Monday, October 31, 2011

Security: Humans are always the weakest link

Good article in today's Wall Street Journal describing the weakest link in the information security chain. The summary? You can have your firewalls, your intrusion prevention systems, your endpoint security systems, your anti-virus, your spam filters, your zero-day detection appliances, your application-aware firewalls, and the rest.

But then there's this:

Chris Patten called a large investment-management firm to report that he was going through a divorce and was worried that his wife had set up an account under a false name.

And with that story—entirely plausible but in this case a lie—a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn't actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

As banks and other large companies spend large amounts of money on building firewalls and using complex technology to fortify their systems, it is often their own employees who are letting identity thieves in the door...

User education and awareness are good starting points. And solid browsers that can help point out phishing attempts certainly help.

But the fact remains: social engineering is just too damn easy and there's no silver bullet. What's that old quote? "Make it idiot-proof, and someone will make a better idiot."


Monkey King said...

If you want to really know, read "The Art of Intrusion" and "The Art of Deception". Kevin Mitnick is the one who mainly used social engineering as his main hacking tool. Of all the weak links in information security, the human element is the only one that will continue to be the ultimate exploit for hackers.

Chaz said...

Idiot proofing is like an arms race between bomb makers and bomb shelter makers.

It takes a lot of expertise to make a better bomb shelter that won't collapse on itself while still protecting you from a bomb that's big.

It's very easy to make a bigger bomb.

Anonymous said...

I remember a study in England that placed USB drives by the entrances to a business. They held a program that would call home when plugged in. Half of them made it in.