One of my favorite all-time cast members from Saturday Night Live was Norm Macdonald, in particular when he did his Weekend Update reports featuring “the fake news.” Little did we know that “fake news” would actually become a thing. If you use the interwebs, then you have likely been exposed to fake news, but folks on both sides of the aisle – and folks outside of our country, apparently – amped up the fake news in the run-up to our recent presidential election.
What does fake news have to do with cyber security?
To me, one of the most interesting things about these fake news stories is that they all have catchy “click bait” titles that you want to click on: “You’ll Never Guess What (insert candidate name here) Said About (insert topic here)” and such. And we all know what happens when employees click on catchy titles… you see an increased risk of phishing and of malicious software being introduced by employees registering on web sites because they want to read the fake news article they just clicked on.
Although they do not directly target a company, these additional exposures greatly increase the risk of employees being compromised. How? Employees let their guard down, not realizing that clicking on links in a web page is just as dangerous as clicking on links sent via email.
Reducing the Risk
There are two ways you can reduce the risk of bad behaviors like this:
- Take the standard preventative measure of removing administrative rights from the endpoint. Doing so limits the attack surface: if a user doesn’t have the rights and permissions to reach sensitive areas of the network, data, etc., then an attack that compromises that user gets cut off there.
- Increase awareness at the web proxy layer for employees – basically modeling what “good” and “bad” browsing behavior looks like.
If you would like to learn the one weird trick for reducing belly fat, or the three steps to pay off debt (ohmigosh, number 2 blew my mind!), we can’t help you. But if you choose to allow your users to access the internet and read articles online during work hours, there are IT best practices available to mitigate the risk of the negative consequences.
Scott Carlson, Technical Fellow
As Technical Fellow, Scott Carlson brings internal technical leadership to BeyondTrust, strategic guidance to our customers, and evangelism to the broader IT security community. He also plays a key role in developing innovative relationships between BeyondTrust and its technical alliance partners. Scott has over 20 years of experience in the banking, education and payment sectors, where his focus areas have included information security, data centers, cloud, virtualization, and systems architecture. He is also a noted thought leader, speaker and contributor to RSA Conference, OpenStack Foundation, Information Week and other industry institutions.
Prior to joining BeyondTrust, Scott served as Director of Information Security Strategy & Integration with PayPal, where he created and executed security strategy for infrastructure across all PayPal properties, including worldwide data centers, office networks, and public cloud deployments. He led several cross-departmental teams to deliver information security strategy, technical architecture, and strategic solutions across enterprise IT environments. As a member of the office of the CISO, CTO and CIO, Scott spoke on behalf of the company at global conferences. In addition, he was responsible for infrastructure budget management, vendor management, and product selection, while also serving as the cloud security strategist for private OpenStack cloud and public cloud (AWS, GCP, Azure). Prior to PayPal, Scott held similar roles with Apollo Education Group and Charles Schwab.