Social engineering, not simply technology flaws, drives the success of current-generation Internet worms. The social engineering aspect of being directed to a website or link by a friend is generating millions in profits for cyber criminals. Our traditional defensive technologies are simply overwhelmed. The AV signature updates required annually to defend against known bad malware in the wild have grown from under 200,000 to over a million in the recent past - it’s no wonder AV vendors are struggling to keep up. Clearly it is time to rethink our security defenses.
I have always been amazed at how we seem to automatically become more cautious when dealing with a person we do not know but repeatedly drop our guard when being told “what to do” by a “machine” on a “website” we do not know.
The training we have historically given our users - do not open an email or click on a URL from a person you do not know - perhaps needs to be augmented today to include “Even if you do know them, do not click or open it unless you were explicitly expecting to receive it”.
Social engineering is the hacking of a normal human process, and we regularly are sent messages containing URLs by our friends; it is this normal practice that cyber criminals are taking advantage of. This is what made email-based viruses so successful in their day - the email is from a friend, so it must be safe. Now the use of social networks and their messaging components takes advantage of the very same and very “human” weakness, perhaps aided by the fact that on social websites the users literally handpicked the “friends” that can communicate with them in the first place.
Users fear becoming cynical, but a degree of cynicism has become a necessary layer of defense on today’s Internet.
Looking at our current defenses:
- Antivirus has become almost useless as a defense in an age where runtime packing, polymorphism and junk code injection easily allow malware to hide its true intentions.
- Simply put, cyber criminals understand that the majority of our popular defenses rely upon the creation of a signature for a given piece of malware in order to afford a defense - so they simply automatically alter a few bytes in the malicious payload and voilà - no more defense.
- Our traditional “blacklist” approach of allowing all traffic to flow freely and attempting to block all the bad with a signature was effective in the early days of the Internet, but has been overwhelmed and is effectively obsolete today.
In the early days of the Internet, a “whitelist” approach of only allowing what was explicitly known to be good and denying everything else by default was dismissed, as it very often broke things and was considered administratively burdensome. It was easier to classify the smaller number of “known bad” packets we received. Because of the explosive growth in the use of obfuscation today, the sheer amount of “bad” has clearly tipped the scales, easily outnumbers the amount of “good”, and requires a different approach - perhaps it is time to revisit the “whitelist” methodology.
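The two models above can be contrasted in a few lines. The following is an added illustration, not code from the original post: a blacklist that allows everything unless a known-bad byte signature matches, beside an allowlist that denies everything unless the file's SHA-256 hash is on a known-good list. All payloads and signatures are constructed placeholder byte strings, not real malware. It also shows the administrative cost the text mentions: a legitimately updated tool is denied by the allowlist until its new hash is approved.

```python
import hashlib

# Constructed sample inputs (placeholder bytes, not real malware or real tools).
KNOWN_BAD_SIGNATURE = b"EVILPAYLOAD"
KNOWN_BAD_PAYLOAD = b"header" + KNOWN_BAD_SIGNATURE + b"trailer"
# Same payload with two bytes altered: the kind of trivial change that
# defeats a byte-signature match.
MUTATED_PAYLOAD = b"header" + b"EVxLPAYLOAx" + b"trailer"
TRUSTED_TOOL = b"legitimate tool bytes v1"
# A patched version of the trusted tool whose hash nobody has approved yet.
UPDATED_TOOL = b"legitimate tool bytes v2"


def sha256_hex(data: bytes) -> str:
    """Hash used as the allowlist identity of a file."""
    return hashlib.sha256(data).hexdigest()


# --- Blacklist model: allow by default, deny only on a known-bad signature ---
BLACKLIST_SIGNATURES = {KNOWN_BAD_SIGNATURE}


def blacklist_allows(payload: bytes) -> bool:
    """True unless some known-bad byte pattern appears in the payload."""
    return not any(sig in payload for sig in BLACKLIST_SIGNATURES)


# --- Allowlist model: deny by default, allow only known-good hashes ---
ALLOWLIST_HASHES = {sha256_hex(TRUSTED_TOOL)}


def allowlist_allows(payload: bytes) -> bool:
    """True only if the payload's hash is explicitly approved."""
    return sha256_hex(payload) in ALLOWLIST_HASHES


def verdicts(payload: bytes) -> dict:
    """Both models' decisions for one payload, for side-by-side comparison."""
    return {
        "blacklist": "allow" if blacklist_allows(payload) else "deny",
        "allowlist": "allow" if allowlist_allows(payload) else "deny",
    }


if __name__ == "__main__":
    for name, data in [
        ("known bad", KNOWN_BAD_PAYLOAD),
        ("mutated bad", MUTATED_PAYLOAD),
        ("trusted tool", TRUSTED_TOOL),
        ("updated tool", UPDATED_TOOL),
    ]:
        print(f"{name:13s} {verdicts(data)}")
```

The mutated payload slips past the blacklist while the allowlist still denies it, because the allowlist never needed to know the malware existed; the price is that the updated tool is also denied until an administrator adds its hash, which is the "breaks things" burden the text describes.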

[...] as is training your folks to treat all such devices with a modicum of suspicion; having a way to prevent malware from running on your systems is good, as is learning to be wary of unexpected links and such; and having a way to [...]