

Employees, Not Hackers, Are The Biggest Threat to Security

The Department of Homeland Security will release new guidance today intended to make the software that runs the Web less susceptible to malicious hacks.

DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to the New York Times. The idea is to educate companies and organizations about the channels criminal hackers use to gain access to confidential information and servers: common software errors, including the kind that are exploited as “zero day” bugs before a fix exists.


According to the Times, the No. 1 error on the list is the programming mistake that makes servers vulnerable to SQL-injection attacks, the technique groups like LulzSec and Anonymous have used against databases to pull out supposedly secure information.
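To make the top-ranked error concrete, here is an added example (not code from the article, DHS, SANS or Mitre) showing the mistake beside its fix. The login function builds its query by splicing user input into the SQL text; the hardened version uses driver placeholders. The user table, accounts, passwords and the two attack payloads are all constructed sample data held in an in-memory SQLite database, so the script runs offline.

```python
import sqlite3

# Constructed sample data: a throwaway user table for an in-memory database.
SAMPLE_USERS = [
    ("alice", "correct horse battery", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The SQL-injection error (CWE-89): untrusted input is spliced into the
    query text, so the database parses the attacker's input as SQL."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: placeholders. The driver sends query text and values
    separately, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two constructed payloads supplied as the "username" field of a login form.
# The first closes the quoted string and comments out the password check;
# the second uses UNION to read every stored password out of the table.
BYPASS_USER = "alice' --"
DUMP_USER = "' UNION SELECT username, password FROM users --"


def demo():
    """Run both payloads through both implementations and return the rows."""
    conn = make_db()
    return {
        "legit_param": login_parameterized(conn, "bob", "hunter2"),
        "bypass_vuln": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "bypass_param": login_parameterized(conn, BYPASS_USER, "wrong"),
        # sorted() because UNION gives no ordering guarantee
        "dump_vuln": sorted(login_vulnerable(conn, DUMP_USER, "wrong")),
        "dump_param": login_parameterized(conn, DUMP_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

With the vulnerable function the first payload logs in as the admin without a password and the second dumps both accounts' passwords; the parameterized function returns no rows for either, because the quote and the `--` are just characters inside a username that matches nothing. The point of the fix is not escaping or filtering quotes but keeping data out of the parser entirely.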

The guidance framework will include “vignettes” for various industry verticals, like banking and manufacturing, according to the Times and will highlight which vulnerabilities are most frequent in the types of software they use.

Not Always A Tech Issue

While groups like Anonymous and LulzSec (which reportedly is disbanding) rely on technical attacks such as SQL injection, the greatest threat to security within the government and large corporations does not come from a list of programming vulnerabilities.

It is their employees.

Bloomberg wrote an in-depth article June 27 titled “Human Errors, Idiocy Fuel Hacking.” That may seem like an outrageous accusation, but remember that one of the biggest security leaks in recent history – the WikiLeaks cables – was the result of one person with physical storage (a CD) and access to confidential files. All Bradley Manning needed to do was put the disc into a computer and start downloading.

Bloomberg reports that DHS staff secretly dropped CDs and USB drives in the parking lots of government buildings to see whether they would be picked up and put into a computer. Of the drives that were picked up, 60% were plugged in; for drives bearing an official logo, the figure was 90%.

It is one thing for an average citizen to pick up a USB drive marked “DHS” and put it into a computer but another entirely for government workers supposedly trained on security risks to do so. It is reminiscent of the movie “Burn After Reading” when Brad Pitt finds a CD of another character’s bank records and thinks it is top-secret information.

Bloomberg also notes that social engineering attacks are on the rise and growing more sophisticated. According to security company Symantec’s monthly State of Spam and Phishing report, phishing attempts rose 6.7% between June 2010 and May 2011. Phishing has also become more targeted, with “spear phishing” aimed at a specific group of individuals and “whale phishing” aimed at C-level executives.

“Rule No. 1 is, don’t open suspicious links,” Mark Rasch of Computer Sciences Corporation told Bloomberg. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

Once a phishing target clicks on a malicious link, it is likely that one of the top 25 software errors listed in the DHS guidance is being exploited. Yet, when it comes to security, the fact of the matter is that an organization’s own people are the biggest threat, not some esoteric group of hackers living in the Internet ether.



Posted in General, Technology, Web.
