How to toughen the weakest link in the security chain

Computerworld - The guiding tenet of computer security is that an organization's overall security is only as strong as its weakest link. While organizations around the globe routinely employ the use of powerful firewalls, antivirus software and sophisticated intrusion-detection systems to guard precious information assets, they often neglect the most important and vulnerable security component: the human element.

Without a license, we are not allowed to drive a car, fly a plane or practice medicine, yet we are free to surf the Internet and send and receive e-mail. While the use of the Internet doesn't have the same potential for causing harm as flying a plane without a license, the use of the Internet nevertheless has the potential to wreak havoc on an organization's networked PCs. Anyone with access to any part of the system, physically or electronically, is a potential security risk. Security is about trust, and trust is generally considered the weakest link in the security chain.

Social engineering is the science of getting people to comply with your wishes and concentrates on the weakest link of the computer security chain. When it comes to defense against malicious code, social engineering is one factor of virus delivery that's certain to improve over time and become harder to detect.

Because e-mail messages can include file attachments, malicious individuals will send infected files incorporated as attachments with a catchy subject line in the hope that recipients will open them. This was precisely the case with the infamous AnnaKournikova worm, the Melissa virus and the Naked Wife Trojan horse. Using the psychology of temptation, the creators of both AnnaKournikova and Naked Wife enticed a large segment of the Internet population into opening the attachment, thereby activating the virus. Even the famous "I Love You" virus spread rapidly because the e-mail message it was attached to appeared to be a genuine sign of affection from someone the recipient knew.

How to defend the organization

	Douglas Schweitzer is an Internet security specialist with a focus on malicious code. He is the author of Internet Security Made Easy: A Plain English Guide to Protecting Yourself and Your Company Online (Amacom Books, 2001) and Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans (John Wiley & Sons, 2002).

Social engineering has employed a number of ways to entice unsuspecting users into opening e-mail attachments, from pornography to phony security warnings and advice. So how do organizations defend against such attacks? The only protection against social engineering attacks is through education of your employees.

Network defenses will certainly be enhanced when employees are motivated (but not scared) to adopt a common-sense approach to security and are trained to recognize possible security problems. This can be accomplished through an awareness and education program. The best training doesn't present IT security as just another policy of the organization, but highlights the consequences of poor security practices. To diminish the risks posed by malicious code, the National Infrastructure Protection Agency offers the following tips to mitigate these types of threats:

1. Close the preview pane of your e-mail program. The preview pane is the feature that shows you the contents of an e-mail before you choose to open it. It's often displayed below the pane that displays a list of e-mails, their titles and time of receipt or transmission.
   1

   2

   Next »