The other day I was speaking with a customer's security group, and they complained that 80% of their security incidents were caused by users doing stupid things on the Internet. They kept pointing to reports highlighting how their users generate so much work for them through malware cleanup and downtime. The conversation got me thinking about what those reports really show. Is it that users are stupid, or is it something else?

Ask any real hacker, "What is the easiest way to break into a network?" and you are bound to get some variation of the same answer: it's by getting people to launch an application or click on something they shouldn't. Direct technical hacking is just plain hard work. Finding a 0day vulnerability that can be weaponized into a privilege escalation attack is like winning at blackjack: it is possible, but unlikely. Getting a user to click a link to see a picture of a cat wearing a wetsuit? Practically guaranteed! This is why attackers are so busy going after users through browser and email based attacks. It's just an easy way to compromise a ton of machines very quickly. Attackers are actively targeting our trust of friends on Facebook or Twitter and the assumption that our favorite websites are safe.

As security professionals we scream until our eyes bulge and veins pop out about the risks of weak web security controls in browsers and on websites. Every day we hear of a new vulnerability in a browser plugin that requires yet another patch, while millions of websites are vulnerable to SQL injection and XSS, allowing attackers to distribute exploits targeting these vulnerabilities. The evildoers on the Internet know that users don't read or understand cryptic browser warnings and will happily click away and load their malware. Why are we expecting the average user to know the nuances of these many attack vectors? The biggest problem for organizations trying to keep their assets clean of malware is that the people with the least technical knowledge are being asked to protect themselves on the web.

In my opinion, fixing this issue requires a mixture of user education and security technology to mitigate the impact of targeted attacks against people. Users need to be trained and updated on current attack methods and vulnerabilities so they can better recognize when they are in a dangerous situation. They will never be experts, but at least they will better understand the risks. Technical controls also need to be in place that scan web traffic for malicious code and leverage website reputation to block evil websites through filtering. We also need browsers with better sandboxing for plug-ins. Organizations should also conduct network security assessments that don't just focus on technology weakness, but also incorporate social engineering to gauge user security awareness.

So is it stupid users, or poor security controls, that caused the bulk of this customer's security incidents? Personally, I think it's wrong to blame the user for technology and awareness issues. Organizations that don't factor in the people aspect of security often have stupid reach up and bite them on a regular basis. What are your thoughts?
Is there a patch for stupid?
Do web users cause extra work for web security practices?
Copyright © 2010 IDG Communications, Inc.