Securing Software, Securing People

Believing that security begins and ends with technology is tempting; unfortunately, nothing could be farther from the truth. If security begins and ends with anything (an arguable assumption), then it begins and ends with people. People use (and misuse) the technology. People create (and exploit) vulnerabilities.

One common thread (other than Microsoft) behind the email-based virus and Trojan attacks of the last twenty-four months is the clever social engineering accompanying the code. Using clever subject lines and information from personal address books, the sender encouraged users to open infected email, thereby spreading the virus. The social engineering was sometimes effective, even in cases where the virus was not or where the virus was nonexistent.

As a case in point, consider one of the latest virus "announcements" targeting a Microsoft product. The email announcement warned users of a virus in a file named "jdbgmgr.exe" that would damage a user's system if it were not deleted. The file in question is a component of the Java debugger and is not malicious. Unfortunately, duped individuals deleted the file and forwarded the email to friends and family. Versions of the email have been found translated into English, Spanish, French, Portuguese, and Italian.

If there's a lesson to learn from this, then it's that losing sight of the impact people have on a security solution is unwise. Remember, people behave in ways that few software engineers would ever anticipate.
