Threat Research & Response Blog
When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers to a characteristic of a system that renders it susceptible to some form of attack. Kind of like a weakness, but a weakness that does not necessarily indicate a problem with the system’s design.
Vulnerabilities may be present in any component of the targeted system. You can have vulnerabilities in the hardware that supports the system, or vulnerabilities in the software that runs on the system, but you can also have vulnerabilities that occur as people use the system, or in the people themselves. People, both literally and figuratively, can be soft targets and attackers often try to compromise systems by attempting to exploit how people behave.
This type of attack is known as social engineering. Essentially, in social engineering, attackers attempt to exploit vulnerabilities in human behavior in order to make the victim being targeted act in a manner of the attacker’s choosing, even though that is unlikely to be in the victim’s best interest. So rather than exploiting vulnerabilities in hardware or software, social engineering attempts to exploit vulnerabilities in the ‘wetware’ (i.e. the people).
Examples of social engineering techniques used by malware for distribution or other purposes can range from the simple yet effective ("Install this codec in order to watch this amusing video"), to the elaborate and complex (most Rogue security software), to the targeted (by taking advantage of existing trust relationships using specially compromised accounts or services).
So, you can upgrade your hardware and update your software (and we absolutely recommend that you do), but how do you upgrade/update people to make them less vulnerable to attack? It’s a classic question in computer security but there are measures you can take that will make the people in your organization less likely to be compromised in this manner.
The latest issue of the Microsoft Security Intelligence Report (SIRv11) contains detailed advice for IT professionals and organizations on how to limit exposure to social engineering attacks. The section 'Advice to IT Professionals on Social Engineering' (p42) provides a number of tangible steps that can be taken to protect an organization from this most nefarious of attacks.
Highly recommended reading for any organizations that contain people...
Heather Goudey MMPC Melbourne