It is not breaking news that fark.com was the victim/target of a hacking attack. But take a moment to think about this attack. Someone sent spam and spoofed emails to Fark employees. The spoofed emails appeared to be from colleagues. The links they contained went to websites hosting trojans and other malware, some of which appears to have stolen passwords and sent them out.
Think about how your organization would be protected from an attack like this.
Users don’t check email headers, at all. They wouldn’t know these messages are spoofed unless there is something obviously wrong or they yell over the cube wall to ask. Should the users even see these emails?
If one user accidentally clicks the link, will their browser be susceptible? Their OS? Their administrative/user level on the system?
Would they know something happened and say something? What if they don’t? Can you run a history search to see who in your company visited those bad sites?
Will the OS scream bloody hell if a trojan is found? If a trojan is detected by AV but no analysts are around to check the logs, does it do damage?
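One way to answer the history-search question above, as an added example that is not part of the original post: a small Python script that searches Squid-style proxy access logs for requests to the domains linked in the phishing emails, matching subdomains as well, and reports which users visited them and when. The log lines and the blocklisted domain are constructed placeholders, not real indicators.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid "native" access.log format:
# time elapsed client code/status bytes method url user hier/peer type
SAMPLE_LOG = """\
1234567890.123 245 10.0.0.11 TCP_MISS/200 5120 GET http://intranet.example/news alice DIRECT/10.0.0.1 text/html
1234567891.456 310 10.0.0.12 TCP_MISS/200 8900 GET http://cdn.bad-site.test/login.html bob DIRECT/203.0.113.5 text/html
1234567892.789 120 10.0.0.13 TCP_MISS/200 1024 GET http://www.example/ carol DIRECT/10.0.0.2 text/html
1234567893.000 410 10.0.0.12 TCP_MISS/200 4096 GET http://bad-site.test/update.exe bob DIRECT/203.0.113.5 application/octet-stream
"""

# Constructed blocklist: the domains pulled from the spoofed emails (placeholder value).
BAD_DOMAINS = {"bad-site.test"}


def host_is_listed(host, blocklist):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_visits(log_text, blocklist):
    """Return [(user, iso_utc_time, url)] for every request to a listed domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip malformed or truncated lines rather than crash
        ts, url, user = fields[0], fields[6], fields[7]
        host = urlsplit(url).hostname or ""
        if host_is_listed(host, blocklist):
            when = datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat()
            hits.append((user, when, url))
    return hits


def users_to_check(hits):
    """Distinct users who touched a listed domain; these machines need a closer look."""
    return sorted({user for user, _, _ in hits})


if __name__ == "__main__":
    for user, when, url in find_visits(SAMPLE_LOG, BAD_DOMAINS):
        print(f"{when} {user} {url}")
    print("users to check:", users_to_check(find_visits(SAMPLE_LOG, BAD_DOMAINS)))
```

The same search runs against the real log files by replacing SAMPLE_LOG with their contents; a domain that redirects through a CDN or lookalike host is caught by the subdomain match, but a site reached by bare IP would need the IP added to the blocklist.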
There are a lot of breakdowns here, and I would not be the least bit surprised if they are breakdowns in 95% of companies. And guess what…I bet Fark isn’t a Fortune 500 company or a huge employer, and they were still the victim of a targeted attack. And no, I don’t think user education is a guarantee of protection.
As a side note, I think user education is valuable, but I also think it has some dangers. It shouldn’t be used to reassign blame, for instance to some user who clicked on a link when they should have known better from their training. That’s not productive punishment or assignment of accountability or blame. Likewise, can you detect when they break down? If not, why bother training? If so, then you likely have the technological means to compensate for less user training. I’m not anti-user training, but I am against viewing it as anything more than an augment to a company’s security posture and culture.