Employees, Not Hackers, Are the Biggest Threat to Security

The Department of Homeland Security will release new guidance today intended to make the software that runs the Web less susceptible to malicious hacks. DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers. These are often common software errors that can lead to "zero-day" exploits, attacks on flaws for which no fix is yet available.

According to the Times, the No. 1 error on the list is the programming error that leads to SQL-injection attacks against servers, a technique that groups like LulzSec and Anonymous have used to access supposedly secure information. The guidance will include "vignettes" for various industry verticals, like banking and manufacturing, according to the Times, and will highlight which vulnerabilities are most frequent in the types of software each vertical uses.

Not Always a Tech Issue

While groups like Anonymous and LulzSec (which reportedly is disbanding) use technical attacks such as SQL injection, the greatest threat to security within the government and large corporations does not come from programming vulnerabilities. It is their employees. Bloomberg published an in-depth article on June 27 titled "Human Errors, Idiocy Fuel Hacking." That may seem like an outrageous accusation, but remember that one of the biggest security leaks in recent history (WikiLeaks) was the result of one person with physical storage (a CD) and access to confidential files. All Bradley Manning needed to do was put the disc into a computer and start downloading.

Bloomberg reports that DHS staff secretly dropped CDs and USB drives in the parking lots of government buildings to see whether they would be picked up and put into a computer. Of the ones that were picked up, 60% were plugged in; for the ones bearing an official logo, the figure was 90%. It is one thing for an average citizen to pick up a USB drive marked "DHS" and put it into a computer, but another entirely for government workers supposedly trained on security risks to do so. It is reminiscent of the movie "Burn After Reading," in which Brad Pitt's character finds a CD filled with another character's bank records and thinks it is top-secret information.

Bloomberg also notes that social engineering attacks are growing more sophisticated and are on the rise. According to security company Symantec's monthly State of Spam and Phishing report, phishing attempts rose 6.7% between June 2010 and May 2011. Phishing has become more targeted, with "spear phishing" aimed at specific groups of individuals and "whale phishing" aimed at C-level executives.

"Rule No. 1 is, don't open suspicious links," Mark Rasch of Computer Sciences Corporation told Bloomberg. "Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2."

Once a phishing target clicks on a malicious link, it is likely that one of the top 25 software errors listed in the DHS guidance is being exploited to gain a foothold on the victim's machine. When it comes to security, the fact of the matter is that an organization's own people are the biggest threat, not some esoteric group of hackers living in the Internet ether.

ReadWriteWeb (www.readwriteweb.com) is a weblog created by Richard McManus that provides Internet technology news, reviews, and analysis covering web apps, web technology trends, and social networking. Reprinted with permission.
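The No. 1 error on the list is the one behind SQL injection. The following is an added example, not code from the article or from the DHS/SANS/Mitre guidance, showing a login check written the vulnerable way beside the parameterized version. It runs against a constructed in-memory SQLite table with a hypothetical users schema and two classic attacker inputs, so the reader can see exactly what "supposedly secure information" gives way to.

```python
import sqlite3

# Constructed sample data for this example (plaintext passwords only to keep
# the demonstration short; a real system stores password hashes, not passwords).
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The top-25 error (CWE-89): user input is pasted into the SQL text.

    Whatever the caller types becomes part of the query grammar, so a quote
    in the input can end the string literal and append new conditions or a
    comment that removes the rest of the WHERE clause.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """The same check with bound parameters: the input is data, never SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Two classic payloads. The first relies on AND binding tighter than OR, so the
# WHERE clause becomes (username='alice' AND password='') OR '1'='1', which is
# true for every row. The second closes the quote and comments out the password
# check entirely, so any password "works" for the named user.
TAUTOLOGY_PASSWORD = "' OR '1'='1"
COMMENT_USERNAME = "alice' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology:", login_vulnerable(conn, "alice", TAUTOLOGY_PASSWORD))
    print("vulnerable, comment:  ", login_vulnerable(conn, COMMENT_USERNAME, "wrong"))
    print("safe, tautology:      ", login_safe(conn, "alice", TAUTOLOGY_PASSWORD))
    print("safe, comment:        ", login_safe(conn, COMMENT_USERNAME, "wrong"))
    print("safe, real password:  ", login_safe(conn, "alice", "correct horse"))
```

Running the block shows the vulnerable function returning the admin row for both payloads without a valid password, while the parameterized function returns nothing for either and succeeds only for the real credentials. The fix is not input filtering but the query shape: once the SQL text is fixed at development time and values are bound separately, no input can change what the statement does.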