Software exploits overrated - it's the humans you need to be watching

Weak passwords and phishing offer far easier mechanisms for breaking into most organizations than exploiting software vulnerabilities. A study by US cybersecurity firm Praetorian based on 100 penetration tests and 450 real-world attacks discovered that stolen credentials offer the best way into enterprise networks. Software …

  1. Anonymous Coward

    Well duh.

    Anti-malware is a multi-billion dollar industry. They didn't get to this point by telling the customers that their software can be circumvented by putting an idiot in front of the keyboard. They lied and told us that our data would be safe as long as we pay the protection money.

    The truth is that humans are fallible and security has to be taught on an individualized level. But since software licenses are far cheaper in the short term, the bean counters made the logical choice for their narrow world view, and so ensues the perpetual cat and mouse game of security.

    1. Anonymous Coward

      Re: Well duh.

      "The truth is that humans are fallible and security has to be taught on an individualized level."

      And the truth to the truth is that some people CAN'T learn, yet you won't figure out who's who until it's already too late.

  2. Pascal Monett

    "Organizations should put controls and processes in place"

    Indeed they should. Most companies of more than 100 employees do, because they have enough money to get an IT department in place that will properly prepare and configure the network to allow for it. Of course, sometimes said big companies will still spectacularly fail (eh, Target ?) and then everybody will point and laugh because everyone knows they had the means, they just didn't put the proper effort into it.

    Nonetheless, most companies are fewer than 50 people, and most of those companies do not have an IT department because there is not enough budget. Or worse, the CEO thinks it's a good idea to appoint a family member as IT manager for various stupid reasons, so an incompetent twat is in charge, backed by the might of family ties.

    Those companies are really at risk, because either the CEO is convinced he knows what to do because he can program an Excel formula, or his nephew knows all because of all those hours on PlayStation instead of getting a degree. Either way, the only thing that actually saves them is their obscurity, until the day it doesn't because some PEBCAK downloaded a Locker and ended up encrypting the company's sole file server (that has no usable backup, because obviously).

    In the end, I think it's just Capitalism at work. The healthiest companies survive, those that cannot identify threats and define mitigations fail. Isn't that what Capitalism is all about ?

    1. Charles 9

      Re: "Organizations should put controls and processes in place"

      "In the end, I think it's just Capitalism at work. The healthiest companies survive, those that cannot identify threats and define mitigations fail. Isn't that what Capitalism is all about ?"

      Trouble is, capitalism doesn't take collateral damage into consideration, and that tends to have very innocent victims.

    2. Tony S

      Re: "Organizations should put controls and processes in place"

      "Most companies of more than 100 employees do, because they have enough money to get an IT department in place that will properly prepare and configure the network to allow for it."

      Unfortunately, in too many cases, said IT team tell them what they need, but are then overruled by the beancounters, or other head honchos.

      It also has to be said that sometimes the IT staff themselves get into bad habits, and can easily do things for speed and keeping the suits off their backs, rather than doing what they know is right.

  3. Anonymous Coward

    What makes it worse

    I recall reading that it was very often management types who are most vulnerable to social engineering, phishing and 419 scams. I have no trouble believing that. It's one of those management geniuses who got us hit with Cryptolocker here. (Fortunately, we had backups.)

    AC for obvious reasons.

    1. Anonymous Coward

      Re: What makes it worse

      Just mail the management team a USB stick "freebie" and you own them.

  4. Dave Wray

    "Software vulnerabilities fail to make it into Praetorian's top five"

    Erm, 2-5 on the top five list ARE software vulnerabilities.... Or at least software/protocol design flaws...

  5. Anonymous Coward

    WPAD is just the best

    WPAD is indeed one of the best recipes...

    Connect to any wi-fi

    Fire up burpsuite, tick 'passthrough on SSL negotiation failure', run on port 8080

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080

    iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8080

    Fire up metasploit auxiliary WPAD module - tell it to serve your IP address as proxy.

    Watch the traffic come rolling in....

    Sniff, inject BEEF hooks, enjoy...
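On the defensive side of the WPAD scenario described above, an added example (not code from the commenter or from The Register): a Python check that scans DNS resolver log lines for WPAD lookups that resolve somewhere other than the sanctioned PAC server, or that use a DNS suffix the organisation does not own (a hint the client picked up its search domain from an untrusted network). The log line format, IP addresses and names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of DNS resolver log lines (not from any real system):
# timestamp, client IP, queried name, and the answer the client received.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01 client=10.0.0.12 query=wpad.corp.example answer=10.0.5.20
2024-05-01T09:00:02 client=10.0.0.13 query=intranet.corp.example answer=10.0.5.30
2024-05-01T09:00:05 client=10.0.0.14 query=wpad.corp.example answer=192.168.1.99
2024-05-01T09:00:07 client=10.0.0.15 query=wpad.lan answer=192.168.1.99
2024-05-01T09:00:09 client=10.0.0.16 query=wpad answer=10.0.5.20
"""

# Constructed log format: four space-separated key=value style fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


def find_suspicious_wpad(log_text, corp_suffix, sanctioned_pac_hosts):
    """Return (ts, client, query, answer, reason) tuples for WPAD lookups that
    either use a name outside the corporate DNS suffix or resolve to a host
    that is not one of the sanctioned PAC servers."""
    sanctioned = {ipaddress.ip_address(h) for h in sanctioned_pac_hosts}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        query = m["query"].lower().rstrip(".")
        if query.split(".")[0] != "wpad":
            continue  # only WPAD auto-discovery lookups are of interest here
        reason = None
        # A bare "wpad" query is the normal suffix-search case; anything
        # fully qualified must sit under the organisation's own suffix.
        if query != "wpad" and not query.endswith("." + corp_suffix):
            reason = "wpad lookup outside corporate suffix"
        elif ipaddress.ip_address(m["answer"]) not in sanctioned:
            reason = "wpad resolved to unsanctioned host"
        if reason:
            findings.append((m["ts"], m["client"], query, m["answer"], reason))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_wpad(SAMPLE_DNS_LOG, "corp.example", ["10.0.5.20"]):
        print(hit)
```

Blocking the WPAD name at the resolver, or serving a sanctioned PAC file for it, leaves clients nothing to discover; this scan is for spotting hosts that answered a rogue one in the meantime.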

  6. Anonymous Coward

    How would you get into an actual LAN rather than a webserver or something?

    Even if you know a user's logon & password, you'd have to be there?

    A normal user would struggle to give away their VPN credentials with token even if they wanted to.
