Interesting article out of CIO magazine about Vista, and that while it is a highly secure operating system, with some neat things it can do, it still is not invulnerable to those programs that require social engineering to get the user to do something.
For as long as there have been people, there have been people who will do crazy things. PT Barnum stated that “there is a sucker born every minute” and the social engineering aspects of cyber crime are not something that is so easily dismissed. Is there any operating system out there that is invulnerable to the person sitting behind the keyboard?
We joke about the end user, ID-10-T errors. However the reality is that social engineering works, and works really well.
People, including experienced information security folks will click on that link, fall for a phishing scam, and not look to make sure that the web site they are dealing with is really the one that they need to be dealing with.
“Remarkably, with the new operating system (Vista) just released to business, the software giant said in effect that there is nothing it can do about the threats in question — Stratio-Zip, Netsky-D and MyDoom-O — because they rely on social engineering to invade systems. The three threats together account for 39.7 percent of currently circulating malware, according to Sophos. “Based on our initial investigation, Microsoft can confirm that these variants do not take advantage of a security vulnerability, rather they rely on social engineering to infect a user’s system,” Microsoft said in a statement”. (CIO Magazine).
Acknowledging the human condition, and our ability to be fooled, we still have an up hill road to work with in the longer run. While we must love our users, the issue is that point of human frailty when someone we know clicks on something we know that they shouldn’t have.
While we develop more secure operating systems, more secure web applications, and in general learn how to develop software so that it is harder to shatter, we are still rounding on the same issue that we have had for many years.
We still need to educate our users, if not annually then quarterly on the dynamics of social engineering, and while it is ok to trust, no one should be trusted equally on the internet.
The answer is still no, you did not win the European Lottery that you didn’t enter, you do not have an unknown relative who lives in Nigeria with 10 million dollars to send you, you did not win any prize, there is no reward, no, people do not really send you random love notes, and if someone wants you to cash their payroll check for them, you should really be wary of that.
Tag:
Add to Del.icio.us | Digg | Reddit | Furl
Dan Morrill has been in the information security field for 18 years, both
civilian and military, and is currently working on his Doctor of Management.
Dan shares his insights on the important security issues of today through
his blog, Managing
Intellectual Property & IT Security, and is an active participant in the
ITtoolbox blogging community.