OCTOBER 19, 2006 | End users -- god bless `em. You canīt live with
`em -- but without them, you wouldnīt have a job. Theyīre the reason
you have an IT infrastructure; theyīre also the single greatest
threat to the security of that infrastructure.
Because, in the end, most users have no idea how dangerous their
online behavior is.
No matter how many times they train them, no matter how many classes
they hold, most IT professionals still watch helplessly as end users
introduce new malware because they "just couldnīt resist looking at
the attachment." Security pros cringe as their users download
software for personal use, turn off firewalls to speed up a
connection, or leave their passwords stuck to their laptops.
Wouldnīt it be nice if you could give end users a list of the most
dangerous things they do online every day, and then tell them why
those activities are particularly risky?
We thought so, too. The following is our list of "The Ten Most
Dangerous Things Users Do Online," along with some explanation of the
risks -- and solutions -- associated with each. This list was
generated directly from input weīve received from IT people like you,
and is arranged in descending order of danger, based on votes
received from the experts and analysts who make up Dark Readingīs
editorial advisory board.
Stick this up on the door to your office. Better yet, stick it up on
the company bulletin board -- or post it directly to each of your
users. If it keeps one user from making a big mistake, then weīll
have done our job -- and so will you.
(Editor's note: If there are other behaviors you'd like to flag, we'd
love to hear about them. Please send comments via the message board
associated with this story, not by email. All postings are completely
anonymous. Enjoy.)
Contents:
Page 2: Clicking on email attachments from unknown senders
Page 3: Installing unauthorized applications
Page 4: Turning off or disabling automated security tools
Page 5: Opening HTML or plain-text messages from unknown senders
Page 6: Surfing gambling, porn, or other legally-risky Websites
Page 7: Giving out passwords, tokens, or smart cards
Page 8: Random surfing of unknown, untrusted Websites
Page 9: Attaching to an unknown, untrustworthy WiFi network
Page 10: Filling out Web scripts, forms, or registration pages
Page 11: Participating in chat rooms or social networking sites
1. Clicking on email attachments from unknown senders
We know, we know. Havenīt we beaten this one to death already? With
all the computer training courses, news reports, magazine articles,
and memos from the IT department, are there any users left out there
who donīt know they arenīt supposed to open email attachments from
strangers?
Apparently, there are. IT managers, consultants, and other experts
maintain that of all the dangerous things corporate end users do,
opening email attachments is still the most potentially damaging.
Even with todayīs new range of exploits, email attachments are still
the most likely means of contracting viruses, worms, Trojan horses,
and other infections. And because these attachments usually contain
applications or executable files, they have the greatest potential to
instigate the complete takeover -- or destruction -- of an enterprise
PC.
But shouldnīt end users know this by now? An August survey by
security software vendor Finjan offers an interesting perspective. In
a straw poll of 142 U.K. office workers, Finjan found that 93 percent
of respondents knew that attachments and links found in email
messages could contain spyware or other forms of malicious code
embedded in them.
The problem isnīt that users donīt know the risks -- itīs that they
canīt help themselves, Finjan said. In the survey, 86 percent of the
workers admitted they open attachments and click on links without
being sure if itīs safe to do so. And despite frequent warnings, 76
percent of those surveyed said they routinely open what they assume
to be viral marketing files, such as funny videos, jokes, or
Websites.
"Itīs still the most dangerous thing end users do," says Richard
Stiennon, founder of IT-Harvest, an IT consulting firm.
2. Installing unauthorized applications
What do you mean, "no IM?"
If you're like many organizations today, prohibiting instant
messaging is out of the question. IM is rapidly becoming a standard
corporate communication tool, even as the number of IM exploits
rises. Like any other peer-to-peer application, instant messaging
comes with some serious risks, but once your users are hooked on IM,
they are hooked.
"IM is too useful to completely restrict. If you try to lock it down,
but don't provide any outlet for employees to stay in touch with the
outside world, users will find a way around your security policy,"
says Thomas Ptacek, a researcher with Matasano Security. "It's 2006.
Your users are going to use IM."
IM isn't the only peer-to-peer app your users may be installing on
their desktops. There's Kazaa and other free file-sharing utilities
that let users share documents, software, and music. But this freedom
has its cost. "These applications can increasingly be the source of
new viruses," says Rob Enderle, principal analyst with the Enderle
Group, an IT consultancy.
And like other unauthorized or unregulated communication, P2P apps
create the risk of bad stuff coming in and sensitive corporate or
personal stuff going out.
It's safest to standardize on one of the popular IM platforms, such
as AIM and MSN, for instance, says Ptacek. "The only question is
whether you're going to be able to monitor and control it or not."
