The end-user, God bless him, is the most vulnerable spot in a system. Even so, you can't live without him. What would a corporation do without the average Joe to type in numbers and letters of items and values sold or purchased? Probably run out of business.
So an average Joe is necessary. However, network security is necessary as well. But the average Joe doesn't know jack about network security. And he works on computers connected to your local file or mail server, having access to sensitive information which he works with day in, day out.
How does our average Joe do it?
Anyone interested in putting their hands on that information will certainly not start attacking the main servers, since IT specialists do their best in securing them. They will target our friend Joe, making use of his curiosity, arousal or economic state. Securing hundreds of workstations is a pain without a centralised management infrastructure and is likely to be disregarded in small and medium business networks.
And this is the point where problems emerge. Joe delights in opening links and attachments of spam e-mail. If he finds a USB stick lying around, he will certainly take it. Guess where he will use it first? The computer at work. Sometimes Joe also likes to post comments on the most recent photos added by his friends to their albums on Facebook or MySpace. Maybe he likes a small game that much that he will burn it on a CD and bring it to work from home. I bet Joe is not using any security suite at home and is not frequently updating his system.
So Joe, our curious individual, will open that, through mail spreading worm thinking it's another breathtaking power point presentation about cute kittens, sea mammals or friends that love him so much. If the place is not too crowded, he will certainly open links to websites that are supposed to show adult-rated materials about various celebrities. What Joe doesn't know is that the special codec requested by the fake Web player is in fact a Trojan.
If Joe happens to find a USB stick on his way to work or during a coffee break, he will happily use it with the first computer he has access to (obviously the workstation in his office). Let's say Joe is a bank employee. Lets presume the bank wanted a security assessment of its network. The hired company would loose about 20 USB devices around the parking lot of the bank. Out of those 20, 15 get picked up by the bank employees and all of them are plugged into work computers. The devices are prepared beforehand with a Trojan horse that send vital information about the computer and the network back to the assessing company. Based on that info, further penetration of the network was possible and access to sensitive information was granted.
Sign up for Computerworld eNewsletters.