Sophos: The Biggest Security Risk Is You

Spam, malware, phishing and clickjacking are all high on the security agenda, but the main cause of security breaches is still human error, says Sophos’s Graham Cluley

This week, Sophos published its mid-year 2010 Security Threat Report, detailing trends and developments in IT security for the first half of 2010. The headlines focused on what the survey revealed about people’s attitudes towards cyber warfare, or “state-sponsored cyber crime”, as Cluley describes it.

In Sophos’s survey of 1077 computer users, 63 percent said they thought it was acceptable for their country to spy on other nations by hacking or installing malware. Nearly a quarter said this was acceptable even in peace time.

“In a way I can kind of understand that, because there’s always been one rule for your country and another rule for your citizens,” said senior technology consultant at Sophos, Graham Cluley. “There’s obviously horrible things that happen in the name of a country that aren’t allowed on an individual level.”

Cyber Warfare

But it goes one stage further when you begin to ask whether it is all right to launch attacks against communication systems and financial systems, said Cluley. “We still found an astonishing percentage of people who said, well that’s all right during peace time as well. You can imagine the chaos that would ensue if there were organised denial of service attacks on a regular basis, purely to give your country an economic advantage.”

One of the biggest problems, according to Cluley, is the lack of any sort of international agreement on the rules of cyber warfare. In June it was reported that General Keith Alexander, head of the US Cyber Command, had called for the establishment of clear rules of engagement for cyberspace, as the country dealt with the prospect of “remote sabotage”. However, as yet, no such rules have been drawn up.

According to Cluley, it is often difficult to prove that a cyber attack is state-endorsed, as opposed to activists or politically-minded people taking a pot shot for their own reasons. “It’s possible to disguise an attack, to for instance make it look as though it’s come from China, and in fact it came from Belgium,” he said.

Another interesting aspect of the Sophos report was the suggestion that more and more people are being lured into the world of crime, and programmers who cannot find jobs in legitimate software houses are more easily recruited by criminal gangs. Cluley explains that people with technological expertise are increasingly in demand in criminal circles.

Organised Crime

“I think we are seeing more evidence of organised criminals getting onto the Internet crime bandwagon, without necessarily doing the coding themselves,” he said. “They are looking for other people to do the technological bit. It’s a bit like when you used to rob banks, you wouldn’t necessarily be the person who drove the car. You’d get someone who’s really quick at driving cars to do the getaway. You bring in the specialists.”

The economic recession has seen lots of technically-skilled people being laid off, and those who still have jobs are not necessarily getting the same kind of rewards as those in Silicon Valley. “There may be chips on some of those guys’ shoulders,” suggested Cluley. “As more people are struggling financially, the temptation to go down the cyber crime route becomes even greater.”

However, Cluley stressed that it is important not to scare people about this. “If you’re sensible about computers and the information you share on social networks and which programmes you use, you can manage this threat,” he said.