The best defense is to ensure users have only user -- not admin --
privileges on their machines, says Daniel Peck, a security researcher
with SecureWorks. And have a written corporate policy about what
users can and can't do with these apps.
"And never install programs unless you know what they do, whether
they are 'comm' programs or otherwise," says Gary McGraw, CTO of
Cigital.
Your desktop firewalls can block specific ports, for instance, and a
host-based IPS can also help you lock down your desktops. "But that's
not foolproof," warns Peck. If your organization can't live without
instant messaging, you can require IM sessions to be encrypted, he
says.
3. Turning off or disabling automated security tools
It still happens: A user, frustrated by the slow performance of an
ISP link or the constant exclusion of specific types of files, finds
a way to turn off the firewall on his remote PC -- or even at a
branch office. Then, as if thatīs not bad enough, he "forgets" to
turn the firewall back on, leaving that site open to all sorts of
attacks until someone from IT finally recognizes the problem and
reactivates the barrier.
And it isnīt just firewalls: Every day, users reschedule automated
virus updates, remote security patch installations, or requests to
change their passwords. Security stuff, they say, is an
administrative hassle and keeps them from doing their "important"
work.
The disabling of carefully-evaluated, state-of-the-art security
technology might be the most dangerous thing that users regularly do,
according to the Enderle Group's Enderle. "This is what keeps many of
us [IT and security professionals] up at night," he says. "Security
applications take some overhead and may lower performance [of the end
station]. Folks will turn them off as a result."
Cigital's McGraw agrees. "Sometimes you just have to postpone the old
monolithic virus scan so you can get some work done," he notes.
"There's always a tradeoff -- make sure you make the right one."
Most enterprise firewalls and antivirus applications now contain
configuration options that enable IT to eliminate the "turn it off"
option from the userīs desktop, McGraw observes. In many cases, it
may be better to force the user to accept a patch or a slow ISP
connection -- and deal with the complaints -- than to leave the
companyīs systems open to remote attack, experts say.
4. Opening HTML or plain-text messages from unknown senders
While most end users today are aware, if not respectful, of the
dangers associated with opening email attachments from strangers,
many are not aware of the threats that may lie in a normal, everyday
text or HTML message that contains no enclosure. Most of these users
are those who have not updated their computer training lately, and
still labor under the illusion that only email attachments can
contain malware.
Many experts now believe that HTML mail poses a threat that may
eventually be as serious as the traditional email attachment. HTML
text -- and increasingly, images -- can be infected with spyware, and
in some cases, executable code. In July, experts at iDefense Labs,
the security research arm of Verisign, discovered a new, relatively
simple method of embedding shell code into commonly-loaded Web
images, such as computer graphics, online photos, or PDF documents.
(See Lethal Shell Game.)
HTML files may contain Java Scripts, ActiveX controls, or macros that
can allow an attacker to gain control of a PC or turn into a botnet
zombie, noted Finjan, in a White Paper issued last month. "The vast
majority of Web pages contain one or more types of active content,
with an unmistakable trend toward increasing use of active content in
Web pages," the company said.
In a study of the Web surfing habits of some 15,000 business users,
Finjan found that about 6.9 percent of HTML traffic contained at
least one content type that violated the security policy of the
enterprise involved. Studies such as these have caused some
enterprises to restrict the use of HTML email, or even disallow it
altogether.
"There is plenty of active-content spam out there, and phishers use
it, too," says Cigital's McGraw. "When in doubt, delete it without
looking at it. If it's important, real mail, the sender will try
again -- or maybe even pick up the phone."
5. Surfing gambling, porn, or other legally-risky sites
One of the oldest abuses of corporate Internet links, the downloading
of porn, gambling and other objectionable data is another still-
popular activity that falls into the "I thought we had that fixed"
category.
Most companies today have established that such content, even when
technically legal for consumers, could create a hostile working
environment for employees, subjecting the company to legal or
punitive action. Any human resources department will tell you that
these pursuits are a major no-no, and most IT professionals will tell
you that they have deployed some sort of content filter to restrict
access to objectionable content.
However, the problem still runs rampant in some organizations. In
fact, an investigation of the U.S. Department of the Interior
published last month turned up some alarming data regarding the
online surfing habits of its 80,000 employees.
In a study of one weekīs worth of computer logs, the U.S. Office of
the Inspector General (OIG) discovered over one million log entries
in which 7,763 DOI computer users spent more than 2,004 hours
accessing game and auction sites. Extrapolated over the course of a
year, these shopping and gaming binges could account for 104,221
hours of lost productivity -- more than $2,027,887 in lost costs, the
OIG said.
