Who's the Weakest Link?
This posting discusses the findings of an online survey carried out by Sophos.
"The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network."
The problem is somewhat more fundamental than this survey would have you believe. The problem isn't just that employees [whichever group they fall into] are a risk; the real root of the problem is that people are the weakest link in security[1]. Let me explain how I know this:
You only have to look around to see people taking risks with their personal and/or computer security.
It's even worse when they behave the same way on their employer's computers or network: ignoring security policy/rules; opening attachments they shouldn't; visiting websites to retrieve e-cards or to view questionable or illegal material; disabling security tools to speed up the computer; giving away personal or proprietary information; or possibly hacking into systems for either fun or profit.
The worst of it all is when 'good' people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]
The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victim's computer, just as the scammers know that social engineering makes them the most money, as more victims fall for this approach than any other. I have already blogged about the 'human element' in security [or should that be insecurity? ;-)] a number of times before, be it 'click-a-holics', e-cards, lottery/grant notifications, 419 and phishing scams, lost friends or relatives, hoaxes; in fact the whole enchilada.
This year has seen the bad guys and girls use social engineering as their number one infection vector. Rarely do they now include a coded infection routine in their malware; they just get the recipient to infect their own computer. It works very well and means they have less work to do to create new malware.
Here's a good and timely example:
An Adobe Acrobat [PDF] vulnerability was first disclosed on September 20th, 2007. Here's some data from Symantec about what the bad guys and girls did with it:
"One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.
The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:
- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf
If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe."
In other words, once you have been socially engineered and you've opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours; it belongs to the bad guys and girls.
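As an added illustration of the "other mitigating technologies" a mail gateway could apply, here is a small triage routine (example code written for this post, not from Symantec or the original author) that scores inbound messages against the lure shape quoted above: a billing-themed subject, a lone PDF attachment, an empty body, and the attachment names Symantec listed. The sample records, the sender addresses and the scoring thresholds are all constructed for the example.

```python
"""Gateway-side triage for the invoice/statement/bill PDF lure.

Constructed example: the records below are made up, and the thresholds are
illustrative. It gates on the shape of the lure only; it cannot tell whether
a PDF actually carries an exploit, so it complements patching, not replaces it.
"""
import re
from dataclasses import dataclass

# Subject words and attachment names as quoted from Symantec in the post.
# "STATEMET.pdf" is kept exactly as the post quotes it.
LURE_SUBJECT_WORDS = ("invoice", "statement", "bill")
KNOWN_LURE_NAMES = {"invoice.pdf", "your_bill.pdf", "bill.pdf", "statemet.pdf"}

QUARANTINE_SCORE = 3  # hold for review at or above this score
NOTICE_SCORE = 2      # log, but deliver, at this score


@dataclass(frozen=True)
class MailRecord:
    sender: str
    subject: str
    attachments: tuple  # attachment filenames as received
    body_chars: int     # length of the text body, 0 = message is just the file


def triage(rec: MailRecord):
    """Return (score, reasons) for one message.

    Scoring (constructed for this example):
      +1 billing-themed subject word
      +1 any .pdf attachment
      +2 attachment name matches a quoted lure filename
      +1 no body text at all (the lure "just contains the .pdf file")
    """
    score, reasons = 0, []
    subject = rec.subject.lower()
    if any(re.search(r"\b" + w + r"\b", subject) for w in LURE_SUBJECT_WORDS):
        score += 1
        reasons.append("billing-themed subject")
    names = [a.lower() for a in rec.attachments]
    if any(n.endswith(".pdf") for n in names):
        score += 1
        reasons.append("pdf attachment")
    if any(n in KNOWN_LURE_NAMES for n in names):
        score += 2
        reasons.append("known lure filename")
    if rec.attachments and rec.body_chars == 0:
        score += 1
        reasons.append("attachment with empty body")
    return score, reasons


def verdict(rec: MailRecord) -> str:
    """Map a triage score onto a gateway action."""
    score, _ = triage(rec)
    if score >= QUARANTINE_SCORE:
        return "quarantine"
    if score >= NOTICE_SCORE:
        return "deliver-and-log"
    return "deliver"


# Constructed sample records (addresses are placeholders, not real senders).
SAMPLE_RECORDS = (
    MailRecord("accounts@partner.example", "Invoice", ("INVOICE.pdf",), 0),
    MailRecord("billing@erp.example", "Your monthly statement",
               ("statement_2007_09.pdf",), 412),
    MailRecord("colleague@corp.example", "Lunch on Friday?", (), 120),
)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        score, reasons = triage(rec)
        print(f"{verdict(rec):16} score={score} {rec.subject!r} {reasons}")
```

The second record shows the limitation: a legitimate statement with a PDF scores 2 and is only logged, while an unpatched Reader would be just as exposed to it if it were malicious. Filename and subject matching catches the campaign as quoted; it does not catch the next campaign that renames its files, which is why the patch below is the real fix.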
So, what can you do to stop this particular threat [not social engineering in general]?
You can install the 'official' patch for Acrobat Reader from here, or the 'official' Acrobat Reader update from here. Trust me, I'm a security specialist ;-)
Maybe humans need to learn from the mistakes of others (history is littered with such material) so that they are less likely to repeat them, ad nauseam. Although I wouldn't bet on it happening anytime soon!
What do you think is the best way to stop people falling for social engineering?
Links to other stories/surveys on Social Engineering:
- Firms warned they are failing to block social engineering attacks
- Office workers give away passwords for a cheap pen
- What's the greatest security risk?
- You are the Weakest Link, Goodbye! - Passwords, Malware and You
- You are the Weakest Link, Goodbye! - Malware Social Engineering Comes of Age
[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link, as that is the place where it is most likely to fail. Just like a real chain.