Forget about attacks through your firewall. What about the guy who phones up the IT helpdesk, pretends to be a senior manager and gains access to your information that way? This is social engineering - exploiting human vulnerabilities rather than technical ones.
Most security professionals agree that people are your weakest link - so why do we continue to ignore this area of security? Or at best give it lip service through half-hearted security awareness programmes?
We all know that attackers will focus on your weakest link. For example, they do not target on-line banking directly. Instead, they attack the bank's customers, using phishing techniques to trick them into giving away their credentials.
Alternatively, an attacker may simply phone and ask for security details. Even an "advanced" security countermeasure, such as asking for only part of your secret information on any one contact, is being circumvented by fraudsters who have discovered that it is possible to call someone more than once. Ingenious!
So who is to blame for systematically ignoring human security? I would start with typical IT specialists: they do not like users very much, and addressing human weaknesses is not on their agenda.
HR (conveniently) thinks information security is an IT issue. With the UK's poor record of investment in training, finding a slice of the training budget to address human security can be a real challenge.
The information security industry likes to sell expensive hardware and software "solutions". IT people love their technology, so suppliers queue up to satisfy this need and make a fine living in the process.
Perhaps the security experts can save the day. But with the CISSP exam guide telling us that it is easier to prepare employees to withstand social engineering attacks than it is to set up a firewall, then maybe not.
Can the ISO 27001 (BS 7799) standard help? After all, it is about information security management systems. Maybe not. Only one of the 133 controls addresses the issue of human vulnerabilities, and that simply focuses on general staff awareness.
The answer starts with bringing IT, physical and human security together under a true information security management system. To be fair, this is something ISO 27001 can deliver, if addressed properly, by building on a proper assessment of risk.
You can also think about how you allocate your security budget. Is it balanced in proportion to the threats you face and the spread of vulnerabilities within your organisation?
You can think about human security in the same way as you would secure a web server. Develop a thorough understanding of human vulnerabilities, with an appropriate balance between systemic improvements to shield human weaknesses, and effectively targeted training and awareness building.
● Ian Mann is a senior systems consultant at ECSC
This was first published in April 2007