The OIG found that a significant number of employees were accessing
pornographic sites, many for periods of 30 minutes to an hour. Four
employees were found to have downloaded egregious volumes of
pornography, including child pornography, and each was prosecuted and
sentenced for anywhere from 10 months to eight years in jail.
The DOI had implemented Website monitoring and blocking software, but
users were still able to get around it, the OIG said. In a final spot
check of the DOI systems in August, OIG investigators were able to
access both pornographic and gambling sites on three of the
departmentīs four main computer systems, despite the presence of
content filtering and blocking tools.
Online gambling and pornographic sites also are "becoming a frequent
source of infection via drive-by downloads and zero-day exploits,"
observes Richard Stiennon, president of IT-Harvest.
6. Giving out passwords, tokens, or smart cards
The password problem is as old as computers themselves. Despite years
of trying, however, no one has come up with a workable solution.
In a study published just this week by global research firms Nucleus
Research and KnowledgeStorm, companiesī attempts to tighten IT
security by regularly changing and increasing the complexity of
passwords is having no impact on security.
Despite years of IT warnings to the contrary, about one in three
people still write down their computer passwords somewhere near the
machine, either on a piece of paper or in a text file on a PC or
mobile device, the researchers said.
"This is really a lot like Mom and Dad buying a great new security
system for the house, and Junior leaving the combination under the
doormat," said David OīConnell, senior analyst at Nucleus Research,
in a published interview. "Passwords are high maintenance. People
forget them, people lose them, they have to be reset."
Some experts also say that employees can be too trusting of
acquaintances, colleagues, and family members who may "borrow" their
passwords or authentication tokens, exposing them even more broadly
to loss or theft. This is a particular risk among telecommuters or
road warriors who may give out their passwords to help a friend or
relative. "You might trust the employee, but you have to draw the
line at friends and family," says one expert.
The researchers at Nucleus Research and KnowledgeStorm suggested that
enterprises should look to increasingly improving authentication
technologies, such as single sign-on and biometrics, as potential
answers to the age-old problem of password management. Online payment
vendors Pay By Touch and UPEK earlier this month unveiled a finger-
sensor payment service, TrueMe, which lets users access account
information through a biometric fingerprint scanner. (See Power Pay.)
7. Random surfing of unknown, untrusted Websites
Browser-based vulnerabilities are becoming one of the most popular
targets of attackers on the Web. Just ask Microsoft and Mozilla,
which have been busy patching new vulnerabilities the past few
months. If your organization gives users free reign to surf the Web
during or after business hours from the corporate network, beware.
In addition to the well-documented cross-site scripting (XSS)
vulnerabilities floating around, there's also a lot of adware and
spyware. (See Hackers Reveal Vulnerable Websites .) You shouldn't put
it past that 20-something intern to download some free music, for
instance, and inadvertently contract some malware as a result.
Even if your corporate policy restricts Web access, the 20-somethings
may not honor it. "This is something that young employees, bored
security guards, and interns are more likely to do," says the Enderle
Group's Enderle. "It's an attractive nuisance, and one of the reasons
for a proxy server."
Internet Explorer 7.0, which was released by Microsoft yesterday, and
the new upcoming Firefox 2.0 are expected to help browser security --
at least until attackers start cracking them. But that may be wishful
thinking: IE7's first bug was reported just hours after it went live
last night, although Microsoft says the issue is a component in
Outlook Express rather than in IE7.
"Attackers have started to compromise enterprises through the use of
browser-based and other client-side vulnerabilities," says David
Goldsmith, president of Matasano Security. "This also applies to home
users who are becoming increasingly more security-savvy. Hopefully,
the releases of Internet Explorer 7.0 and Firefox 2.0 will make it
even more challenging for attackers to compromise the browser."
So if you're going to restrict Web access, how do you determine what
sites you can trust or not? "If you're really paranoid, surf with
active content disabled, use Opera or Firefox, and run your browser
with very little permission," says Cigital's McGraw.
8. Attaching to an unknown, untrustworthy WiFi network
There's nothing more soothing than a good cup of java (lower-case)
and a free WiFi connection at your local coffee shop. But watch that
guy at the booth next door -- he may be hacking into your laptop over
that very same WiFi link.
Your users are even more at risk if their wireless card uses the
Wireless Access Protocol (WAP), which is notoriously simple to hack.
A hacker can use a sniffer and grab your corporate user name and
password, for instance, or infect you with a worm, says Daniel Peck,
a security researcher with SecureWorks.
Even if they're only sipping coffee and working offline, an attacker
could use your employee's wireless card to access his machine -- and
eventually, your corporate network.
