Employees, Not Hackers, Are The Biggest Threat to Security

The Department of Homeland Security will release a new guidance document today intended to make the software that runs the Web less susceptible to malicious hacks.

DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers. These are often common software errors that can lead to “zero day” exploits.

According to the Times, the number one error on the list is a programming mistake that can leave a server vulnerable to SQL-injection attacks like those LulzSec and Anonymous have used to access supposedly secure information.

The guidance framework will include “vignettes” for various industry verticals, like banking and manufacturing, and will highlight which vulnerabilities are most frequent in the types of software each one uses.

Not Always A Tech Issue

While groups like Anonymous and LulzSec (which reportedly is disbanding) use sophisticated hacking methods (like SQL injection), the greatest threat to security within the government and large corporations does not come from programming vulnerabilities.

It is their employees.

Bloomberg published an in-depth article on June 27 titled “Human Errors, Idiocy Fuel Hacking.” That may seem like an outrageous accusation, but remember that one of the biggest security leaks in recent history – WikiLeaks – was the result of one person with physical storage (a CD) and access to confidential files. All Bradley Manning allegedly needed to do was put the disc into a computer and start downloading.

Bloomberg reports that DHS staff secretly dropped CDs and USB drives into the parking lot of government buildings to see if they were picked up and put into a computer. The ones that were picked up were plugged in 60% of the time and ones with official logos 90% of the time.

It is one thing for an average citizen to pick up a USB drive marked “DHS” and put it into a computer but another entirely for government workers supposedly trained on security risks to do so. It is reminiscent of the movie “Burn After Reading” where Brad Pitt finds a CD filled with another character’s bank records and thinks it is top-secret information.

Bloomberg also notes that social engineering attacks are growing more sophisticated and are on the rise. According to security company Symantec’s State of Spam and Phishing monthly report, phishing attempts rose 6.7% between June 2010 and May 2011. Phishing has become more targeted with “spear phishing” aimed at specific groups of individuals and “whale phishing” aimed at C-level executives.

“Rule No. 1 is, don’t open suspicious links,” Mark Rasch of Computer Sciences Corporation told Bloomberg. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

Once a phishing target clicks on a malicious link, it is likely that one of the top 25 software errors listed in the DHS guidance is being exploited. When it comes to security, the fact of the matter is that an organization’s own people are the biggest threat, not some esoteric group of hackers living in the Internet ether.

Correction: The original version of this post referred to the Wikileaks suspect as Ryan Manning. The post has been updated to reflect his actual name, Bradley Manning. 6/28/11 – 9:40 a.m. EST.
