Skip to content ↓ | Skip to navigation ↓

Most of us have seen the oh-so-convincing pop-ups that appear in our browser from time to time, purporting to have found “errors” or “security issues” on our PC. Some of us may have even clicked on them in a moment of weakness, or had to clean up after some unsuspecting co-worker or family member had clicked on one of these deceptive alerts.

To try to fight this, the US Federal Trade Commission (FTC) is cracking down on scams that sell bogus “fix it” tools and fake security products. These products not only scam victims out of hard-earned money, they often also contain keyloggers and other malware.

In other cases, these fake programs come with “technicians” who are scam artists that take over your computer through remote control. Bad mojo.

The tricksters are getting trickier

The challenge is that many of these scams are convincing, even if you know they are false—for example, the screen shot of “SecurityTool” looks fairly legit; but it isn’t.

BogusSecurity

I’m glad the FTC is getting aggressive about this, but that doesn’t eliminate the need to harden our user community. Make sure your users know the name of the legitimate security tools deployed in your enterprise, and condition them to look for alerts from that vendor only. This will minimize the chance of them falling for “SecurityTool” or “Antivirus 2000” or some other bogus security product.

If your organization doesn’t conduct any kind of remote outreach to fix or clean users’ systems, make sure they are aware, so they will be suspicious of remote “support” requests. Furthermore, if you do employ remote assistance that requires user action or acceptance, you’d be well-served to add some additional layer of authentication to the process.

Vigilance – Necessary, But Difficult

Of course, one of the problems with securing humans is that vigilance is difficult to maintain. Users may pay attention for a while, but soon things go back to business as usual and people begin to drop their guard.

For that reason, I recommend establishing a cadence of training, reminders and tests to ensure that you regularly touch the user community with awareness tips and training to keep them thinking about security.

Phishing tests can be useful, particularly if you make it entertaining and not drudgery. Likewise, a phishing contest with incentives can increase users’ awareness and make employees more alert of what to look for in a suspicious email.

Prevention – or at least reduction of risk – is possible

To limit the potential damage of accidentally clicking on one of these malicious fake security programs, you might consider “taking away the keys” from your users by removing local administrator privileges on their systems. We’ve long recognized the risks associated with “root” or “Administrator” levels of access, but the vast majority of users are still admins on their local systems.

From a consumer perspective, unfortunately, Microsoft’s default is to set you up as an Administrator, so only security-savvy end users are likely to run as a Standard user. In a corporate environment, our chances of removing local admin privileges are much better, as we often provision users with a standard image and can enforce things better through Group Policy on Windows (and the corporate security tools for Macs are improving, as well).

Several years ago, I made these adjustments on my home network because I was tired of dealing with malware outbreaks from my teenagers’ use of our home systems. Taking away local admin rights created a bit more work for me when it comes to installing or updating applications, but occasionally using RDP to authorize an install was a lot less work than rebuilding their systems after a malware incident.

By the way – for “power users” who have a legitimate need to have admin privileges on their local systems, you can still get this benefit by setting them up to operate day-to-day in a Standard role, while providing a local admin-capable account for updates and installation.

 

Related Articles:

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Image header courtesy of ShutterStock.com.