Security - safe computing

What can do more damage?

Identified exploit found in a system not patched.
Zero day exploit.
Personal information obtained by social engineering.

We’ve all heard the advice: keep your software up-to-date, keep your virus definitions current, patch known vulnerabilities promptly. These strategies are very important and certainly should be followed. While important, they’re also not the silver bullet some folks believe.

Imagine outfitting your home with the latest and greatest locks to ensure no one without a key gains access without an alarm or some other notification. Then, because one of your housemates is highly forgetful, you hide a key under the doormat.

Just how and where would a prospective burglar gain entry? Do you suppose they might use their super high tech lock pick kit? Or might they have cased your home for a week or so and noticed the hidden key being retrieved and immediately replaced? My guess is the latter!

Purchasing a new lock is important, just as keeping up with your computer’s software is. Many hackers today aren’t all that high tech at all. They use social engineering to discover personal information that quite possibly will lead to passwords. Using the cyber attack [data breach first discovered April 2015] on the United States Government’s Office of Personnel Management [OPM] site as an example … the intrusion was caused by compromised credentials according to USA’s story. The payout for the perpetrators was 32 million individuals’ personally identifiable information.

In another “big number” cyber attack, reported by the online publication CIO, the hacker used high tech in the first step of an 11-step process. The first step installed malware that stole credentials. This step was accomplished by infecting an intermediate HVAC company using a phishing campaign, and it resulted in Target’s data breach [70 million customers and 40 million credit cards]. The entire 11-step process is outlined in detail in this link to CIO.

Social engineering is commonplace around the world. Often it involves compromising individuals without their knowledge. Occasionally the deception is a bit more sinister, as in this incident where a fake news website [Newscaster] was established to entice US military and government officials to participate. This was reported by iSIGHT Partners on May 28, 2014.

A story in Computerworld details an attack that used high tech only to gain access, and then used system administration software already installed on internal computers.

Safe computing is greater than technology. Preventing physical access, while probably not overly important to home computers, is one of the first tenets in business computing. “If I can touch it I own it!”

Considering these stories, one might conclude that as an individual there’s really nothing with which to be concerned. Please consider that many hackers don’t wish to use their own computers, or for that matter obtain your personal information, but rather use your computer nefariously to gain access to other computers. Security by obscurity is not something on which to rely.

Read more about safe computing at US-CERT.gov
