IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Tue, 1st Dec 2009

Users are the weakest point in your security network.

In an increasingly connected digital world, network security has had to evolve as the nature of threats has changed. The old hard exterior/soft interior model has long been outmoded and vendors now provide layered security solutions in the enterprise, integrating right down to the desktop level.

These layered solutions guard against, as well as respond to, automated hacking, viruses, malware, phishing – you name it. Yet with all the ‘intelligent’ network security being deployed these days, I can't help but feel some organisations are overlooking one important resource that complements this investment – their staff.

In 2003, I remember keenly awaiting Kevin Mitnick's book The Art of Deception. Here was the most high-profile and controversial hacker of my generation publishing a book detailing how he'd done it. (Although Mitnick's book was presented as fiction, it discussed methods uncannily similar to those he was accused of using during his trial.)

So what was his secret? How had he come to be regarded as a genius who hacked his way into the history books? Simple: he'd realised that the human element will always be a vulnerable point and taken full advantage of it – it's called social engineering.

Recently, four of our users had their Gmail accounts compromised; it was a simple case of phishing. It occurred at home and someone else was using their Gmail accounts to send the same phishing message to their friends – nice. Playing devil's advocate, let's say this was a targeted attack and the attacker had done a little homework. Using the compromised Gmail account, the attacker could contact the email administrator requesting a password reset (why wouldn't they use their Gmail account – they can't use their work account). The email administrator resets their password and emails it to the Gmail account. Bingo, the hackers are in! What if that organisation used the same password directory for VPN access and the targeted user had authority to modify the payroll system, and also had authority to transmit electronic payments… you get the idea.

Resisting the urge to argue the technicalities of this scenario, the point I'm making is that the above did not need to occur on an organisation's computers or network. It negated the protection of any network security countermeasures until too late, and once compromised there would have been no suspicious activity to detect, as it would have looked legitimate. It was social engineering; people were the weak point. Your only real defence is to make your staff more aware of network security.

The key to success is to inform, educate and remind (especially if you're trying to raise the positive internal profile of your IT department, as discussed last month). As always, this will vary wildly depending on your organisation, but the common challenge will be how to make it engaging. Luckily there's a mutual synergy in this.

Network security isn't exactly a riveting subject for the average user, but you'd be surprised how people will suddenly be very interested in how they can spot phishing, malware and virus activity if it will ensure they can keep their LinkedIn, Facebook, Twitter, Gmail and online bank accounts safe. When you give a presentation, deliver it in a way that demonstrates the maximum benefit to them and let it drift into the context of your organisation. The goal isn't to bombard your users with technical details; it's about raising awareness to a point that they will spot anything ‘phishy’ when outside the safety of the organisation's protective systems (or if anything gets through).

When raising awareness within your organisation, do not forget about your IT staff. It's easy to make the assumption that IT staff know about security, but the cold, hard truth is that any monkey can run an anti-virus cleaner after the fact, and that doing so does not constitute knowing anything!

Security will only become more important in the future, and I personally think it's more about mindset than technical ability.