The greatest security vulnerability: You

Summary: You are the weakest security link but you can be fixed. The fix is simple to say out loud but not so simple to do.

TOPICS: Security

Believe it or not, the greatest threat to your personal or corporate computing environment is you. You put your personal and collective corporate security at risk every day by just being you. It's not a particular personality flaw with you as an individual but rather it is your innate human response to other humans. You want to be open, helpful and kind but those attributes are also your security Achilles' heel. The quote, "A little kindness goes a long way," is no less true when speaking of computer security. That wee bit of kindness that you show a stranger could put your personal and corporate security at significant risk and could result in very high remedial costs.

The Background

Attackers who want into your network or who want your data will take the path of least resistance to attain their goals. If your systems aren't patched, they'll attack and compromise them. If your network security lacks the proper defenses, they'll trot through that open gate with ease. If your physical security is a joke, the joke will soon be on you, when an attacker can make his way into your offices to drop a USB drive, to grab information from a desk or to have a 'look see' on an unlocked computer. Finally, if your people aren't prepared for social engineering attacks, all your other defenses are useless.

The Problem

From a corporate standpoint, your network security team and system administrators can maintain patches, apply updates and install security software but they can't fix you. There's no patch available for your vulnerabilities. Social engineering is the most effective attack mode on any computer system or network. It is 100 percent effective. It also leaves the fewest traces and always involves someone on the inside doing something or saying something that gives an attacker the surface he needs to gain access to systems, data and information.

The Solution

The solution, simply put, is education.

An expanded version of my terse answer can be found in Christopher Hadnagy's, Social Engineering: The Art of Human Hacking, final chapter.

"Security through education cannot be a simple catch phrase; it has to become a mission statement. Until companies and the people who make up those companies take security personally and seriously, this problem won’t be fixed completely. In the meantime, those who were serious enough to read this book and to have a desire to peer into the dark corners of society can enhance their skills enough to keep their families, selves, and companies a little more secure.

Until companies begin to realize their vulnerability to social engineering attacks, individuals will have to educate themselves about attack methods and stay vigilant, as well as spread the word to others. Only then do we have hope of staying if not one step ahead of an attack, then not too far behind."

One of the biggest hurdles to overcome is your own self-conceit in thinking that it can't happen to you. When I interviewed Christopher, I was shocked by the percentage of successful social engineering attacks he's performed over the years. It's very disheartening to know that he has a 100 percent success rate at social engineering attacks. That number should alarm you as well.

How do we protect ourselves, when it seems that the situation is hopeless?

It isn't hopeless but social engineering attacks, as successful as they are, can be made so difficult that an attacker will seek easier prey elsewhere. Your job is to make the attacker's job very difficult. Learn the paths that your enemy will take to attack you and lower his attack surface.

How can you do this?

It requires a high-level of constant vigilance and perhaps scripted responses to "harmless" questions from strangers. It also requires 100 percent compliance from every employee, including maintenance and housekeeping staff. Education is the key to prevention but you must also have a disaster recovery plan. Knowing how successful social engineering is, you have to construct a recovery plan should you fall victim to an attack.

Unfortunately, good information with which to educate yourself is scarce. Much of what you'll find is generic information, misleading information, incorrect information or information that will make you more vulnerable to an attack.

Have you ever been the victim of a social engineering attack? What was the outcome? Talk back and let me know.

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • In other words... you're asking for a perfect defense. This is a recipe for failure.

    One bad day and a social engineering attack can succeed where it wouldn't normally.

    Education *helps*, but relying on every individual to be perfect every time is stupid. Just as stupid as any other single-layer defense--and that's what you're advocating here.

    Since the weak link is *every person in the organization* your attack surface is enormous. If education fails at least once (and it certainly will) what's the second layer?

    Seems to me there isn't one...
    • RE: The greatest security vulnerability: You


      I think you misunderstood. Education is a great deterrent to social engineering. As I said, you have to have physical security, network security and system security too. It is the education part that is lacking, not the others.
      • No, I didn't misunderstand


        The thrust of your argument is that all other layers of the security onion have *NO EFFECT* if social engineering is successful.

        Which means for a social engineering attack to succeed only requires a momentary lack of judgement on the part of Joe Random User. If that happens there is no second layer of defense because social engineering bypasses all other layers by definition--or it wouldn't be used.

        And if the user's judgement fails (education or not) because the attack is just that good, it's game over.

        No second layer. And that problem, of course, has no solution.
      • RE: The greatest security vulnerability: You

        @khess, you do in fact misunderstand and purposely. You need to take a look at real life as I alluded to earlier. You're not it.
    • RE: The greatest security vulnerability: You

      An educated user is very very very unlikely to have a security breach whereas an uneducated one most certainly will. I don't think the author is expecting everyone to be perfect users but advocating everyone to be smarter and not rely on a product to help you when you are on that girls gone pole dancing site. I have friends who never get viruses because they know what site to avoid. I also have friends who get viruses every other month because they insist on going to the same site downloading "stuff". And when they get a virus "how come my virus didn't block it". You can lock your front door everyday but if its in a bad neighborhood its only a matter of time before it gets broken in.
    • RE: The greatest security vulnerability: You

      @wolf_z ... go get another drink; you make no sense w/r to the real world and seem to live in perfecto-land which does not exist.
    • Perfection vs. Imperfection


      You're only partly on base. While you do have a point, it's overstated.

      Some simple points to start with. While education isn't a perfect solution to social engineering tricks, social engineering tricks are not perfect themselves. The closer to perfection education on social engineering is, the more the imperfection in social engineering tricks will cause social engineering to fail.

      The following point is both disheartening and hopeful at the same time. The point being, the level of awareness many people have about social engineering hacks and tricks is abysmal to non-existent. While that is a terrible thing on one hand, it also goes to show how even a little education on the issue could go a long way.

      It also breeds some hope that a thorough education on social engineering may well go a long way toward perfection. Maybe even close enough that only the wiliest of social engineering tricks would have any chance of success.

      And yes, where you are right is that on a bad day, people are often more likely to slip up. But the idea behind giving a good education to people on social engineering tricks is that if they are educated well and take it to heart you may get a situation where everyone is at least good enough that the only way they will get caught up in such a trick is on a bad day by the wiliest of tricksters. And those stars do not line up in any kind of regular basis.

      The end result can actually be that while on the theoretical side it isn't a perfect solution because it simply isn't perfect, but on the practical side it may actually work perfectly if nobody is unlucky enough to be caught on a really bad day by a very wily hacker.

      While it takes some hard work and very committed people, strongly educating people on social engineering is not a recipe for failure, it's actually a path that could potentially lead to a perfect record despite the imperfections of education.

      In any event, what's your point? We should all just give up and roll over simply because nothing is perfect?
  • RE: The greatest security vulnerability: You

    "The solution, simply put, is education."

    I have been saying this for a long time now. Ideally, I think it's time to have security education as part of the Education System here in the States.

    Make it a required course to pass in order to advance on. Maybe have an intro class in elementary, then again in the middle grades, but finally in high school and college have it a required course to pass in order to graduate.
    The one and only, Cylon Centurion
    • RE: The greatest security vulnerability: You

      @Cylon Centurion

      Good ideas. I like that.
    • RE: The greatest security vulnerability: You

      @Cylon Centurion
      Agreed - these things should be taught in school, but then, it's saddening how many students managed to finish high school barely able to read or speak the English language properly (or, in some cases, that the language is even CALLED English, not American or something equally silly), or with no concept of why it's a bad idea to, say, cut raw meat on a cutting board and then put the cooked meat back on the cutting board later. There isn't even a decent health/sex ed class anymore (though that's less the fault of the schools and more the fault of the crazies). The school system is dead set on avoiding any education that has a true real-world application. They focus on pure academia which, while valuable, fails our children entirely when they don't have the ability to figure out the simplest of every day tasks anymore. There are A LOT of things students should learn in school. Security like this is only one of many things. I'd even say that maybe we should focus on teaching students how to use the computers properly before we start teaching them how to protect the information on them.
    • Agreed, although it sounds like "disclosure" to me.

      @Cylon Centurion

      Working in a government tax agency, we have to worry about "disclosure" issues. That is, there's certain information about the business taxpayers that's available to the general public over the phone; aside from perhaps a particular license number, it's the same information they could find by looking in the phonebook or on the Internet, were they to actually take the time to look it up.

      The rest of the information, like filing information, payments, etc.? They have to verify their identity, either as the business owner or a rep, in order for us to provide it over the phone. Our disclosure training -- which we have to repeat every year -- specifies what information we have to get to meet it, what we can request from them if we're uncomfortable (i.e. signed form from the owner saying they're an authorized rep, or a letter on company letterhead stating they're authorized), & reiterates to us that if we break disclosure it's not only the agency on the hook, but we're *personally* liable.
    • RE: The greatest security vulnerability: You

      @Cylon Centurion It is. Ever heard of Computer Tech? That's one of the parts of the course, at least where I had school.
      • RE: The greatest security vulnerability: You


        My school district only ever had Microsoft Office classes at the higher level. We had typing at the 6th grade level, but that's it as far as anything computer related.
        The one and only, Cylon Centurion
    • Ha! You hardly need a whole course.

      @Cylon Centurion

      As I have said before, many people's computer/network security knowledge is terrible. I see otherwise very smart people doing the dumbest of things on a computer because they simply don't have any clue about the way most security risks even come up. How many people still know people out there who will open an attachment in an unsolicited email just because there is something very interesting or familiar about the email. Way too many, that's how many.

      For most people to sit down for a couple hours and have a good solid tutorial on some security education would make an absolute world of difference for most. For typical computer users at home and at the workplace any security concerns that would take more than a couple of hours to explain are very much more than likely concerns beyond the scope of a non IT person for one thing.
      • Worst type of attack.

        @Cayble ... Misspell your bank's URL by one (adjacent keyboard) character and see what comes up. You most likely will be transported to a parallel universe where the fraudulent site copies the color, layout, and login input boxes of the legitimate site. Type in your account login information and you are toast.

        With Windows, I suspect this could happen with browser hijacking, even if you type in the correct URL. I've done it myself and usually checked the URL before proceeding and noticed it was not genuine because my typing was incorrect. I'm sure the same is true for Investment, Retirement, Online savings, etc.

        Sometimes it's just a nuisance like when you misspell Google. There's probably several hundred variations out there.
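As an added illustration of the typo trap described in the comment above (example code added here, not part of the article or of any commenter's post): a "did you mean" check that flags a typed hostname which is exactly one adjacent-key slip away from a domain on the user's own allowlist, so a slip like `exanplebank.com` is caught before any login form is filled in. The simplified QWERTY neighbour map, the trusted-domain allowlist and the sample hostnames are all constructed for this example.

```python
from typing import Dict, Optional, Set, Tuple

# Simplified QWERTY layout (constructed for the example): a key's neighbours are the
# keys beside it on the same row and the key at the same column on the rows above/below.
_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacent_keys() -> Dict[str, Set[str]]:
    """Build the map letter -> set of physically adjacent letters."""
    adj: Dict[str, Set[str]] = {}
    for r, row in enumerate(_ROWS):
        for i, ch in enumerate(row):
            near: Set[str] = set()
            if i > 0:
                near.add(row[i - 1])
            if i + 1 < len(row):
                near.add(row[i + 1])
            for rr in (r - 1, r + 1):
                if 0 <= rr < len(_ROWS) and i < len(_ROWS[rr]):
                    near.add(_ROWS[rr][i])
            adj[ch] = near
    return adj


ADJACENT = _adjacent_keys()

# Constructed allowlist: the domains this user actually logs in to.
TRUSTED_DOMAINS = {"examplebank.com", "mail.example.org"}


def _registrable(host: str) -> str:
    """Normalise case, trailing dot and a leading 'www.' so the comparison is fair."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def adjacent_key_typo(typed: str, trusted: str) -> bool:
    """True if `typed` differs from `trusted` in exactly one position and the
    character typed there sits next to the intended key on the keyboard."""
    if len(typed) != len(trusted):
        return False
    diffs = [(got, wanted) for got, wanted in zip(typed, trusted) if got != wanted]
    if len(diffs) != 1:
        return False
    got, wanted = diffs[0]
    return got in ADJACENT.get(wanted, set())


def classify_host(typed: str, trusted: Set[str] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain) for an allowlisted host, ('lookalike', domain)
    for a one-key slip from an allowlisted host, or ('unknown', None) otherwise."""
    host = _registrable(typed)
    if host in trusted:
        return "trusted", host
    for good in trusted:
        if adjacent_key_typo(host, good):
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for sample in ["www.ExampleBank.com", "exanplebank.com", "examplebank.con", "exaqplebank.com"]:
        verdict, match = classify_host(sample)
        print(f"{sample:24} -> {verdict}" + (f" (did you mean {match}?)" if verdict == "lookalike" else ""))
```

The check deliberately only warns on a single adjacent-key substitution, which is the slip the comment describes; a real browser extension or corporate proxy would combine this with certificate and domain-reputation checks rather than rely on it alone. Note that the comparison is against the user's own allowlist, so it says nothing about whether the lookalike domain actually exists, only that what was typed is probably not what was meant.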
  • Assuming too much

    You assume Microsoft Windows, well, then I can sympathize with you standing on your toes. If the industry could finally learn and adapt, free themselves from the chains of the Microsoft ecosystem then the worst is over.

    I think the biggest problem is IT staffs thinking too much about themselves and their jobs, so of course they'll never tell you what kind of nightmare Microsoft and their second rate software is, and how much they're to blame for the lousy security through the years.
    • Microsoft has improved greatly in security

      And talk to an average IT
      business is slow
      • My post was a reply and is no longer displayed


        Your points have absolutely nothing to do with the points in my post. In fact, they have nothing to do with this entire topic.

        BTW thanks ZDNet. What a pointless destination this site is. Nothing fair or balanced here. so keep up the rotten work. I won't be back.
    • Sure, sure.

      @Mikael_z

      Wasn't Apple hit pretty hard this past summer with Mac Guard and Mac Defender? Now, who do you think caused that?

      Oh, and doesn't Lion have a password bug too? Where's Apple's security? Eh?

      how easy do you think it would be to fool an inept user into installing crap on Linux too? "Hey, buddy, your computer is out of date... Download this, and when you go to install it, type 'sudo....' in the command line, then you'll be all set!"

      Security isn't a Windows only thing. Enough of the FUD.
      The one and only, Cylon Centurion
      • "...who do you think caused that?"

        @Cylon Centurion

        Maybe it was the Windows users that defected to the Mac because they were sick of the relentless stream of exploits targeting Windows and incessant patching and upgrading?

        It was not the Mac users that started with OS alternatives to Windows. These people were smart enough to know that their Mac was not compromised and dismissed the social engineered exploit without much thought. Fortunately, a lot of intelligent Windows defectors did so as well. It is the Windows user base that is taught to be so afraid of malware that they become easy to compromise with social engineering.

        Just FYI, in 25 years of using Windows, the only successful exploit that I have seen was Blaster that took out the entire corporate enterprise. In almost 5 years of Mac and 12 years of Linux usage, I have never seen or detected a single malware incident.

        And no I do not run AV with anything but Windows, which must be totally locked down and crippled by malware protection. How many times have you been working on Windows and have it slow to a crawl, just to find that the McAfee, Symantec or other AV "product" had initiated a scan? Or booted your laptop to check something real fast and have it immediately start a virus scan because it was off when the scan was scheduled? Just gotta love that, uh?

        "how easy do you think it would be to fool an inept user into installing crap on Linux too?"

        Actually, most people don't have enough skill to install anything that isn't in their Linux distro's repository and accessed with their package manager. Those packages are well vetted and quite reliable. I am probably not the only person to suggest that you use Linux before trying to criticize it. Also, to quote you and your colleagues, "why would anyone bother to create malware for an OS that no one uses?"

        Really, I do love hearing people try to declare the tripe over and over hoping that everyone will eventually believe in it. It's sooo funny! LOL :)