
The US Department of Homeland Security (DHS) plans to join forces with two institutions, the SANS Institute and MITRE, to release a document meant to familiarize the general public with the vulnerabilities in the software that most of the web runs on, and thereby make it less susceptible to the kind of attacks seen recently, not least those carried out by LulzSec and Anonymous.
According to The New York Times, this will be a list of the 25 most common software errors that can lead to serious and critical compromises of various systems. The idea is simple: teach private companies and government organizations about the channels and tools that hackers use to obtain confidential information or gain access to servers. As a rule, the same attacks or software bugs are reused from one intrusion to the next.
According to the NYT, first on the list is the error that leaves a server exposed to SQL injection, which both of the hacker groups already mentioned used to extract data.
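As an added illustration (not from the article, and not code from the SANS/MITRE list), the following Python snippet shows the error described above next to its fix: a lookup built by string formatting, which lets input rewrite the WHERE clause, beside the same lookup using parameter binding, where input is only ever treated as data. The table, rows and the test input are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample database for the example; in-memory so it runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The SQL text is assembled with the raw input, so quotes and operators in
    # the input become part of the query's syntax. This is the error the list
    # ranks first.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # The driver binds the value to the '?' placeholder; the database never
    # parses the input as SQL, whatever characters it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    # Runs both lookups on an ordinary username and on a constructed input
    # that, when interpolated, turns the WHERE clause into an always-true test.
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the interpolated query the constructed input returns every row in the table; with the bound parameter it returns nothing, because no user is literally named `x' OR '1'='1`. The fix is not input filtering but using the driver's parameter binding for every query that carries user-supplied values.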
The manual will include specific recommendations for various rigidly vertical structures, such as banks or factories, explaining which vulnerabilities are most critical in various types of software and how attackers use them.
And although LulzSec (disbanded, or maybe not) and Anonymous distinguished themselves by the intelligence and ingenuity of their methods, the greatest danger both to the state and to corporations is not software errors but their own employees.
This week, Bloomberg published a wonderful article, “Human errors, idiocy feeding hacking”, which looks quite deeply at the human factor behind the leakage of valuable data (after all, it is not the system itself that does the damage in a breach). And although at first glance this may seem like a groundless accusation, let's not forget that the biggest leak in modern history, WikiLeaks, came about solely because one person with a storage medium had access to confidential information. According to people well acquainted with the situation, all Bradley Manning needed to do was insert the disc into the computer and start copying.
The most remarkable thing in the DHS story is the artistry with which they went about testing their conjectures about idiocy as such. Agents scattered CDs and USB drives in the parking lot of a public institution to check how many of them would be picked up and eventually plugged into a computer. It is not reported what share of the total eventually migrated into the pockets of employees arriving at work (I suppose it was considerable), but in the end plain flash drives and discs were loaded in 6 out of 10 cases, and those bearing the official logo (SIC!) in more than 90% of cases.
It's one thing when an average citizen picks up a flash drive or a disc marked “DHS” from the ground, and quite another when it is done by an employee of a state organization who has been specifically trained in the possible risks and security threats, with exactly such examples. The story with the scattered discs is very similar to the events of the film “Burn After Reading”, in which Brad Pitt finds a CD with someone else's banking information and thinks it is top-secret material.
Another interesting “fad” described in the Bloomberg piece concerns attacks based on social engineering, which in recent years have become increasingly sophisticated and effective. According to the Symantec State of Spam and Phishing report (released monthly), the number of phishing attacks has increased by 6.7% over the past year. I personally, I confess, am particularly amused by the names of some subspecies of such “fishing”: for example, “fishing with a spear”, or “spear phishing”, is highly targeted and focuses on specific individuals or groups, while “whale phishing” targets representatives of middle management.
The words of Mark Rasch of Computer Sciences Corporation are quoted in full: “Rule No. 1: do not open suspicious links; rule No. 2: see rule No. 1; rule No. 3: see rules 1 and 2.”
As soon as a phishing target follows a link that exploits one of the 25 listed weaknesses, most likely everything DHS writes in its message “to the people” will be rendered moot on the spot. When it comes to security (and not only information security), the essence is that the greatest threat to any organization or structure is the people working in it, not some esoteric group of hackers living on the Internet.
Sources: Bloomberg, The New York Times, ReadWriteWeb