http://online.wsj.com/article/SB10001424053111904836104576556421692299218.html

SEPTEMBER 26, 2011

What's a Company's Biggest Security Risk? You.

Employees don't mean to be the primary entry point for hackers. But they are.

By GEOFFREY A. FOWLER

We are the weakest link.

Hacking attacks against companies are growing bigger and bolder--witness a string of high-profile breaches this year at Sony Corp., Citigroup Inc. and others. But gone are the days when hackers would simply find holes in corporate networks to steal valuable data. Large companies have grown wise to the threat of hacking, and have spent the past 30 years hardening the perimeters of their networks with upgraded technology.

These days, criminals aren't just hacking networks. They're hacking us, the employees.

"The security gap is end users," says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees.

Consider what happened in March at EMC Corp.'s RSA security unit, the maker of computer login devices used by thousands of other companies. A hacker sent emails to two small groups of employees that looked innocent enough, including a spreadsheet titled "2011 Recruitment plan." The message was so convincing that one employee retrieved it from the "junk mail" folder and then opened the attachment. Doing so introduced a virus inside RSA's network that eventually gave the hacker access to sensitive company data and enabled later attacks against RSA's customers.

Employees have more opportunities than ever to compromise company information. We not only screw up by clicking on emails from hackers that download viruses, letting them bypass corporate firewalls. We also open a Pandora's Box of security problems by circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.

Closing these holes is proving very difficult, security experts say. But companies keep fighting. To stop potentially dangerous employee habits, they're testing new tools to keep track of what's happening on their networks and rolling out employee education programs.

Here's a look at what employees are doing wrong and how companies are trying to fight our bad habits.

We Help Hackers Target Us

Spies, fraudsters and confidence men have long engaged in what's called social engineering to manipulate people into divulging confidential information, often after completing thorough reconnaissance on their victims. Now those tricks have been adapted for the Internet era.

Today, we make ourselves easy targets by posting troves of information about ourselves and our jobs online, say security experts. Blogs and professional networks such as LinkedIn are particularly useful sources for criminals, since many people share details about their roles at work, which can be used to help determine corporate hierarchies, among other things. That makes it easy for a hacker to whip up, for example, a message that is purportedly from the target's boss.

With LinkedIn profile information in hand, hackers "craft cunningly believable emails that users will have a high probability of clicking on," says Dave Jevans, chairman of security company IronKey Inc.

Hackers include dangerous traps in these targeted emails, such as links leading to malware or a Web page designed to dupe the employee into entering passwords. In the RSA attack, the emails included an attachment that took advantage of a previously unknown chink in Adobe Flash software to inject a virus into the company's systems.

These attacks are a more precise version of the practice known as phishing, those often oddly worded emails that purport to be from a bank or the IRS that we have learned to ignore. This new generation of emails, called spear phishing, are harder to spot: They not only lack telltale errors like typos, but often also include the names of colleagues and company-specific lingo, and they may be sent from colleagues' email accounts without their knowledge.

The risk of spear-phishing attacks grew considerably this spring, after a massive breach at Alliance Data Systems Corp.'s Epsilon Data Management unit, which manages online marketing for a slew of major retailers, hotels and banks. The breach exposed email addresses for customers at about 2% of the companies that were Epsilon clients, putting those customers at risk of receiving spear-phishing emails that look convincing because they appear to come from their own bank or favorite shop.

Even the savviest companies fall victim. The loosely organized hacker group Anonymous broke into security firm HBGary Inc. earlier this year, in part thanks to emails it sent to a Gary executive from a colleague's stolen email account, cleverly asking for usernames and passwords.

In a recent test, KnowBe4, a firm that provides security-awareness training, set out to find what percentage of a group of companies would be susceptible to phishing attacks. It sent phishing emails to employees at 81 companies from a reputable and trusted server; 43% of them had one or more employee click on the link in the emails. In a second test, using unknown and untrusted servers that were filtered out by many corporate email systems, still at least one person in 15% of the companies clicked on the emails.

"While this might only be one person out of a thousand, from the point of malware, all it takes is one person to fall for the trick and the damage is done," says Daimon Geopfert, the leader of the security consulting practice at RSM McGladrey Inc.

