
Social engineering - where the user is the weakest link

Human nature causes security holes


Anyone who has been hit by a computer virus will be doubly wary of unexpected emails in the future that may contain viruses. So why do people still keep clicking on attachments? However much security technology a company deploys, human nature will always be the weakest link in the chain.

With the problem of spam growing daily, accounting for around 90 per cent of email traffic in the US by some estimates, companies are fighting an uphill battle to purge spam from their networks. But what is spam to one user is a legitimate communication to another. For example, a low-price mortgage offer might be just what one user had been waiting for, whereas another will find this an unwanted intrusion.

Many vendors offer technology that looks at emails to see if they contain code associated with known attacks and will block these from entering the system. However, many companies have a policy of quarantining suspicious emails so that users can decide for themselves whether or not to open them.

This situation grows worse considering that most of us have private email accounts and a great many people work at least some of the time from home, often connecting directly to the internet, bypassing the security controls put in place by companies. This leads to the phenomenon of walk-in worms, where viruses are picked up on unprotected computers and propagate rapidly when they are reconnected to the corporate network.

With the security technologies that are available today, this sounds like a problem that companies should be on top of. But they are fighting a tough battle as the number and type of communications devices, such as instant messaging systems and wireless networks, expands, increasing the number of ways that users can be targeted.

Technology is not enough. For security technologies to be effective, users must be trained as to what the dangers are and what standard of behaviour is expected from them. For example, strict sanctions should be applied to individuals who bypass security controls by plugging their computer modems directly into a network connection or to those who store their account names and passwords in clear text on their computer or on a note left next to the computer.

Most people today would realise that such behaviour would leave them vulnerable to attack, but hackers are adept at finding new vulnerabilities in human nature. This is what people call social engineering and it is nothing new. People have long tried to con unsuspecting members of the public into giving away personal information that can be used to steal their identity. But the widespread use of computers ups the ante. This is something that can be seen in the exponential rise in identity theft, where computer users are tricked into giving away personal information via emails or spoofed web sites, as well as the number of people tricked into opening email attachments from messages that appear to be interesting and relevant to them.

Deploying security technology is a good start, but hackers are becoming increasingly sophisticated in the way that they target users, and virus writers are focusing their efforts on designing messages so that they appear to be relevant and from trusted sources. For example, they are starting to use more benign attachment types, such as the recent virus that was contained in JPEG files. Many users are used to receiving images in email messages from their friends and colleagues and will not think twice about opening such attachments. Increasingly, virus writers are also spoofing email addresses to make messages appear to come from a trusted source, such as the recipient's ISP.

Technology vendors are bringing out increasingly sophisticated solutions, but hackers and virus writers are staying one step ahead in their efforts to con users. This is something that will not go away any time soon, with social engineering predicted to be one of the most important and fast-growing trends over the next few years. In order to prevent the problem growing, users need to be educated about the value of the information contained in computer networks, the measures they should take to protect it from being compromised, and how social engineers operate.

Copyright © 2004, IT-Analysis.com
