The biggest threat is a company's own employees

    The U.S. Department of Homeland Security plans to join forces with two institutions, the SANS Institute and MITRE, to release a document that familiarizes the general public with the vulnerabilities in the software that runs most of the web, so as to make it less susceptible to the kind of attacks seen recently, not least those carried out by LulzSec and Anonymous.

    According to The New York Times, this will be a list of the 25 most common software errors that can lead to serious and critical compromises of various systems (published as the CWE/SANS Top 25 Most Dangerous Software Errors). The idea is simple: to teach private companies and government organizations about the channels and tools that attackers use to obtain confidential information or access to servers. Typically such intrusions exploit common, well-known holes or software bugs rather than anything exotic.

    According to the NYT, the first entry on the list is the error that leaves a server open to SQL injection, which is exactly what the two hacker groups already mentioned used to extract data.
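As an added illustration (this code is not from the article, nor from Bloomberg, the NYT or the CWE/SANS document), here is the error that tops the list, SQL injection, as a vulnerable login check in Python beside its parameterized fix, plus a lookup that shows the same bug being used to pull data out of the table. The schema, the accounts, the plaintext passwords and the attacker strings are all constructed for the demo.

```python
"""Added example: SQL injection in a login check, the vulnerable form beside
the parameterized fix. Table, accounts and attacker inputs are constructed for
the demo; real code would store salted password hashes, not plaintext."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("admin", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The top-of-the-list error: user input concatenated into the query text.
    Quotes in the input become part of the SQL, so the attacker rewrites the
    WHERE clause instead of supplying a value."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The fix: bound parameters. The driver passes the values separately
    from the query text, so quotes in the input are data, never syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def dump_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """A lookup by name with the same concatenation bug, used to show that
    injection also extracts data: a UNION appends the attacker's own SELECT
    and a trailing comment (--) swallows the closing quote."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Constructed attacker inputs.
BYPASS = "' OR '1'='1"                             # makes the WHERE clause always true
EXFIL = "x' UNION SELECT password FROM users --"   # appends a second query


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected password:", login_vulnerable(db, "admin", BYPASS))
    print("parameterized login, same input:    ", login_safe(db, "admin", BYPASS))
    print("passwords pulled through the lookup:", dump_vulnerable(db, EXFIL))
```

With the vulnerable check, the injected password turns the query into `... AND password = '' OR '1'='1'`, which matches every row, so the attacker is logged in as admin without knowing any password; the parameterized version compares the same string literally and rejects it. The lookup shows the data-extraction side: the UNION returns the password column instead of the name column, which is the pattern behind the database dumps the article refers to.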

    The guidance will include specific recommendations for particular industry verticals, such as banking or manufacturing, explaining which vulnerabilities are most critical in each type of software and how attackers exploit them.

    And although LulzSec (now defunct, or maybe not) and Anonymous showed ingenuity and wit in their methods, the greatest danger for both the state and corporations is not software errors but their own employees.

    This week Bloomberg published a wonderful article, "Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy", which takes a fairly deep look at the human factor behind leaks of valuable data (after all, a break-in that has no consequences does no damage to the organization; the leak is what hurts). And although at first glance this may seem like a baseless accusation, let's not forget that the largest leak in modern history, the WikiLeaks cables, happened solely because one person with a removable drive had access to confidential information; people familiar with the situation said that all Bradley Manning had to do was insert a disc into the computer and start copying.

    The most remarkable part of the story is the artistry with which the U.S. Department of Homeland Security set out to test its hunch about idiocy per se. Agents scattered CDs and USB drives in the parking lots of government office buildings to see how many would be picked up and eventually plugged into a computer. It is not reported what share of the total ended up in the pockets of employees arriving at work (I assume a considerable one), but in the end plain flash drives and discs were plugged in in 6 out of 10 cases, and those bearing an official logo (sic!) in more than 90% of cases.

    It's one thing when an average citizen picks up a USB flash drive or disc labelled "DHS", and quite another when it is done by an employee of a government organization who has been specifically trained about possible risks and security threats, including with exactly this kind of example. The story of the scattered discs closely resembles the plot of the film "Burn After Reading", in which Brad Pitt's character finds a CD containing someone else's banking information and takes it for top-secret material.

    Another interesting trend described in Bloomberg's piece concerns social engineering attacks, which are becoming more sophisticated and more effective. According to the State of Spam and Phishing report from Symantec (issued monthly), the number of phishing attacks has grown by 6.7% over the past year. I personally admit that I am particularly pleased with the names of some subspecies of such "fishing": for example, "spear phishing" is highly targeted and focuses on individuals or small groups of them, and "whaling" or "whale phishing" aims at senior executives.

    The words of Mark Rasch of Computer Sciences Corporation are quoted in all their glory: "Rule number 1: do not open suspicious links. Rule 2: see rule 1. Rule 3: see rules 1 and 2."

    As soon as a phishing target follows a link that exploits one of those 25 errors, everything DHS writes in its message "to the people" will most likely be compromised on the spot. When it comes to security (not just information security), the bottom line is that the greatest threat to any organization is the people working in it, not some esoteric group of hackers living on the Internet.

    Sources: Bloomberg, The New York Times, ReadWriteWeb