Infosecurity preview: Cautionary security tales

Not all security risks require a high-tech solution, and protecting your systems from internet-borne attacks will not guarantee that you remain safe.

People, as we are so often told, are almost always the weakest link in the security chain, which is why social engineering attacks work so well, and why viruses that rely on ignorant users clicking URLs in e-mail attachments are able to spread so rapidly.

But low-tech security can fail just as dangerously as high-tech solutions. I was once visiting the offices of a high-profile company that was assisting me with a magazine article that I was writing. In the bin next to me was a spreadsheet containing personal details of every employee, including salary.

Although the document had been put through a shredder and cut into strips, each strip was a perfectly readable row of the spreadsheet as the sheets had been put into the machine the wrong way round by an untrained operator. Remember – a firewall will never stop this sort of thing happening in your company.

Another time, I was meeting a client at a hotel in London. After our meeting the client was due to see his accountant and had therefore brought along the previous year’s invoices, receipts and bank statements. They were all stored safely in carrier bags, under the desk in his hotel room. By the time our meeting was over and he returned to his room to pick up the bags, they were on their way to the local dump, having been mistaken for rubbish by the person who cleaned his room.

High-tech solutions sometimes fail in fascinating ways. Last year, ITV was criticised after it inadvertently broadcast details of a pornographic website on a news bulletin. The address of the site was intended to be a fictional example and the journalist who compiled the report checked that it did not exist by typing the URL into his web browser. The resulting error message led the journalist to assume that no site by that name was in operation. In truth, the site did indeed exist, but had been blocked by the in-house firewall.

Sometimes, of course, the technology lives up to the marketing hype and you will quickly come to appreciate it. I was once delivering a presentation at a seminar on behalf of a company that wanted to highlight the importance of choosing strong passwords. We set up a server in the foyer and logged it in with an administrator account that allowed the creation of new user accounts.

As delegates arrived, we invited each of them to create a new user account and assign what they considered to be a sufficiently strong password. I then fired up a password cracker that managed to break 80% of the passwords by the time my presentation was due to start.

One delegate did not hang around to listen to my presentation. He went straight back to the office to devise and to enforce a new password policy for all employees. Having seen what the cracker could do, he felt that immediate action was required and that it could not even wait another hour. He looked incredibly annoyed as he left. I wonder if he has forgiven me yet?

Robert Schifreen is the author of Defeating The Hacker, published earlier this month by John Wiley & Sons. Robert is chairing the hacking keynote at Infosecurity Europe.
