via Seeking Address: Why Cyber Attacks Are So Difficult to Trace Back to Hackers: Scientific American:
One of the primary methods of creating zombies is by getting computer users to unwittingly infect their computers by opening e-mails and Web pages containing malware. “If you look at the way RSA was penetrated, it was not terribly sophisticated, nothing on the order of Stuxnet, which was probably the most sophisticated attack we’ve seen in recent memory,” says Anup Ghosh, a research professor and chief scientist at George Mason University’s Center for Secure Information Systems. “Most of these attacks are executed using conventional exploits. What’s different is they’re using these exploits in new ways.”
And, unfortunately, they are also quite successful when using the same old attacks in the same old way.
Start with a good security policy, and educate your users so that they follow it. Faced with a technological hurdle, people will work around it to get their jobs done, even when the workaround compromises the system.
Policies and procedures are useless if no one is aware of them. But better still than merely satisfying mandatory training requirements is setting up systems so that users cannot violate policy in the first place, while still being able to perform their jobs.
“Often employees think someone at a higher level is taking care of their data security when in fact the employees are really a major part of the security processes,” he said.
“While on the surface this doesn’t affect the company, the lapse in judgment shows that employees don’t even know how to secure their own information, let alone the company’s data,” Spinosa said. “It also illustrates a problem where employees may be assuming that protections are in place when they aren’t.”
via Computer security awareness training could prevent some data loss, experts say.