cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Quireboy
Newcomer I

Looking for a case study

I'm looking for a case study on why 'you' should bookmark your bank, investment company and other important sites you use, and never use a Google or similar search engine to 'look up' your important sites, i.e., preaching about why not to type in the URL and to always use your bookmark.

 

If anyone has links, please share!

 

Thanks,

Q.

17 Replies
rslade
Influencer II

> Quireboy (Viewer) posted a new topic in Tech Talk on 07-02-2019 06:38 PM

 

> I'm looking for a case study on why 'you' should bookmark your bank, investment
> company and other important sites you use, and never use a Google or similar
> search engine to 'look up' your important sites, i.e., preaching about why not
> to type in the URL and to always use your bookmark.

 

I'm not sure I could find a resource to support that contention.

 

In fact, I'm not sure I agree with that position ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Shannon
Community Champion

 


@Quireboy wrote:

I'm looking for a case study on why 'you' should bookmark your bank, investment company and other important sites you use, and never use a Google or similar search engine to 'look up' your important sites, i.e., preaching about why not to type in the URL and to always use your bookmark.

 

@Quireboy, a bookmark is essentially a pointer to a web page. What benefit does it offer --- other than saving you the trouble of remembering the pages & typing out the URLs?

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
dcontesti
Community Champion

 


@Shannon wrote:

 


@Quireboy wrote:

I'm looking for a case study on why 'you' should bookmark your bank, investment company and other important sites you use, and never use a Google or similar search engine to 'look up' your important sites, i.e., preaching about why not to type in the URL and to always use your bookmark.

 

@Quireboy, a bookmark is essentially a pointer to a web page. What benefit does it offer --- other than saving you the trouble of remembering the pages & typing out the URLs?

 

 


I have to agree with @rslade and @Shannon on this one.

 

I see limited benefit to bookmarking unless folks cannot remember the URL.  I can understand not wanting to do a google search based on bogus sites that are one or two characters off.

 

I suspect my question is what is wrong with typing in the URL?

 

Regards

 

denbesten
Community Champion

I think you need to start with the problem you are trying to solve.  The prototypical problem statement is a URL embedded in a seemingly trustworthy, but easily-compromisable source, such as unsolicited email.  The real trick here is that users need training to better identify the risky scenario and to know the mitigation. Specifically, that URLs used to access important sites should come from sources you trust , rather than blindly clicking the link. 

 

I can remember "www.discover.com", so there is no harm in me typing that one in, and when I type "mellon bank" into Google, pagerank and anti-fraud departments do a great job at ensuring that the first answer is trustworthy.  Other viable options are to use browser history and as you suggest, bookmarks.

 

Another great trick is to use a password manager (lastpass is my personal choice) and to use random passwords for each site.  If it does not auto-fill, the natural response is to say WTF, which will quickly expose a fraudulent URL.  Plus it is "harder" to get tricked because one need to find the password and then copy/paste.  In addition to being a PITA, it gives one more time to consider if there might be a reason it did not auto-fill.

 

Finally, don't get fooled by MFA.  It is a great tool to combat a wide variety of attacks, but MFA is insufficient to combat URL fraud.  Introducing MFA  forces the bad-actor to work real-time, but it does not preclude them obtaining a complete set of valid credentials.

 

In direct answer to your request, I concur with @rslade that a case study recommending bookmarks is unlikely because it is far from the only way to skin this cat.

Get_In_The_Robo
Viewer II

So there's two things:

 

1) SEO Poisoning / spamdexing is a thing, though I don't think I've ever seen it posted about in a long time... anywhere...

 

2) Interestingly enough, the Chrome STIG from DISA has an item related to disabling search suggestions so it doesn't auto-fill something bad or unintended. This would fall under the "use your bookmark" suggestion to combat if that setting didn't exist.

 

Those are the 2 cases I can think of. But honestly I'd rather be focusing on bigger fish to fry than to create procedural docs or whatever. Would rather dive into website whitelisting if it's a concern

CraginS
Defender I


@Quireboy wrote:

I'm looking for a case study on why 'you' should bookmark your bank, investment company and other important sites you use, and never use a Google or similar search engine to 'look up' your important sites, i.e., preaching about why not to type in the URL and to always use your bookmark.

 


 

@Quireboy please provide us the theoretical framework or risk discussion, or the actual evidence you have, that tells you this is solid advice. I, and many others, see no particular reason fo avoid Google searches, except for the fundamental Google privacy-invading records Google keeps on all of our searches.If you have such information, that might lead you to case studies you are seeking.

Thanks,

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
JoePete
Advocate I


@Quireboy wrote:

I'm looking for a case study on why 'you' should bookmark your bank, investment company and other important sites you use, and never use a Google or similar search engine to 'look up' your important sites, i.e., preaching about why not to type in the URL and to always use your bookmark.


I think, maybe, what you are trying to get at is that people often type the servername (www.example.com) and not the protocol (i.e. https://www.example.com). Typing the https protocol gives a slightly better chance of guarding against some sort of impersonation (provided someone knows enough to recognize a missing or self signed certificate).

 

The other issue is the vomit-laden nemesis of security HTML email. Never click a link in HTML email. More directly the age old advice when dealing with impersonation is "Always initiate the conversation." Whether it is a phone call from your bank, an email from your college, or a text from your nephew - never respond directly. Instead hang up, etc., and then call the published customer service number, etc. But back to HTML email, it really is the worst sort of garbage, and yet it has become "standard" in today's workplace.

Shannon
Community Champion

 

There've been 7 replies here, with some of us stating that there's no point in this, while others have interpreted the requirement differently. 

 

@Quireboy, please clarify what you're looking for.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Quireboy
Newcomer I

I gave you an exact precis of what I’m asking for, and instead of saying “I have no CASE STUDIES I can refer you to, you all argued the premise. Doesn’t anyone here know how to just answer the question that was asked? I thought y’’all were professionals.