
You are the weakest link

01 Dec 2009

Users are the weakest point in your security network.

In an increasingly connected digital world, network security has had to evolve as the nature of threats has changed. The old hard exterior/soft interior model has long been outmoded, and vendors now provide layered security solutions in the enterprise, integrating right down to the desktop level. These layered solutions guard against, as well as respond to, automated hacking, viruses, malware, phishing – you name it. Yet with all the ‘intelligent’ network security being deployed these days, I can’t help but feel some organisations are overlooking one important resource that complements this investment – their staff.

In 2003, I remember keenly awaiting Kevin Mitnick’s book The Art of Deception. Here was the most high-profile and controversial hacker of my generation publishing a book detailing how he’d done it. (Although Mitnick’s book was presented as fiction, it discussed methods uncannily similar to those he was accused of using during his trial.) So what was his secret? How had he come to be regarded as a genius who hacked his way into the history books? Simple: he’d realised that the human element will always be a vulnerable point and taken full advantage of it – it’s called social engineering.

Recently, four of our users had their Gmail accounts compromised; it was a simple case of phishing. It occurred at home, and someone else was using their Gmail accounts to send the same phishing message to their friends – nice. Playing devil’s advocate, let’s say this was a targeted attack and the attacker had done a little homework. Using the compromised Gmail account, the attacker could contact the email administrator requesting a password reset (why wouldn’t they use their Gmail account – they can’t use their work account); the email administrator resets the password and emails it to the Gmail account. Bingo, the hackers are in! What if that organisation used the same password directory for VPN access, and the targeted user had authority to modify the payroll system and also to transmit electronic payments… you get the idea.

Resisting the urge to argue the technicalities of this scenario, the point I’m making is that the above did not need to occur on an organisation’s computers or network. It negated the protection of any network security countermeasures until too late, and once compromised there would have been no suspicious activity to detect, as it would have looked legitimate. It was social engineering; people were the weak point. Your only real defence is to make your staff more aware of network security.

The key to success is to inform, educate and remind (especially if you’re trying to raise the positive internal profile of your IT department, as discussed last month). As always, this will vary wildly depending on your organisation, but the common challenge will be how to make it engaging. Luckily there’s a synergy in this.

Network security isn’t exactly a riveting subject for the average user, but you’d be surprised how people will suddenly be very interested in how they can spot phishing, malware and virus activity if it will ensure they can keep their LinkedIn, Facebook, Twitter, Gmail and online bank accounts safe. When you give a presentation, frame it in a way that demonstrates the maximum benefit to them and let it drift into the context of your organisation. The goal isn’t to bombard your users with technical details; it’s about raising awareness to a point that they will spot anything ‘phishy’ when outside the safety of the organisation’s protective systems (or if anything gets through).

When raising awareness within your organisation, do not forget about your IT staff. It’s easy to make the assumption that IT staff know about security, but the cold, hard truth is that any monkey can run an anti-virus cleaner after the fact, and doing so does not constitute knowing anything!

Security will only become more important in the future, and I personally think it’s more about mindset than technical ability.
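The password-reset abuse in the scenario above, as an added example that is not part of the original article: the help-desk process as the article describes it (a phished personal mailbox is enough to get a new password mailed to the attacker) beside a version where credentials never go to a requester-supplied address and identity is confirmed by calling back the number the directory already holds. The directory, account names, addresses and corporate domain below are constructed for illustration.

```python
"""Help-desk password-reset triage: the flow from the article beside a hardened one.

Added example; the staff directory, account names, addresses and domain
are constructed and do not belong to any real organisation.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed staff directory (hypothetical): identity attributes the help
# desk holds independently of anything the requester writes in an email.
DIRECTORY = {
    "jsmith": {"work_email": "jsmith@example.co.nz", "phone_on_file": "+64 21 000 0000"},
}
CORPORATE_DOMAIN = "example.co.nz"  # constructed


@dataclass
class ResetRequest:
    claimed_user: str   # account the requester says is theirs
    from_address: str   # mailbox the request arrived from
    deliver_to: str     # where the requester asks the new password be sent


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def naive_reset(req: ResetRequest) -> tuple[str, str]:
    """The process in the article: believe the sender, reset the account and
    mail the new password wherever they asked.  Control of a phished Gmail
    account is all the attacker needs."""
    if req.claimed_user not in DIRECTORY:
        return ("denied", "no such account")
    return ("password_sent", req.deliver_to)


def hardened_reset(req: ResetRequest) -> dict:
    """An email is not proof of identity, so no email-initiated request is
    completed directly.  Identity is confirmed by voice callback to the
    phone number already on file, and anything that is eventually sent goes
    only to the address on file.  External senders and requests to redirect
    delivery are flagged for the person doing the callback."""
    record = DIRECTORY.get(req.claimed_user)
    if record is None:
        return {"action": "denied", "reason": "no such account"}
    external_sender = _domain(req.from_address) != CORPORATE_DOMAIN
    redirect_requested = req.deliver_to.lower() != record["work_email"].lower()
    flags = [name for name, on in (("external_sender", external_sender),
                                   ("redirect_requested", redirect_requested)) if on]
    return {
        "action": "callback_required",
        "callback_number": record["phone_on_file"],   # from the directory, not the email
        "deliver_to": record["work_email"],           # never the requester-supplied address
        "flags": flags,
    }


def article_scenario() -> tuple[tuple[str, str], dict]:
    """The attacker from the article: writing from the phished Gmail account
    and asking for the new password to be sent back to it."""
    req = ResetRequest("jsmith", "jsmith.personal@gmail.com", "jsmith.personal@gmail.com")
    return naive_reset(req), hardened_reset(req)


if __name__ == "__main__":
    naive, hardened = article_scenario()
    print("article process :", naive)
    print("hardened process:", hardened)
```

The hardened path deliberately has no branch that completes a reset on the strength of the email alone; the flags only tell the help-desk operator how suspicious the request already looks before they pick up the phone.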
