Trust But Verify:
December 2001
The White House recently announced that the Friendship Through Education organization (www.friendshipthrougheducation.org) established an e-mail pen pal program with school children in the United States, Bahrain, Pakistan, and Egypt. The goal is to promote peace and understanding between the citizens of the United States and Islamic nations. In support of this initiative the National Infrastructure Protection Center (NIPC) is providing some recommended security practices so that U.S. school children may participate safely, protecting the computer systems they use at home, school, or library. The program has excellent potential to build a peace bridge between cultures. Our recommendations are designed to assist teachers and parents to guide the participating students to practice good computer security habits, not only for this program, but always.
"Trust but verify" is a slogan that is appropriate for securing computers from malicious code passed as an e-mail attachment. It is very difficult to know exactly who is on the other end of an e-mail or chat session, as passwords do get lost and stolen. Most computer users know that they should beware of opening e-mail from strangers. But countless viruses have continued to spread and re-spread, because they were sent via e-mail from someone who appeared to be trusted. Individual computer users can drastically reduce the spread of viruses and other malicious computer code with a few simple steps including verifying the authenticity of an attachment before opening it.
Developers of computer viruses have been successful using social engineering to victimize the typical computer user. We have witnessed many viruses spread by e-mail attachments, masked by subject lines that are designed to be enticing to the recipient. The computer virus developer's goal is to manipulate authorized trusted users to unwittingly circumvent computer defenses and allow a malicious code infection.
Even users who exercise disciplined adherence to security policies have been lured to open attachments titled "Anna Kournikova," "I Love You," and, recently, "Peace between America and Islam," which exploited human emotion about the violent acts of September 11, 2001. We may have difficulty understanding the motivations of virus developers, but we must recognize that it is consistent with their methodology to exploit curiosity. We should expect to see viruses designed to proliferate by association with popular themes or ideas. As headlines develop regarding news events or issues popular with the audience, expect to see those used as e-mail subject lines to mask a malicious attachment.
NIPC and computer industry partners publish advisories to educate computer users about best security practices. Many of these publications recommend consideration of the following steps to reduce the chance of computer virus infections: