Today, TrendMicro [announced their discovery of Emmental](http://housecall.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf), proof that “…online banking may be full of holes.” The focus of the attack is on users of online banking, and it, like many of the current attacks, starts with a phishing attack on consumers. The [New York Times Bits Blog covered the report](http://bits.blogs.nytimes.com/2014/07/22/hackers-find-way-to-outwit-tough-security-at-banking-sites/?_php=true&_type=blogs&_php=true&_type=blogs&_r=1), as well, providing a high-level view of the attack on two-factor authentication used by many online financial sites.
This attack underscores two vital truths:
- The weakest link in security is the human factor, and
- Trust is the key to security
In Emmental, the cyber-criminals used the combination of fear for their finances and trust of consumer brands to convince consumers to open attachments and visit financial sites that had been created to capture their usernames, passwords, and PINs. The holes exploited in this process are many, including email systems, operating systems, web browsers, and the wide variety of multi-factor authentication in use.
It can be easy for enterprise technology specialists to write this off as simple error on the part of the unwashed consumer masses. Yet, these issues and truths exist within enterprise environments, and we see this consistently: simple typos and conceptual errors in device configurations lead to violations of security policy and potential breach paths, misunderstandings of policy intentions result in open access, and IT organizations trust more widely than is prudent.
How do you protect your enterprise from these risks while recognizing these two vital truths?