Social engineering: the art of persuasion
GCN's network held up just fine during the early hours of the Goner worm's December onslaught. Although antivirus vendors had not yet updated their signature files, the firewall did its job of stripping executable attachments and other files with troublesome extensions from incoming e-mail.
Then someone opened an e-mail message through a personal Web account.
Our e-mail servers were down for more than a day to be scrubbed and disinfected. When it was over, the network administrator issued a stern warning that anyone using a Web e-mail account in the future would have Internet access withdrawn.
Hypertext Transfer Protocol traffic bypassing a firewall leaves a serious hole in network defenses, one that can't be closed without user cooperation. Technology alone cannot do the job.
Gateway products from companies such as eSoft Inc. of Broomfield, Colo., and Clearswift Corp. of Waltham, Mass., can look at HTTP traffic and block malicious code, but they must filter virtually all Web traffic. That's a lot of packets.
'There are performance considerations,' which means many administrators simply turn off the filtering, said Chris Wraight, technical director of Sophos Anti-Virus Inc. of Wakefield, Mass.
Another problem is encrypted traffic. If a session between a Web server and browser is protected by Secure HTTP or Secure Sockets Layer, the gateway scanner can't do its job.
Firewalls, filters and updated antivirus software are all important to a layered defense, but don't forget what the bad guys call social engineering: conning someone into giving out information that permits inappropriate access.
To the good guys, social engineering means convincing users to be more careful.
The simplest move, the one GCN took, is prohibiting use of Web e-mail accounts or Web access to outside accounts. Blocking the offending sites with a filter can enforce this. If such a blanket prohibition is too severe, workers need to be convinced to use common sense: Don't open e-mail from strangers.
'Even if it's from a friend, scrutinize it,' Wraight said. 'Let it set for a while.' If it contains a new virus, the wait will give antivirus vendors a chance to act.
If there is still doubt, 'pick up the phone and ask your friend,' Wraight said.