June 07, 2002, 12:00 AM

Believing that security begins and ends with technology is tempting;
unfortunately, nothing could be farther from the truth. If security
begins and ends with anything (an arguable assumption), then it begins
and ends with people. People use (and misuse) the technology. People
create (and exploit) vulnerabilities.

One common thread (other than Microsoft) behind the email-based virus
and Trojan attacks of the last twenty-four months is the clever social
engineering accompanying the code. Using clever subject lines and
information from personal address books, the sender encouraged users to
open infected email, thereby spreading the virus. The social engineering
was sometimes effective, even in cases where the virus was not or where
the virus was nonexistent.

As a case in point, consider one of the latest virus "announcements"
targeting a Microsoft product. The email announcement warned users of a
virus in a file named "jdbgmgr.exe" that would damage a user's system if
it were not deleted. The file in question is a component of the Java
debugger and is not malicious. Unfortunately, duped individuals deleted
the file and forwarded the email to friends and family. Versions of the
email have been found translated into English, Spanish, French,
Portuguese, and Italian.

If there's a lesson to learn from this, then it's that losing sight of
the impact people have on a security solution is unwise. Remember,
people behave in ways that few software engineers would ever anticipate.