It's tempting for a user on the road to jump on the closest WiFi
connection they pick up while waiting at the airport or some other
public place. "There is no way of ensuring that the networks they
connect to aren't run by a malicious attacker," says Matasano
Security's Goldsmith. "While the unsuspecting user surfs the Web, an
attacker could be using a man-in-the-middle attack to monitor their
traffic -- or even worse, use a client side attack toolkit to
compromise their machine."
A personal firewall can help, says the Enderle Group's Enderle -- as
long as your users keep it turned on, that is.
"Attach away. Just tunnel through with SSH or a VPN client," says
Cigital's McGraw. "Also be aware of low-level attacks, and don't do
anything too sensitive."
But the only way to ensure that your users won't get hacked via WiFi
is to have them disable their wireless card altogether while they
work from public places, says Matasano Security's Ptacek. "The safest
reasonable attitude right now is that even browsing available
wireless networks is risky."
9. Filling out Web scripts, forms, or registration pages
If your users could actually see a hacker looking over their shoulder
as they logged onto a Website or typed sensitive data into a
registration page, maybe then they would think twice. But since
keyloggers and XSS don't have a human face, you'd better hope your
users are hanging out on SSL-secured sites -- and know just what
constitutes sensitive corporate data.
"Most Websites handling sensitive info use SSL to protect the data in
transit -- check for that," says Cigital's McGraw.
Users are more likely to get hacked if they use the same username and
password for most every site they visit -- a habit that puts their
personal data in jeopardy, as well as the company's.
And even a trusted site can have an XSS exploit embedded in it. All
it takes is for a user to read a message on a bulletin board post
that contains malware, and an attacker could gain control of the
user's browser session.
Remote sessions should be encrypted using SSL. But SSL isn't
foolproof -- it has its own litany of problems and weaknesses, such
as its susceptibility to man-in-the-middle attacks and keystroke
loggers. "SSL has had some issues, but it's the best thing out
there," says SecureWorks' Peck.
But the bottom line is that consumers are more likely to enter
sensitive data into Web scripts or registration pages than enterprise
users, says the Enderle Group's Enderle. "Employees seldom have the
opportunity to do this," he says. "Of course, we probably don't know
about it when they do, suggesting this problem could be vastly worse
than it looks."
10. Participating in chat rooms or social networking sites
The very same parents who frantically try to keep their kids off of
MySpace are now flocking to business social networking sites like
LinkedIn, either from home or at the office. They join a colleague's
"network" on LinkedIn, post messages, and maintain their own presence
on the site. That's much safer than MySpace, because it's just like a
professional organization, right?
Wrong. Social networking sites are a social engineer's dream come
true.
"The biggest security challenges businesses face with business social
networking like LinkedIn is the sheer amount of information that a
social engineer can learn by doing simple searches," says Matasano
Security's Goldsmith. "Attackers can find out who your business
partners, vendors, and clients are simply by viewing your shared
connections."
There's simply no way for LinkedIn and other sites to validate a
member's employment record, so an attacker can claim to work at
Matasano and find out which current and past employees are on the
site. "Services like LinkedIn try to guard sensitive employment
information by restricting it to colleagues --- you have to have
worked with Dave Goldsmith before to be able to click on him and see
his work history, or have him come up in a search for 'Matasano,'"
says Matasano's Ptacek. "But anyone can sign up to LinkedIn and claim
to have worked for Matasano."
Users can also inadvertently leak sensitive company data in a message
board post with a buddy, for instance. It may reach eyes for which it
wasn't intended, or they may not realize that chatting about what
they're doing at work today may lead to a corporate data breach.
"It's different than having drinks with a buddy after work," says
SecureWorks' Peck.
Aside from a chatty user, a browser can also be a weak link. "ActiveX
controls and their browser can be used by an attacker to get into the
corporate network," Peck says. "There are a lot of Web app
vulnerabilities we've seen."
Even if you have a "closed circle," that doesn't mean you don't touch
the outside world. Just clicking onto the site of a buddy's buddy can
get you into security trouble. "Every subpage you go to in LinkedIn
or MySpace is like going to a whole different Website," Peck says.
"It's most risky when you're going to the sites of people you don't
know."
Aside from the social engineering threat, there's also the very real
threat of getting infected with XSS, keyloggers, worms, and spyware
(just ask MySpace users). "There's going to be vulnerabilities in the
software," Peck says.
If an enterprise allows access to social networking sites, it must
ensure that users are wary of who they're communicating with and what
type of sensitive information they may be exposing. The bad news is
you may not know until it's too late.
"You should assume that anything you post to a social networking site
is public," says Matasano's Ptacek.
- The Staff of Dark Reading
Copyright Đ 2000-2006 Light Reading Inc. - All rights reserved.
