itb-nz logo
Story image

You are the weakest link

01 Dec 2009

Users are the weakest point in your security network.In an increasingly connected digital world, network security has had to evolve as the nature of threats has changed. The old hard exterior/soft interior model has long been outmoded and vendors now provide layered security solutions in the enterprise, integrating right down to the desktop level. These layered solutions guard against, as well as respond to, automated hacking, viruses, malware, phishing – you name it. Yet with all the ‘intelligent’ network security being deployed these days, I can’t help but feel some organisations are overlooking one important resource that complements this investment – their staff.In 2003, I remember keenly awaiting Kevin Mitnick’s book The Art of Deception. Here was the most high-profile and controversial hacker of my generation publishing a book detailing how he’d done it. (Although Mitnick’s book was presented as fiction, it discussed methods uncannily similar to those he was accused of using during his trial.) So what was his secret? How had he come to be regarded as a genius who hacked his way into the history books? Simple: he’d realised that the human element will always be a vulnerable point and taken full advantage of it – it’s called social engineering.Recently, four of our users had their Gmail accounts compromised; it was a simple case of phishing. It occurred at home and someone else was using their Gmail accounts to send the same phishing message to their friends – nice. Playing devil’s advocate, let’s say this was a targeted attack and the attacker had done a little homework. Using the compromised Gmail account, the attacker could contact the email administrator requesting a password reset (why wouldn’t they use their Gmail account – they can’t use their work account), the email administrator resets their password and emails it to the Gmail account. Bingo, the hackers are in! What if that organisation used the same password directory for VPN access and the targeted user had authority to modify the payroll system, and also had authority to transmit electronic payments… you get the idea.Resisting the urge to argue the technicalities of this scenario, the point I’m making is that the above did not need to occur on an organisation’s computers or network. It negated the protection of any network security countermeasures until too late, and once compromised there would have been no suspicious activity to detect, as it would have looked legitimate. It was social engineering; people were the weak point. Your only real defence is to make your staff more aware of network security.The key to success is to inform, educate and remind (especially if you’re trying to raise the positive internal profile of your IT department, as discussed last month). As always, this will vary wildly depending on your organisation, but the common challenge will be how to make it engaging. Luckily there’s a mutual synergy in this.Network security isn’t exactly a riveting subject for the average user, but you’d be surprised how people will suddenly be very interested in how they can spot phishing, malware and virus activity if it will ensure they can keep their LinkedIn, Facebook, Twitter, Gmail and online bank accounts safe. When you give a presentation,it in a way that demonstrates the maximum benefit to them and let it drift into the context of your organisation. The goal isn’t to bombard your users with technical details; it’s about raising awareness to a point that they will spot anything ‘phishy’ when outside the safety of the organisation’s protective systems (or if anything gets through).When raising awareness within your organisation, do not forget about your IT staff. It’s easy to make the assumption that IT staff know about security, but the cold, hard truth is that any monkey can run an anti-virus cleaner after the fact, and that doing so does not constitute knowing anything!Security will only become more important in the future, and I personally think it’s more about mindset than technical ability.