"How to patch stupidity"
Interesting article in Dark Reading on the relatively powerful defense that comes from users who are trained to be smarter about security.
The article goes into the growing sophistication of "spearphishing," in which attackers harvest social networks for personalized details that help a message avoid detection, as in this example:
"The attacker did extensive research, likely on LinkedIn, and knew that the five executives regularly worked together on projects, Murray says. Using that knowledge, the hacker crafted five different emails, each of which looked like an email from one of the five colleagues to the rest of the group referencing a fictional meeting the recipient had missed. That message included a malicious attachment that was the supposed agenda for the fake meeting. Each email had a made-up thread to make it appear there had been a flurry of responses back and forth among the rest of the group."
In this particular case, one of the conned executives had the presence of mind to tell his IT group about it.
The article points out:
"Employees now detect about 10% of the advanced attacks after they’ve slipped by technology defenses. That percentage may not seem like much, but considering that these are employees from all walks of life sniffing out attacks that most security technologies couldn’t detect, it’s a meaningful boost."
April 17, 2013 in Industry Commentary