Human failings can compromise the best IT security configuration

Even the best IT security can be let down by people's shortcomings and the processes surrounding systems. That was a key message from last month's annual Turing Lecture, organised by the BCS and the Institution of Electrical Engineers.

The most complex cryptography or data scrambling can be let down if system operators assume that this technology alone is the answer to their data security, said Fred Piper, director of the Information Security Group and professor of mathematics at London University's Royal Holloway College.

He recalled a university which was concerned about students breaking into its system and changing their grades, so it encrypted the grades.

"A hacker could not read the grades but what they were actually worried about was someone changing the grades," Piper said. "You can still change the grades, even though they are encrypted. You find the name of someone you know is a good student. You cannot read his grade but you can copy his grade to yours: encryption does not stop this."
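The grade-copying story above is the classic case of encryption that gives confidentiality but no integrity and no binding to the record it belongs to. The following Python is an added illustration, not code from the lecture or from any university system: it stores grades under a toy confidentiality-only scheme, shows that a stored ciphertext can be copied from one student's row to another's without the key and still decrypts, and then shows the standard mitigation, binding the ciphertext to the student's identity with an authenticated tag (encrypt-then-MAC with the student ID as associated data) so that a copied record is rejected on read. The cipher here is a stdlib-only counter-mode keystream built from HMAC-SHA256, chosen so the example runs without third-party packages; the keys, student names and grades are constructed sample values. In a real system the same binding is obtained with an AEAD cipher such as AES-GCM, passing the record identity as associated data.

```python
"""Added example: why encrypting a field does not stop it being copied
between records, and how binding the ciphertext to its record fixes that.
Stdlib only; the 'cipher' is a toy HMAC-SHA256 counter-mode keystream."""
import hashlib
import hmac
import os

NONCE_LEN = 12   # random per-encryption nonce prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag appended in the bound scheme


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


# --- Scheme 1: confidentiality only (what the university in the story did) ---
def encrypt_grade(key: bytes, grade: str) -> bytes:
    """Return nonce || ciphertext. Nothing ties this blob to any student."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(grade.encode(), _keystream(key, nonce, len(grade)))


def decrypt_grade(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct))).decode()


# --- Scheme 2: ciphertext bound to its record (encrypt-then-MAC, student ID as associated data) ---
def seal_grade(enc_key: bytes, mac_key: bytes, student_id: str, grade: str) -> bytes:
    """Return nonce || ciphertext || tag, where the tag covers the student ID too."""
    blob = encrypt_grade(enc_key, grade)
    tag = hmac.new(mac_key, student_id.encode() + b"\x00" + blob, hashlib.sha256).digest()
    return blob + tag


def open_grade(enc_key: bytes, mac_key: bytes, student_id: str, sealed: bytes):
    """Verify the tag against the row's own student ID before decrypting.
    Returns the grade, or None if the record was not sealed for this student."""
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, student_id.encode() + b"\x00" + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_grade(enc_key, blob)


def copy_attack_outcome() -> dict:
    """Copy the good student's stored ciphertext into another row under both schemes.
    Keys and names below are constructed sample values."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)

    # Scheme 1: the copied blob decrypts to the good student's grade.
    records = {"alice": encrypt_grade(enc_key, "A"),
               "mallory": encrypt_grade(enc_key, "F")}
    records["mallory"] = records["alice"]          # no key needed for this step
    unbound = decrypt_grade(enc_key, records["mallory"])

    # Scheme 2: the copied record fails verification for the other student ID.
    sealed = {"alice": seal_grade(enc_key, mac_key, "alice", "A"),
              "mallory": seal_grade(enc_key, mac_key, "mallory", "F")}
    sealed["mallory"] = sealed["alice"]
    bound = open_grade(enc_key, mac_key, "mallory", sealed["mallory"])

    return {"unbound": unbound, "bound": bound}   # {'unbound': 'A', 'bound': None}


if __name__ == "__main__":
    print(copy_attack_outcome())
```

The point the example makes is Piper's: the key never leaves the server, the attacker never reads a grade, and the confidentiality-only scheme is still defeated, because what needed protecting was the association between student and grade, not the grade's value. Detection of the copied-record case in the bound scheme is also cheap: a tag failure on a stored record is an integrity alarm worth logging, since legitimate data never fails its own tag.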

Failure to look beyond the encrypted parts of a system raised other security issues, Piper said.

A message is put through an encryption program, transmitted and unscrambled by a program at the other end. It does not stop someone intercepting the message but it prevents them from reading it without masses of computing resources and time.

But, Piper said, "The message only has protection between the encryption and decryption algorithms.

"If the environments in which the encryption or decryption take place are insecure, there may be no point encrypting it, because people can get the information before you encrypt it or at the other end after decryption. There is no point having encryption to protect the link if you do not protect the end points as well."

Another security method, biometrics, which is being considered by the UK government for passports and identity cards and by the US for visas, can also be let down by the surrounding systems, Piper said.

Security using biometrics is based on automated recognition of a fingerprint, iris, hand geometry or other apparently unique physical characteristic.

"Identity fraud, where someone assumes your identity, is prevalent, and people are really frightened of it," he said.

"Issues arise around registration of the biometric: how do you identify yourself? Your birth certificate? It has no relation to you whatsoever. It is just a piece of paper signed by someone who thinks you might exist. There is no link between identity and event.

"With biometric security you give the biometric and it is registered to you. If someone can impersonate you in that process, they impersonate you forever. They have stolen your identity.

"It does not matter how good the biometric is, how good the cryptography is: if they can deceive at the registration process, then they are you. All the biometric does is confirm that the person registered for that biometric is the person using it."
