The Dark Side of the Moon
03/09/2007, written by tripwire
The latest reports indicate that in the first half of 2007 spam reached 59% of all monitored email traffic, a substantial increase compared to the 54% of Q4 2006.
A worrying 0.68% of these emails carried a security-threatening payload, in the form of a malicious attachment, which corresponds to one malware-based attack every 140 spam messages sent.
For a few years now, crackers and criminal organizations operating in the digital domain have been using a mix of social engineering and software exploitation techniques.
This mix has become more and more effective, aggressive and dangerous over time, and very lucrative too, so that we now see a flourishing global market of pre-made malware and crime-dedicated tools, growing stronger every day.
Sending malicious attachments by email is by far the most common vector of infection, since it is quite easy to exploit the weaknesses of the most widespread email clients, and also because end users are not cooperating, seeming incapable of preventing and managing these kinds of attacks.
In recent months, statistics have shown the growing diffusion of modified PDF attachments used as a vector to execute and deploy trojan horses. These attacks were quite successful overall, due to the overlapping and reinforcing effects of several causes:
– Acrobat Reader is typically considered a harmless and necessary application, therefore it is allowed by default even on corporate PCs
– Acrobat Reader is exploited by taking advantage of vulnerabilities which are usually 0-day, undisclosed, or unpatched by the vendor
– users “believe” in PDF files, and are so used to receiving them from trustworthy sources all the time, that they easily fall victim to the “PDF = good, official stuff” impression
– a PDF-based attack can also exploit users on a semantic level, and can reinforce a social-engineering-based scam, because of the trust that people have in PDFs, especially when they look official (well-written, professional-looking documents discussing serious or interesting topics)
Protection against this kind of attack can be obtained and enforced only if, or better when, end users become part of the security chain, actively cooperating in all the countermeasures, from prevention to reaction. The only way to achieve this goal is to make them responsible in some way if something bad happens, or could have happened, because of their wrong behaviour.
If we want to raise the security bar substantially, we must go beyond the obsolete idea that end users are dumb, helpless, passive members of their organizations. As every car driver knows, you do not need to be a mechanic to drive safely: by respecting some basic rules which save money, lives and trouble, everyone behaves in a safer way, in his or her own interest.
So it is necessary to transfer some costs and responsibilities of the security process towards the end user, by introducing proper regulations and sanctions, and by reinforcing their personal interest in the secure flow of operations, at every level. ICT security will never achieve better security than we already have if we do not actively involve end users in the loop. Problems arise not because of a lack of awareness and education, but because of a lack of involvement and responsibility.
It is a huge, delicate, hot topic, which will be debated for years, so we can only bring it to your attention for further discussion: but denying it would be like denying the existence of the dark side of the moon.