Social engineering - where the user is the weakest link

Human nature causes security holes

Anyone who has been hit by a computer virus will be doubly wary of unexpected emails in the future that may contain viruses. So why do people still keep clicking on attachments? However much security technology a company deploys, human nature will always be the weakest link in the chain.

With the problem of spam growing daily, accounting for around 90 per cent of email traffic in the US by some estimates, companies are fighting an uphill battle to purge spam from their networks. But what is spam to one user is a legitimate communication to another. For example, a low-price mortgage offer might be just what one user had been waiting for, whereas another will find this an unwanted intrusion.

Many vendors offer technology that looks at emails to see if they contain code associated with known attacks and will block these from entering the system. However, many companies have a policy of quarantining suspicious emails so that users can decide for themselves whether or not to open them.

This situation grows worse considering that most of us have private email accounts and a great many people work at least some of the time from home, often connecting directly to the internet, bypassing the security controls put in place by companies. This leads to the phenomenon of walk-in worms, where viruses are picked up on unprotected computers and propagate rapidly when they are reconnected to the corporate network.

With the security technologies that are available today, this sounds like a problem that companies should be on top of. But they are fighting a tough battle as the number and type of communications devices, such as instant messaging systems and wireless networks, expand, increasing the number of ways that users can be targeted.

Technology is not enough. For security technologies to be effective, users must be trained as to what the dangers are and what standard of behaviour is expected from them. For example, strict sanctions should be applied to individuals who bypass security controls by plugging their computer modems directly into a network connection or to those who store their account names and passwords in clear text on their computer or on a note left next to the computer.

Most people today would realise that such behaviour would leave them vulnerable to attack, but hackers are adept at finding new vulnerabilities in human nature. This is what people call social engineering and it is nothing new. People have long tried to con unsuspecting members of the public into giving away personal information that can be used to steal their identity. But the widespread use of computers ups the ante. This is something that can be seen in the exponential rise in identity theft, where computer users are tricked into giving away personal information via emails or spoofed web sites, as well as the number of people tricked into opening email attachments from messages that appear to be interesting and relevant to them.

Deploying security technology is a good start, but hackers are becoming increasingly sophisticated in the way that they target users and virus writers are focusing their efforts on designing messages so that they appear to be relevant and from trusted sources. For example, they are starting to use more benign attachment types, such as the recent virus that was contained in JPEG files. Many users are used to receiving images in email messages from their friends and colleagues and will not think twice about opening up such attachments. Increasingly they are spoofing email addresses to make them appear to come from a trusted source, such as from their ISP.

Technology vendors are bringing out increasingly sophisticated solutions, but hackers and virus writers are staying one step ahead in their efforts to con users. This is something that will not go away any time soon, with social engineering predicted to be one of the most important and fastest-growing trends over the next few years. In order to prevent the problem growing, users need to be educated about the value of the information contained in computer networks, the measures they should take to protect it from being compromised, and how social engineers operate.

Copyright © 2004, IT-Analysis.com
