This Man Has a Virus

If a respectable-looking person handing out sample CDs on the street offered you one, would you take it home and run it? If he handed it to you on your commute to the office, would you run it at work? If someone called and said she was with IT and needed your computer's password, would you give it? If you said yes to any of these questions, you're a prime target for social engineering.

Social engineering tries to bypass security altogether by fooling the user. As operating systems and applications become harder to exploit directly, attackers increasingly rely on social engineering to compromise systems and reach high-value data. Phishing attacks, Trojan horses, and many viruses use social-engineering tactics to trick users into compromising their own computers.

The stakes are higher than just losing data on a compromised system: A single PC can become a springboard within a company's network from which attackers launch further attacks. Insider attacks, whether executed by malicious employees or by workers ignorant of the risks, are the most expensive class of cyber threats. Because companies need to let employees work without stringent security measures, an insider can do extensive damage before being detected.

A year ago, law enforcement agencies announced that Sumitomo Mitsui Bank had foiled an attempt to steal $423 million after detecting suspicious money transfers. An investigation revealed a key-logger—a program that records keystrokes—installed on an employee's system.

Many workers aren't aware of the risks. In a recent study, The Training Camp, a U.K. firm focused on training workers in information technology, handed out CDs with a simple Trojan horse program to people at a subway station. The CDs didn't do anything malicious, but phoned home when run on a computer, the company said. Employees at banks, insurance companies, and other businesses obligingly put the CDs into their work computers and ran the program. A few years ago, a similar study found that as many as 90 percent of people gave their passwords to a person conducting a survey.

Education is critical for defanging social engineering. Though many users know to be wary of questionable e-mail attachments, a person handing out official-looking CDs adds a layer of trust to the equation. The Sony BMG copy-protection system, which silently installed rootkit-style software when a music CD was played on a PC, is an extreme example of that: People trusted the brand to such an extent that no one thought to check for questionable code.

The need to protect users from themselves has Microsoft and other software makers building security decisions into their software rather than leaving them to the user. Microsoft's next browser, IE 7, will switch to a green address bar when the site presents an Extended Validation certificate, a stronger signal of site identity than a plain padlock. And Windows' built-in personal firewall will be able to control which applications are allowed to open outbound connections to the Internet, so a program the user runs cannot silently report back to its author.
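The Training Camp experiment and the firewall paragraph above describe the same control from two sides: a program run from a found CD tries to "phone home", and a per-application outbound rule stops it even though the user willingly ran it. The following Python is an added example written for this page, not code from PCMag, Microsoft, or The Training Camp; the process paths, address ranges, removable drive letters, and the sample connection events are all constructed assumptions.

```python
# Per-application outbound ("egress") allowlist, modelled on the kind of
# personal-firewall control described in the article: an image that is not
# approved may not reach the Internet, so a "phone home" tool run from a CD
# found in the street is blocked even though the user chose to run it.
# Example code added for illustration; policy values, process paths, drive
# letters and sample events are all constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ConnectAttempt:
    process: str    # full image path of the process opening the connection
    dest_ip: str    # destination address
    dest_port: int  # destination port


# Assumed corporate policy: only these images may open Internet connections.
ALLOWED_PROCESSES = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\microsoft office\office12\outlook.exe",
}
# Destinations inside these ranges are the corporate LAN, not the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Images started from removable media (assumed drive letters) are never trusted.
REMOVABLE_DRIVES = ("d:\\", "e:\\")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(attempt: ConnectAttempt) -> tuple:
    """Return (verdict, reason) for one outbound connection attempt.

    Order matters: internal traffic is always allowed so the rule cannot break
    line-of-business applications; removable media is rejected before the
    allowlist so a copy of an approved binary placed on a CD does not inherit
    that binary's approval.
    """
    image = attempt.process.casefold()   # Windows paths are case-insensitive
    if is_internal(attempt.dest_ip):
        return "allow", "internal destination"
    if image.startswith(REMOVABLE_DRIVES):
        return "block", "image runs from removable media"
    if image in ALLOWED_PROCESSES:
        return "allow", "image on outbound allowlist"
    return "block", "image not on outbound allowlist"


def blocked(attempts):
    """Events a security team would want to review: every denied attempt."""
    return [(a, decide(a)[1]) for a in attempts if decide(a)[0] == "block"]


# Constructed sample: what a host might see after an employee inserts the CD.
SAMPLE_ATTEMPTS = [
    ConnectAttempt(r"C:\Program Files\Internet Explorer\iexplore.exe", "203.0.113.10", 80),
    ConnectAttempt(r"D:\setup.exe", "198.51.100.7", 443),       # the CD "phoning home"
    ConnectAttempt(r"C:\Users\alice\AppData\Local\Temp\update.exe", "198.51.100.7", 443),
    ConnectAttempt(r"D:\setup.exe", "10.20.30.40", 445),         # LAN file share: allowed
]

if __name__ == "__main__":
    for attempt, reason in blocked(SAMPLE_ATTEMPTS):
        print(f"BLOCK {attempt.process} -> {attempt.dest_ip}:{attempt.dest_port} ({reason})")
```

The point of the ordering in `decide` is that trust is attached to the image path, not to the user's intent: the employee who runs `D:\setup.exe` has already been fooled, so the decision has to be made by policy that does not ask them. A real deployment would also log the blocked attempts centrally, since a burst of denied outbound connections from removable media is exactly the signal the Training Camp study was designed to produce.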

The threat will only worsen. Security professionals have seen evidence of more sophisticated social-engineering attacks, frequently aimed at just a few people within an organization. Computer security incident-response groups in the U.K., Canada, and Australia have confirmed such attacks.

Security is only as good as the weakest link. And most often, the weakest link is the human one.

Robert Lemos is a freelance technology journalist and the editor-at-large for SecurityFocus.