A new RFC proposal

Related categories: Column | Security


Article date: 2006-03-28 11:29:41

This document specifies the User Awareness Factor (UAF), a new standard for security measurements. The User Awareness Factor is based on one simple principle, which is believed to hold for an infinite time: most users are lame.

Although no such RFC exists yet, I wish it did. Perhaps more attention would then be directed to this major threat source, which seems to be quietly ignored. We keep creating new protocols, new tools and new security measures while leaving a hole the size of the Vredefort Dome wide open. Worse still, one must be blind not to see that the latest trend amongst 'net criminals is clearly founded on exploiting just this vulnerability. No wonder: there is nothing easier to exploit.

Want some examples? Here we go. Just a couple of weeks ago, a worm infected several company machines because the vendor of the antivirus used on the network had not yet prepared a suitable signature. The worm entered the network via a single mail account and would not have infected the target workstation if not for its user. The worm was contained in a .rar archive, and the user did not have a suitable unpacker available. So... the user forwarded the file to everyone in the company, asking them to open the archive and check what was in it. Well, as you can probably imagine, many of the recipients did just that.

Have you ever noticed that most e-mail worms are not based on exploiting holes in, say, Outlook Express, but target the user instead? They take the sender and recipient addresses from the same address book or domain, and they use persuasive subjects and contents. Well, let's have a look at one of the most successful worms ever, the legendary LoveLetter. Did it exploit a hole? Duh, no. It made the user believe the attachment was interesting enough to open. Millions did.
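Both of the patterns described above (a user forwarding an unopened archive to the whole company, and worms mailing themselves between addresses of the same domain) leave the same trace at the mail gateway: one internal sender pushing one archive attachment to many internal recipients within minutes. The following detection heuristic is an added example, not part of the original column or of any product; the log line format, the `example.com` domain, the thresholds and every log line are constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (constructed for this example): the company's own mail domain
# and the thresholds that count as a suspicious fan-out.
INTERNAL_DOMAIN = "example.com"
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".ace", ".cab")
FANOUT_THRESHOLD = 5            # distinct internal recipients of one archive
WINDOW = timedelta(minutes=10)  # within this time span

# Constructed gateway log lines (not from any real system): one line per
# delivery with timestamp, sender, recipient, attachment name and subject.
SAMPLE_LOG = """\
2006-03-14T09:01:55 from=outside@mail.example.org to=alice@example.com attach=photos.rar subj="look at this"
2006-03-14T09:02:11 from=alice@example.com to=bob@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:02:11 from=alice@example.com to=carol@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:02:12 from=alice@example.com to=dave@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:02:12 from=alice@example.com to=erin@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:02:13 from=alice@example.com to=frank@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:02:13 from=alice@example.com to=grace@example.com attach=photos.rar subj="FW: can you open this?"
2006-03-14T09:30:00 from=bob@example.com to=carol@example.com attach=report.pdf subj="Q1 figures"
2006-03-14T10:00:00 from=carol@example.com to=dave@example.com attach=build.zip subj="nightly build"
2006-03-14T16:00:00 from=carol@example.com to=erin@example.com attach=build.zip subj="nightly build"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'attach=(?P<attach>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def find_fanout(records):
    """Return [(sender, attachment, n_recipients)] for every internal sender
    that delivered one archive to >= FANOUT_THRESHOLD distinct internal
    recipients inside a WINDOW-long span."""
    by_key = defaultdict(list)
    for r in records:
        # Only internal-to-internal deliveries of archive attachments matter here;
        # the initial inbound copy from outside is left to the perimeter filters.
        if not (is_internal(r["from"]) and is_internal(r["to"])):
            continue
        if not r["attach"].lower().endswith(ARCHIVE_EXT):
            continue
        by_key[(r["from"], r["attach"].lower())].append(r)

    hits = []
    for (sender, attach), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, 0
        # Sliding window over the time-ordered deliveries of this (sender, archive).
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            distinct = {r["to"] for r in recs[start:end + 1]}
            best = max(best, len(distinct))
        if best >= FANOUT_THRESHOLD:
            hits.append((sender, attach, best))
    return hits


if __name__ == "__main__":
    for sender, attach, n in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"fan-out: {sender} sent {attach} to {n} internal recipients")
```

On the sample above only Alice's forwarding of `photos.rar` is reported: Carol's two `build.zip` deliveries are hours apart and below the threshold, and Bob's PDF is not an archive. The point of the heuristic is that it keys on user behaviour, not on a signature, so it fires even while the antivirus vendor is still preparing one.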

Another example. What are attacks such as phishing or pharming based on? Mostly on user gullibility. Do trojans use vulnerabilities? No, they impersonate known applications. Does spyware use security holes to spread? No, it relies on the fact that most users seem to enjoy visiting pr0n sites.

If a stranger walks up to you on the street and hands you a cup of coffee, do you drink it? If someone calls you on the phone and tells you that you've just won a million bucks, but they need to charge your credit card 99 cents in processing charges, do you blindly believe them and give them your credit card number? If someone knocks on the door, covering up the peephole, and tells you they're the elderly lady from downstairs who needs your help because a fire has started in her apartment, do you run out of the door leaving it wide open? Then why do you open an unknown attachment? What's the difference? I see none.

The key to security lies, in my opinion, not in the computer but in our own brain. This will probably be taken as bragging, but in all the twenty years of using computers every day, and over fifteen years of being connected to various networks (first the BBSes, then FidoNet, then the Internet), I have never yet had a virus infect my computer. Never. And I still use no antivirus, no firewall and no anti-spyware tools on my workstation. What's the secret? The secret is in awareness. In avoiding the most popular applications. In thinking before I click. And you know what? It works!

So stop spending all your time on implementing technical security measures in your networks. Start allocating a major part of your time to educating your users instead. It's more efficient. The security measures will sooner or later be broken. User awareness, once implemented, stays. For good.

Copyright © 2006 by Software Developer's Journal. All rights reserved.