We Try to Outsmart Tech Support

As we become more adept with personal technology, our expectations for how we can use it at work have multiplied. But some steps we take to be more productive, such as setting up a team account on a cloud storage service, or bringing a personal tablet into the office, can inadvertently open holes in corporate defenses.

In particular, hackers looking for corporate data are targeting personal email. Some employees prefer the ease and features of private email accounts such as Gmail and Yahoo Mail, so they forward some work email to them--or even have all their work email automatically forwarded. That's a bad idea: Many personal email services do not offer the same sort of protection against malware and phishing that employees get at work.

In 2009, Twitter Inc. had hundreds of pages of confidential plans exposed after a hacker accessed the Gmail account of an employee by resetting the employee's password.

In June of this year, Google Inc. shut down a phishing attack that targeted the personal Gmail accounts of what it described as "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists." Had those officials been using their official, secure email accounts for communications, they might have been at less risk, say security experts.

A Google spokesman says the company's systems "take advantage of the cloud to help us detect patterns of abuse more effectively and protect our users' information."

Companies frequently face data breaches when employees lose laptops and disks, but sharing and storing company documents on third-party cloud services carry their own risks, including phishing attacks. Moreover, sometimes those services themselves drop the ball. In June, a programming error at Internet-based storage firm Dropbox Inc. temporarily allowed any password to be used to access any user account on its website, though Dropbox says fewer than 100 accounts were affected.

The proliferation of social-media services, too, has the potential to amplify our bad decisions. In May, a Hewlett-Packard Co. executive accidentally exposed the company's cloud-computing strategic plans on LinkedIn by updating his profile with details about what the company was building. Bloggers (and likely competitors) noticed it before the employee had a chance to pull it back.

Rogue employees could do even more damage, says Clara Shih, the founder of Hearsay Social Inc., which makes software to help companies set policies for the use of social media by employees and track that use. "Companies are wising up to the fact that, left unchecked, social media's inherently decentralized nature poses a threat to everything from leaking announcements and trade secrets to brand and regulatory violations," she says.

The rise of consumer gadgets such as smartphones and tablets also carries the risk of introducing unknown security holes inside corporate networks. Top-level executives are among the most guilty of leaping on the latest gadget, says Chris McKie, the director of analyst and public relations at security firm Watchguard Technologies Inc. "How do you ensure that whatever device coming in isn't already infected or isn't going to expose other resources?" he says.

Human Solutions

Security problems that originate with humans don't have easy technical solutions.

As older systems that are focused on firewalls fail, corporate IT "needs a new defense doctrine," says RSA's head of identity protection, Uri Rivner. "You need to have security cover inside your organization, rather than your perimeter. You need to understand what your users are doing, and then spot any type of suspicious activity inside."

After the spear-phishing attack at RSA this spring, his firm finalized existing plans to purchase a firm called Netwitness that monitors network traffic to look for suspicious patterns. Others have invested in technology that tries to segregate employee-generated network activity (such as that from a personal iPad) into a separate network, so that employees are less likely to inadvertently introduce viruses into mission-critical systems. And Dropbox says it is trying to work with corporate security departments to develop better controls and visibility into how people use its services for work.

None of these solutions can replace employee vigilance about the ways fraudsters might try to social engineer us, say security experts. Some firms send employees regular reminder emails about best practices, such as never emailing a company username and password--even if the request appears to come from a superior or somebody in the IT department.

Others run regular spear-phishing attacks against their own employees to teach them to be more aware. Former hacker Kevin Mitnick has built a new career out of offering training on social engineering and hacking techniques, and running test attacks on companies to help executives and employees understand how vulnerable they are. "There is always a way to manipulate somebody by changing their perception of what is reality," says Mr. Mitnick.

At a recent lecture for a financial-services company, Mr. Mitnick detailed how he convinced many of the company's employees to open up an email attachment sent from outside of the company by appealing to their desire to be helpful to an employee at another office.

"Some people were ducking their head and saying 'That was me,' " says the company's chief security officer, who declined to be named. "It was not just somebody talking about something that was not applicable to them. It was something they could really sink their teeth into."

Mr. Fowler is a senior special writer in The Wall Street Journal's San Francisco bureau. He can be reached at geoffrey.fowler@wsj.com.