In my previous two blog posts, I looked at the insights and interesting findings contained within the latest Microsoft Security Intelligence Report. The report is now getting some press in the tech community, and one article in particular caught my attention. An article published by H Security notes, with some surprise, that "users are responsible for nearly half of all infections." This doesn't surprise me at all.
Humans are, by and large, trusting creatures by nature; we crave community, for both protection and intellectual stimulation. This is why social engineering works so well, and it will continue to work until we have learned to be highly suspicious of everything our computers tell us. If a computer pops up a properly worded box warning that it is infected with a virus and offers to run a program to fix it, most of us will run that program. Technology and the Internet reached into all of our lives so rapidly that the trusting nature ingrained within us was unable to adapt quickly enough to the notion that a significant minority of people do not have our best interests at heart and would like to exploit us.
From time to time, TRUE is asked by clients to conduct social engineering exercises against the client's employees. Even in the rare case where a client has already educated its users about phishing attacks, we usually see a 25% success rate. USB drives and CD-Rs left lying around usually get inserted into corporate machines, too. These exercises have great value because users see firsthand how susceptible they are to social engineering attacks, which reinforces that they should think twice before automatically trusting their email or their computers.
I've said it before, and I'll keep saying it: users are the weakest link in security.