Social engineering - where the user is the weakest link
Anyone who has been hit by a computer virus will be doubly wary in the future of unexpected e-mails that may contain viruses. So why do people still keep clicking on attachments? Whatever security technology a company deploys, human nature will always be the weakest link in the chain.
With the problem of spam growing daily, accounting for around 90% of e-mail traffic in the US by some estimates, companies are fighting an uphill battle to purge spam from their networks. But what is spam to one user is a legitimate communication to another. For example, a low-price mortgage offer might be just what one user had been waiting for, whereas another will find it an unwanted intrusion.
Many vendors offer technology that inspects e-mails to see if they contain code associated with known attacks and blocks them from entering the system. However, many companies have a policy of quarantining suspicious e-mails so that users can decide for themselves whether or not to open them.
The situation is made worse by the fact that most of us have private e-mail accounts, and a great many people work at least some of the time from home, often connecting directly to the internet and bypassing the security controls put in place by their companies. This leads to the phenomenon of walk-in worms, where viruses are picked up on unprotected computers and propagate rapidly when those computers are reconnected to the corporate network.
With the security technologies that are available today, this sounds like a problem that companies should be on top of. But they are fighting a tough battle as the number and type of communications devices, such as instant messaging systems and wireless networks, expands, increasing the number of ways in which users can be targeted.
Technology is not enough. For security technologies to be effective, users must be trained in what the dangers are and what standard of behaviour is expected of them. For example, strict sanctions should be applied to individuals who bypass security controls by plugging their computer modems directly into a network connection, or to those who store their account names and passwords in clear text on their computer or on a note left next to it.
Most people today would realise that such behaviour would leave them vulnerable to attack, but hackers are adept at finding new vulnerabilities in human nature. This is what people call social engineering, and it is nothing new. People have long tried to con unsuspecting members of the public into giving away personal information that can be used to steal their identity. But the widespread use of computers ups the ante. This can be seen in the exponential rise in identity theft, where computer users are tricked into giving away personal information via e-mails or spoofed web sites, as well as in the number of people tricked into opening e-mail attachments from messages that appear to be interesting and relevant to them.
Deploying security technology is a good start, but hackers are becoming increasingly sophisticated in the way that they target users, and virus writers are focusing their efforts on designing messages so that they appear to be relevant and to come from trusted sources. For example, they are starting to use more benign attachment types, such as the recent virus that was contained in JPEG files. Many users are used to receiving images in e-mail messages from their friends and colleagues and will not think twice about opening such attachments. Increasingly, attackers are also spoofing e-mail addresses so that messages appear to come from a trusted source, such as the user's ISP.
Technology vendors are bringing out increasingly sophisticated solutions, but hackers and virus writers are staying one step ahead in their efforts to con users. This is something that will not go away any time soon, with social engineering predicted to be one of the most important and fast-growing trends over the next few years. To prevent the problem from growing, users need to be educated about the value of the information contained in computer networks, the measures they should take to protect it from being compromised, and how social engineers operate.
By Fran Howarth, Bloor Research. Copyright © 2004, www.IT-Analysis.com