File Attachments, Security Awareness and Sophos

“We’ve done a pretty good job about teaching people not to open executable attachments in their email”, claims Sophos’ Chet Wisniewski in a recent YouTube video educating users about the dangers of PDF files.

I nearly fell out of my chair. I took that as a general statement about information security and users. While it may be true to say that Sophos has done a good job teaching people not to open attachments, I think Chet was speaking more generally. Isn't it more accurate to say that Microsoft changed Outlook's default security to block executable attachments in email, and that this is what greatly slowed email viruses?

This goes back to my last post about security awareness training versus security controls.   Which is better:

Option 1:
Spend countless hours on corporate newsletter articles (that aren't read), prepare lunchtime brown bags (attended by the security-curious, not by those who need the awareness), and require every employee to bill an hour to overhead for annual security awareness training.

Option 2:
Block executable attachments in email.

Option 2 was implemented because it was a Microsoft default. Security by default is something everyone can agree with, and it hardly cost any productivity: just a few emails resent with the file renamed or zipped.

Regarding PDFs, you could make a good case for educating users so they know that PDF != secure. But at the same time there is a strong argument for making sure they are running Reader X [1] with the security sandbox (Protected Mode) enabled and JavaScript disabled. The IT department can deploy that once for everyone, and the danger of the one person who forgets to be aware is lessened or removed.

[1] Please no “switch to foxit” comments.
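What "deploy that once for everyone" looks like in practice, as an added example that is not from this post, Sophos, Adobe or Microsoft: a PowerShell script that forces Reader X's Protected Mode on and JavaScript off through the policy hive Reader honours, then audits that the Outlook default the post relies on (the Level 1 executable block) has not been quietly weakened. Version numbers (Reader 10.0, Outlook 2010 = 14.0) and the two Outlook registry locations are assumptions for that era of software; adjust them for your fleet.

```powershell
# Added example, not the post's own script. Enforces and audits the two
# "security by default" settings discussed above on a Windows endpoint.
# Assumptions: Adobe Reader X (10.0) and Outlook 2010 (14.0); registry paths
# and value names follow the vendors' enterprise preference documentation
# for those versions. Run elevated (Reader keys live under HKLM); usable as
# a GPO startup script or a configuration-management check.

$readerPolicy  = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\10.0\FeatureLockDown'
$outlookPolicy = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security'  # Group Policy location
$outlookUser   = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\Security'           # user preference location

# Reader X FeatureLockDown values: 1 = forced on and greyed out in the user's UI,
# so the "one guy who forgets" cannot switch them back.
$readerWanted = @{
    bProtectedMode     = 1   # Protected Mode sandbox on, user cannot disable it
    bDisableJavaScript = 1   # Acrobat JavaScript off, user cannot re-enable it
}

function Set-ReaderLockdown {
    # Create the policy key if absent and write each DWORD, overwriting drift.
    if (-not (Test-Path $readerPolicy)) {
        New-Item -Path $readerPolicy -Force | Out-Null
    }
    foreach ($name in $readerWanted.Keys) {
        New-ItemProperty -Path $readerPolicy -Name $name -Value $readerWanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-ReaderLockdown {
    # Returns $true only when every lockdown value is present with the wanted data.
    $ok = $true
    foreach ($name in $readerWanted.Keys) {
        $item = Get-ItemProperty -Path $readerPolicy -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$name -ne $readerWanted[$name]) {
            Write-Warning "Reader X: $name is not locked to $($readerWanted[$name])"
            $ok = $false
        }
    }
    return $ok
}

function Test-OutlookAttachmentBlock {
    # Outlook blocks Level 1 extensions (.exe, .bat, .vbs, ...) out of the box.
    # The way that default gets weakened is the Level1Remove string (extensions
    # separated by semicolons); any non-empty value means those executables are
    # deliverable again, so report it from either location.
    $ok = $true
    foreach ($key in @($outlookPolicy, $outlookUser)) {
        $item = Get-ItemProperty -Path $key -Name 'Level1Remove' -ErrorAction SilentlyContinue
        if ($null -ne $item -and -not [string]::IsNullOrWhiteSpace($item.Level1Remove)) {
            Write-Warning "Outlook: Level1Remove under $key re-allows: $($item.Level1Remove)"
            $ok = $false
        }
    }
    return $ok
}

Set-ReaderLockdown
$readerOk  = Test-ReaderLockdown
$outlookOk = Test-OutlookAttachmentBlock

if ($readerOk -and $outlookOk) {
    Write-Output 'Defaults enforced: Reader X sandboxed with JavaScript off, Outlook executable block intact.'
} else {
    # Non-zero exit so a deployment tool or monitoring job flags the host.
    exit 1
}
```

The point of auditing rather than only writing is that a default is only a control while it still holds: a single `Level1Remove` entry added to "fix" a user's blocked attachment undoes Option 2 for that mailbox, and it is far cheaper to detect that centrally than to teach every user to notice it.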