Feeds

Social engineering - where the user is the weakest link

Human nature causes security holes

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Anyone who has been hit by a computer virus will be doubly wary of unexpected emails in the future that may contain viruses. So why do people still keep clicking on attachments? However much security technology a company deploys, human nature will always be the weakest link in the chain.

With the problem of spam growing daily, accounting for around 90 per cent of email traffic in the US by some estimates, companies are fighting an uphill battle to purge spam from their networks. But what is spam to one user is a legitimate communication to another. For example, a low-price mortgage offer might be just what one user had been waiting for, whereas another will find this an unwanted intrusion.

Many vendors offer technology that looks at emails to see if they contain code associated with known attacks and will block these from entering the system. However, many companies have a policy of quarantining suspicious emails so that users can decide for themselves whether or not to open them.

This situation grows worse considering that most of us have private email accounts and a great many people work at least some of the time from home, often connecting directly to the internet, bypassing the security controls put in place by companies. This leads to the phenomenon of walk-in worms, where viruses are picked up on unprotected computers and propagate rapidly when they are reconnected to the corporate network.

With the security technologies that are available today, this sounds like a problem that companies should be on top of. But they are fighting a tough battle as the number and type of communications devices, such as instant messaging systems and wireless networks, expands, increasing the number of ways that users can be targeted.

Technology is not enough. For security technologies to be effective, users must be trained as to what the dangers are and what standard of behaviour is expected from them. For example, strict sanctions should be applied to individuals who bypass security controls by plugging their computer modems directly into a network connection or to those who store their account names and passwords in clear text on their computer or on a note left next to the computer.

Most people today would realise that such behaviour would leave them vulnerable to attack, but hackers are adept at finding new vulnerabilities in human nature. This is what people call social engineering and it is nothing new. People have long tried to con unsuspecting members of the public into giving away personal information that can be used to steal their identity. But the widespread use of computers ups the ante. This is something that can be seen in the exponential rise in identity theft, where computer users are tricked into giving away personal information via emails or spoofed web sites, as well as the number of people tricked into opening email attachments from messages that appear to be interesting and relevant to them.

Deploying security technology is a good start, but hackers are becoming increasingly sophisticated in the way that they target users and virus writers are focusing their efforts on designing messages so that they appear to be relevant and from trusted sources. For example, they are starting to use more benign attachment types, such as the recent virus that was contained in JPEG files. Many users are used to receiving images in email messages from their friends and colleagues and will not think twice about opening up such attachments. Increasingly they are spoofing email addresses to make them appear to come from a trusted source, such as from their ISP.

Technology vendors are bringing out increasingly sophisticated solutions, but hackers and virus writers are staying one step ahead in their efforts to con users. This is something that will not go away any time soon, with social engineering predicted to be one of the most important and fast growing trends over the next few years. In order to prevent the problem growing, users need to be educated about the value of the information contained in computer networks, the measures they should take to protect it from being compromised and of how social engineers operate.

Copyright © 2004, IT-Analysis.com

Related stories

Yahoo! - the thinking corporate's email solution
Fraudsters recruit phishing middlemen
Sober worm speaks with forked tongue

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.