worker if the URL looks weird to them has been significantly reduced. Users must make those decisions numerous times, every day. Do your users’ eyes have it? If not, training will help them get it.

To learn more about security awareness training for your team, give the Ashton Solutions team a call at 216 397-4080.
