For all the complexity of security, the most common security dangers are downright mundane. They're not due to the arcane arts of the most skilled hackers or some cunning exploit; they're out there in plain sight.
"A successful attack depends on a combination of four things that don't have a lot to do with the attacker," says Forrester Research analyst Paul Stamp. "It's usually something like social engineering, a breakdown in process or the absence of process. It could have something to do with a simple technical vulnerability or insider abuse. But it's usually a combination of two or more of those four factors."
The thing that should send chills up the spine of anyone who manages a network open to the Internet -- which is to say, virtually every network -- is that all of these vulnerabilities can be easily caught and fixed. Precisely because they are so common, so obvious, or at least so mundane, they are often the last place anyone looks for danger.
Social Engineering: It's humbling to remember that superstar hacker Kevin Mitnick wasn't much of a code warrior. However, he was a first-rate social engineer who raised the "Hi, how are you, what's your password?" approach to network delinquency to the level of a black art.
With the constant warnings about protecting passwords and not opening unsolicited attachments, you'd think that network users would be wise to what is, after all, the oldest trick in the hacker's book. But they aren't. Stamp says, "You'd be surprised how often social engineering succeeds."
Just this summer, the British Ministry of Defence -- an organization that, of all others, ought to be wise to this -- was subjected to a targeted Trojan attack. "People were sent CDs with marketing material," Stamp says. "In fact, it installed a targeted Trojan that collected confidential information."
The bottom line is that even smart people can be sucked in by social engineering. The first step toward protection, Stamp says, is as basic as education. "It truly is a boring recommendation, but we have to educate users and back that up with action," he says. "The time has passed for us to tolerate fools. We have to be serious about this and take disciplinary action against people who don't do what they're supposed to do. The stakes are too high."