Wednesday, January 30, 2008 11:30 AM
cmosby
Symantec Security Response Weblog: To Open or Not to Open
Go to any security Web site and its best-practices page will tell you to “never view, open, or execute any email attachment unless the attachment is expected and the purpose of the attachment is known.” But what if it is your job to open attachments?
In this day and age, human resources (HR) managers post job openings online to get the widest possible distribution. Gone are the days of newspaper ads and window postings; managers want to attract as many qualified applicants as possible and Web postings are inexpensive and effective. This may be one reason why HR is a weak link in the security of a company. Many companies prompt applicants to email their resume and cover letter directly to the HR department or a specific manager. I went to a dozen international company sites and found that half of them had the same application process.
To apply for positions on our team, respond by email to jane.doe@xxxxx-jobs.com. Please attach your resume in Microsoft Word (*.doc), Rich Text (*.rtf) or PDF (*.pdf) format and include the name of the position you are applying for in the subject line.
Depending on the size of the company, HR managers receive dozens of applications a day and are expected to filter through them to find the most qualified person for each position. To do that they have to open the resume attachments, and they often do so without taking any precautions. This makes HR a convenient entry point for an attacker who wants access to company servers and sensitive information, since HR usually stores every employee's personal information, including social security numbers and the bank account details used for direct deposit. An attacker can conduct a targeted attack on such a company simply by sending a malicious attachment that, once opened, gives them control of the user's computer. Unlike a random phishing run, the attacker does not have to wonder whether the file will be opened: opening it is the recipient's job.
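The following is an added example, not code from the original post or from Symantec, of the kind of precaution the paragraph says HR usually skips: a screener that runs over every attachment before a person opens it. It accepts only the three formats the sample posting above asks for, checks that the file's content matches the extension it claims, and looks for a small, assumed list of active-content indicators (PDF /JavaScript and /OpenAction, RTF embedded objects, VBA project streams in OLE2 .doc files). The indicator lists and the sample attachments are constructed for illustration.

```python
"""Pre-screen e-mailed resume attachments before an HR user opens them.

Added example, not part of the original post. The indicator lists below are
an assumption for illustration: they catch common cases but are not a
substitute for a sandbox or a real document parser.
"""
import os

ACCEPTED = {".doc", ".rtf", ".pdf"}

# Leading bytes each accepted format is expected to start with.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file header
    ".rtf": b"{\\rtf",                             # RTF header group
    ".pdf": b"%PDF-",                              # PDF header line
}

# Byte sequences whose presence means "do not open this on a workstation".
# OLE2 stream names are stored as UTF-16LE, hence the encode() calls.
RISK_INDICATORS = {
    ".pdf": [b"/JavaScript", b"/OpenAction", b"/Launch", b"/EmbeddedFile"],
    ".rtf": [b"\\object", b"\\objdata"],
    ".doc": ["_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le")],
}


def screen_attachment(filename, data):
    """Return (verdict, findings) for one attachment.

    verdict is "reject" (not an accepted type), "quarantine" (accepted type
    but suspicious) or "pass" (nothing found; still open it in a sandbox).
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ACCEPTED:
        # Catches resume.exe as well as double extensions such as resume.pdf.exe
        return "reject", [f"extension {ext!r} is not an accepted resume format"]

    findings = []
    if not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match the {ext} file signature")
    for marker in RISK_INDICATORS[ext]:
        if marker in data:
            findings.append(f"contains {marker!r}")
    return ("quarantine" if findings else "pass"), findings


# Constructed sample attachments (not real files from the post).
SAMPLES = [
    ("resume.pdf",
     b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"),
    ("resume_js.pdf",
     b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
     b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n"),
    ("resume.rtf",
     b"{\\rtf1\\ansi Jane Doe, Software Engineer\\par}"),
    ("resume_ole.rtf",
     b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}\\par}"),
    ("resume.doc",
     MAGIC[".doc"] + b"\x00" * 16 + b"Jane Doe"),
    ("resume_macro.doc",
     MAGIC[".doc"] + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")),
    ("resume.doc",  # claims to be Word but is a Windows executable
     b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),
    ("resume.pdf.exe",
     b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),
]


def screen_samples(samples=SAMPLES):
    """Screen a list of (filename, bytes) pairs; return the verdicts in order."""
    return [screen_attachment(name, data)[0] for name, data in samples]


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, findings = screen_attachment(name, data)
        print(f"{name:16} {verdict:10} {'; '.join(findings)}")
```

A "pass" verdict means only that the cheap checks found nothing. PDF name objects can be written with hex escapes and both formats can be obfuscated in ways plain substring matching misses, so anything that passes should still be opened in a sandboxed viewer (or converted to plain text or an image) rather than on the HR manager's own workstation.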
The main problem here is that best practices tell people not to open attachments that are not expected. This reminds me of when I was growing up, my parents and teachers told me not to talk to strangers. They described strangers as shadowy, sinister creatures lurking in dark alleys, and told me not to approach them no matter what they offered (I often pictured them looking like Snidely Whiplash). But what about strangers who come to the front door asking for Mr. or Mrs. Low? Are they still strangers if they know my parents’ names? Not all malicious emails come from anonymous addresses sending flashy adverts written in broken English asking for your credit card information. Some appear legitimate and valid, such as a job application sent in response to a Web posting.
One way to close this gap is an online application system in which applicants paste the text of their resume into a Web form. That removes the step of opening a potentially malicious document on an HR workstation (the pasted text is still untrusted input and must be validated and encoded like any other form field, but that is a far smaller attack surface than a document parser). Now, if HR could just automate the hiring process.
Posted by M.K. Low on January 29, 2008 05:00 AM