In-Depth

In Brief

Human error and security; AOL's two-factor authentication; September viruses

• By Mathew Schwartz
• 10/13/2004

Dealing with Human Error, Root of Security Breaches

When organizations secure their networks, they might think about spending on another kind of security: training. According to information security training company New Horizons Computer Learning Centers, 80 percent of identified information security breaches are due to human error.

Human error, in the information security realm, often manifests financially. For example, with MyDoom causing a reported $22.6 billion in damages just in its first 72 hours, how much of that could have been saved if companies had more thorough antivirus procedures in place?

“The single biggest weakness in the nation’s critical infrastructure is people,” notes Martin Bean, chief operating officer of New Horizons. The solution, he says, to many security issues is simply “the training and re-training of every person in an organization that touches a computer,” Bean says.

According to a Computing Technology Industry Association (CompTIA) conducted this year, training just one in four IT employees can reduce an organization’s chance of a security breach by 20 percent.

The government already started down the training path in late 2002 when Congress passed the Federal Information Security Management Act (FISMA), which mandates security training for “all full time and part time military, civilian, contractors and foreign nationals with access to networks,” says Bean. The specific amounts of training are tailored to the risk level of a person’s job.

Yet roughly 85 percent of the nation’s critical Internet infrastructure is privately owned.

“IT security threats that were once infrequent occurrences now happen on a daily basis; and the potential for damage caused by these threats is magnified as never before,” says Brian McCarthy, CompTIA’s chief operating officer. “That is why more organizations are investing increasing amounts of their budget in IT security generally, and training and certification specifically.”

Many organizations are discovering investments in technology don’t necessarily translate to immediate reductions in vulnerability levels or breaches. “In the past, IT security was thought of in terms of securing hardware and software, but now the focus must be on training people to stop breaches before they happen,” says Bean.

Related Article

Human Error Tops List of Vulnerabilities
http://esj.com/news/article.aspx?EditorialsID=920

- - -

Watching AOL’s Two-Factor Authentication Rollout

AOL and RSA have teamed up to offer AOL’s customers two-factor authentication. Dubbed AOL PassCode, the RSA SecurID token generates a unique, six-digit number, which changes every 60 seconds. The service is part of AOL’s Premium Services, available for a flat fee, plus a monthly maintenance fee that varies depending upon the number of AOL screen names PassCode will protect.

Will consumers bite? Even a small fraction of AOL's 23 million customers represents a marked increase in two-factor use by consumers. In addition, experts say consumers and ISPs alike worry attackers may escalate from phishing and identity theft to stealing consumers’ online accounts and e-mail addresses.

Gartner Research analyst Avivah Litan recommends businesses with consumer-security-related concerns, such as banks and e-commerce companies, “keep a close eye on AOL's implementation, which should prove that as many as 20 percent of consumers are predisposed to pay for added security.” He also recommends such organizations quickly move to offer their own such service.

- - -

Charting Top September Viruses

Kaspersky Labs says September virus activity strongly paralleled that of August. NetSky variants led overall numbers of infections, and Bagle and Mydoom continued to infect PCs via new variants. Thankfully, no malware to exploit the JPEG vulnerability in Windows appeared, “despite dire predictions by some analysts that an outbreak was inevitable,” says the firm.

New attack methods, however, are emerging. During the summer of 2004, attackers often used Web sites to store malicious code, then attempted to lure users there to initiative a drive-by download. Last month, however, saw the rise of a new trend: “using spammer techniques to mass-mail malicious programs,” says Kaspersky. Instead of luring users to a site, why not just send the attack code directly?

One such attack, TrojanDownloader.JS.Gen—“a catch-all name for a huge number of Trojans written in JavaScript”—also broke into the September top 10. “We group them together because they all have only one function—to download other malware from the Internet,” notes Kaspersky.