Forum Discussion
Ryan Heffernan
Microsoft
MicrosoftYou're doing it wrong
There's a good article in Dark Reading today by Michael A. Davis:
"We've all seen them — you might even have one open right now: an Excel spreadsheet with red, greens, and yellows that tell you...
In general, we need to understand the threat model within a domain. For example, in a company when we are assess threats for finance department, protecting Excel and financial software consider higher priority and we might set policy in excel for that department to block all codes and extensions. While in the same company for developers, we never set such policy and we concentrate more on protection codes and prevent running malicious scripts.
In also depends on the how employees learn about threats, in social engineering attacks, you could just do a smart data mining on social media and pretend to be head of IT and contact company and ask credential of employees directly. We need to understand threats in each environment and create defend model for each attack model and keep updating it.
In also depends on the how employees learn about threats, in social engineering attacks, you could just do a smart data mining on social media and pretend to be head of IT and contact company and ask credential of employees directly. We need to understand threats in each environment and create defend model for each attack model and keep updating it.