Expert shows dark side of the web and warns users are weakest link

Becoming a computer criminal or exposing an organisation to risk - maliciously or inadvertently - is as easy as making a few...

Becoming a computer criminal or exposing an organisation to risk - maliciously or inadvertently - is as easy as making a few mouse clicks. This was demonstrated at the annual lecture organised by the BCS and the Royal Signals Institution.

"Systems would run perfectly if we did not have users," said Colin Rose, a security, legal and business management expert who is consulted by government agencies and companies. "We show them how to do things but they do it their way. They change things. They install their own programs and games."

He pointed to surveys which have shown that 60% of IT security breaches come from inside organisations. Although these breaches are not necessarily malicious, their impact can be far-reaching.

"If someone is accessing lewd images, there is a productivity issue: that person is not doing their job. If it is child pornography, it is a criminal issue. The police could knock on the door because of one individual, bringing bad publicity and lost reputation," said Rose.

"Another user could see the images and feel harassed; they might leave and claim compensation, costing the organisation money and again, reputation - and the organisation loses the wrong person, the one actually doing their job."

Information can be disclosed inadvertently, Rose said. He highlighted a feature in Microsoft Word which saves deleted text and document owner information in the final version of a file. The information can be viewed with a simple software utility, potentially causing embarrassment or worse if the file is sent to a customer or supplier.

Public PCs in hotel rooms can reveal information about their previous users. Rose mentioned cases of public PCs revealing details of online chat between married lovers, access to pornography websites, and e-mails relating to business deals.

Information on everything from making bombs to robbing bank cash machines and killing people is readily available online, Rose showed. Instructions on how to pick locks are provided by an online guide posted by the Massachusetts Institute of Technology. Rose demonstrated online utilities to crack passwords, run denial of service attacks, create valid credit card numbers, and create viruses to order.

"Clearly it is easy to get up to all kinds of no good on the web," Rose said. "You can do it accidentally, deliberately, maliciously or by being careless.

"Security is not a technology issue or a techie responsibility; it is the responsibility of everyone. Think about information systems rather than IT; or person-machine-machine-person: think about how the whole system can be corrupted, from the inside and the outside.

"Be aware of the dark side of the web but do not run away from it: manage the risks and the users. There are some sociopaths, but most risks are from people who do not know what they are doing."

He added, "Security is a process, not a goal. It is a never-ending merry-go-round."

Read more on IT risk management