Forget about attacks through your firewall. What about
the guy who phones up the IT helpdesk, pretends to be a senior
manager and gains access to your information that way? This is
social engineering - exploiting human vulnerabilities rather than
technical ones.
Most security professionals agree that people are your weakest
link - so why do we continue to ignore this area of security? Or at
best give it lip service through half-hearted security awareness
programmes?
We all know that attackers will focus on your weakest link. For
example, they do not attack online banking systems directly. Instead, they
attack the bank's customers, using phishing techniques to trick them into
giving away their credentials.
Alternatively, an attacker may simply phone and ask for security
details. Even an "advanced" countermeasure, such as asking for only part
of your secret information (say, three characters of a memorable word)
on any one call, is being circumvented by fraudsters who have discovered
that it is possible to call someone more than once and collect the rest.
Ingenious!
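The arithmetic behind that bypass, as an added example that is not part of the column (the piece contains no code): it assumes a bank that holds an eight-character memorable word and asks a caller for three randomly chosen positions of it. The word "kingfish", the lengths, the attempt cap and the two verifier classes are constructed for illustration. It goes a little beyond the text in two ways: it also shows that a fraudster holding only part of the word can hang up and redial until the bank happens to ask positions they already have, and it shows the usual counter to that (re-ask the same positions until they are answered correctly, and cap wrong answers).

```python
"""Why "we never ask for your whole password" does not survive a second call.

Constructed illustration (not code from the article or from any bank): a
memorable word of SECRET_LEN characters, of which a caller is asked for ASK
positions chosen at random. All names and numbers here are assumptions.
"""
from math import comb
from typing import Dict, Optional, Tuple
import random
import secrets

SECRET_LEN = 8   # length of the memorable word (assumption)
ASK = 3          # characters requested per challenge (assumption)


def positions_known_after(calls: int, per_call: int = ASK, n: int = SECRET_LEN) -> int:
    """Worst case for the victim: each fraudulent call asks for positions the
    fraudster does not yet hold, so the whole word is out after ceil(n/per_call) calls."""
    return min(n, calls * per_call)


def pass_probability(known: int, n: int = SECRET_LEN, k: int = ASK) -> float:
    """Chance that one fresh random k-of-n challenge from the real bank lands
    entirely inside the `known` positions a fraudster has already harvested."""
    return comb(known, k) / comb(n, k) if known >= k else 0.0


def pass_probability_with_redials(known: int, redials: int) -> float:
    """If every redial yields a new random challenge, the fraudster can hang up
    on any challenge that touches an unknown position and simply try again."""
    return 1 - (1 - pass_probability(known)) ** redials


class FreshChallengeVerifier:
    """Weak design: new random positions on every call ("challenge shopping")."""

    def __init__(self, secret: str, k: int = ASK, rng: Optional[random.Random] = None):
        self.secret, self.k = secret, k
        self.rng = rng or secrets.SystemRandom()  # seedable only for tests

    def challenge(self) -> Tuple[int, ...]:
        return tuple(sorted(self.rng.sample(range(len(self.secret)), self.k)))

    def verify(self, positions: Tuple[int, ...], answer: str) -> bool:
        return len(answer) == len(positions) and all(
            self.secret[p] == c for p, c in zip(positions, answer))


class StickyChallengeVerifier(FreshChallengeVerifier):
    """Mitigation: the same positions are asked again until answered correctly,
    and wrong answers are capped. Hanging up and redialling no longer buys a
    fresh draw, so harvesting only part of the word stops being enough."""

    def __init__(self, secret: str, k: int = ASK, max_failures: int = 3, rng=None):
        super().__init__(secret, k, rng)
        self.pending: Optional[Tuple[int, ...]] = None
        self.failures, self.max_failures, self.locked = 0, max_failures, False

    def challenge(self) -> Tuple[int, ...]:
        if self.locked:
            raise PermissionError("locked: verify the caller by another route")
        if self.pending is None:
            self.pending = super().challenge()
        return self.pending

    def verify(self, positions: Tuple[int, ...], answer: str) -> bool:
        if self.locked or positions != self.pending:
            return False
        ok = super().verify(positions, answer)
        if ok:
            self.pending, self.failures = None, 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok


def fraudster_redials(verifier: FreshChallengeVerifier, harvested: Dict[int, str],
                      redials: int) -> bool:
    """A fraudster holding `harvested` {position: char} phones the bank up to
    `redials` times and only answers a challenge they can satisfy in full."""
    for _ in range(redials):
        positions = verifier.challenge()
        if all(p in harvested for p in positions):
            return verifier.verify(positions, "".join(harvested[p] for p in positions))
        # otherwise hang up and hope for a friendlier set of positions next time
    return False


if __name__ == "__main__":
    word = "kingfish"  # constructed memorable word
    for calls in (1, 2, 3):
        known = positions_known_after(calls)
        print(f"{calls} call(s) to the victim -> {known}/{SECRET_LEN} characters, "
              f"P(pass one challenge)={pass_probability(known):.3f}, "
              f"P(pass within 10 redials)={pass_probability_with_redials(known, 10):.3f}")
    partial = {i: word[i] for i in range(6)}  # two calls' worth of harvest
    print("fresh challenges :", fraudster_redials(FreshChallengeVerifier(word), partial, 10))
    print("sticky challenges:", fraudster_redials(StickyChallengeVerifier(word), partial, 10))
```

Two calls to the victim give the fraudster six of eight characters; against a bank that draws fresh positions every time that is already a better-than-even bet inside ten redials, and a third call to the victim makes the check worthless. The sticky verifier removes the redial advantage but, as the column's argument goes, does nothing about the customer who reads characters out to whoever rings; that part is still a human control.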
So who is to blame for systematically ignoring human security? I
would start with typical IT specialists: they do not like users very
much, and addressing human weaknesses is not on their agenda.
HR (conveniently) thinks information security is an IT issue.
With the UK's poor record of investment in training, finding a
slice of the training budget to address human security can be a
real challenge.
The information security industry likes to sell expensive
hardware and software "solutions". IT people love their technology,
so suppliers queue up to satisfy this need and make a fine living
in the process.
Perhaps the security experts can save the day. But with the
CISSP exam guide telling us that it is easier to
prepare employees to withstand social engineering attacks than it
is to set up a firewall, then maybe not.
Can the ISO 27001 (BS 7799) standard help? After all, it
is about information security management systems. Maybe not. Only
one of the 133 controls addresses the issue of human
vulnerabilities, and that simply focuses on general staff
awareness.
The answer starts with bringing IT, physical and human security
together under a true information security management system. To be
fair, this is something that ISO 27001 can deliver, if addressed
properly, by building on a proper assessment of risk.
You can also think about how you allocate your security budget.
Is it balanced in proportion to the threats you face and the spread
of vulnerabilities within your organisation?
You can think about human security in the same way as you would
secure a web server. Develop a thorough understanding of human
vulnerabilities, with an appropriate balance between systemic
improvements to shield human weaknesses, and effectively targeted
training and awareness building.
● Ian Mann is a senior systems consultant at ECSC