Enabling Secure Business Operations

No One is Immune to Security Issues

Earlier this week, blogger and author Cory Doctorow published an account of how he fell victim to a phishing scheme:

I run an up-to-date version of a very robust flavor of GNU/Linux called Ubuntu, which has a single, easy-to-use interface for keeping all my apps patched with the latest fixes. My browser, Firefox, is far less prone to serious security vulnerabilities than dogs like Internet Explorer. I use good security technology: my hard-drive and backup are encrypted, I surf through Ipredator (a great and secure anonymizer based in Sweden), and I use GRC’s password generator to create new, strong passwords for every site I visit (I keep these passwords in a text file that is separately encrypted).

And I’m media-literate: I have a good nose for scams and linkbait, I know that no one’s planning to give me millions for aiding in a baroque scheme to smuggle cash out of Nigeria, and I can spot a phishing e-mail at a thousand paces.

I know that phishing – using clever fakes to trick the unsuspecting into revealing their passwords – is a real problem, with real victims. But I just assumed that phishing was someone else’s problem.

Or so I thought, until I got phished last week.

Doctorow goes on to describe how a perfect storm of circumstances led to him logging in on a fake Twitter page. His story is an excellent reminder that no one, not even those educated on security best practices, is entirely secure against every possible threat. All of us can overlook basic recommendations at times, get distracted as we try to get tasks done, or even encounter a targeted attack that’s convincingly crafted. The tale is also a reminder that the extra time spent understanding threats, double-checking protections, and closely examining resources really can go a long way in keeping data safe.

Good security solutions have to take into account both prevention and response. It’s important for your business to prepare for threats, just as Doctorow knew the common steps to avoid phishing. Yet it’s also important to be ready and nimble in case that one attack succeeds. Dealing with compromised systems is never enjoyable, but it’s far worse to be caught off-guard and without a plan for such emergencies.
