Who would have thought the best way to confirm the validity of an attachment sent from a colleague or business contact is to pick up the phone and call? What a novel idea!
While e-mail attachments always make me squirm, it's unrealistic to assume we won't pass them back-and-fourth in an office setting. So, the question is how do we do so safely?
Confirming the validity of shared docs is less tricky within a corporation where there is usually some sort of shared office drive. It's those external documents from outside sources, or even the unsolicited documents from vendors, that should raise red flags. It's not uncommon in my line of work for a vendor to send an invoice contained within an Excel spreadsheet and pdf attachment. And if you've been following this blog, you'll know that two of the most common attack vectors are executed by downloading malicious e-mail attachments that masquerade as legitimate pdfs.
There are only two main ways to combat, and/or confirm the validity of these attachments. The first is to rely on antivirus, and the second is to do careful manual analysis. It's unrealistic to ask an office worker to know if something is malicious or not, nor is particularly easy or time sensitive to automate antivirus scanners. The SANS Internet Storm Center has seen some corporations delay the downloading of attachments to give antivirus programs some advantage of catching up on digital signatures. But at the end of the day, the very best solution is to pick up the darn phone and make a phone call. It's not hard to ask the person who sent you the document if they meant to include an attachment. Who knew 20th Century technology could be so handy.
NEXT STORY: NARA shows gaps in cybersecurity, GAO says