In a test to evaluate how easy it would be for hackers to social-engineer employees and gain access to computer systems, the Department of Homeland Security found the human factor to be the weakest link in cybersecurity, Bloomberg reports.
DHS staff secretly dropped computer discs and USB drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into work computers to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.
While costly firewalls often succeed in blocking viruses and other malware, Rasch said human error can quickly nullify those efforts.
“Rule No. 1 is, don’t open suspicious links,” he said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”
Methods such as spear phishing rely on human weaknesses like trust, laziness or even hubris. In the RSA hack earlier this spring, hackers sent employees phishing emails with attached Excel spreadsheets titled “2011 Recruitment Plan.” The file contained malware that exploited a zero-day flaw in Adobe’s Flash software to install a backdoor that gave hackers an entry point to sensitive information.
Rasch said spear phishing is evolving into what he calls whale phishing: targeting senior-level executives whose computers may have access to far more sensitive information than those of rank-and-file workers.
Hackers often target technology executives because they have access to large amounts of information and they tend to believe they are better protected from hackers than their staff, Rasch said.
A full report on the DHS study will be published this year, said Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center.