Re: [WhitehatAfrica] Security - The Human Factor.


ca...@calkis.co.za

Jun 18, 2007, 2:54:31 AM
to WhitehatAfrica
Hi Kipsang,

You are so correct, that is why most organisations rather spend thousands of Rands on technology and policy documents to try and ease their conscience simply because they do not know how to even start approaching the "Human Factor".

I believe that if we go back to the old school, which is still absolutely relevant even today, one needs to address people, processes and technologies - the one cannot exist without the other. Picture a well informed user, the best anti-virus policy, but no anti-virus product installed - won't work. What about an informed user, a very good policy, one of the best anti-virus products, but no technically capable person to maintain, update, manage, call it what you like, the product. Of course these products can almost function by themselves in today's environment, but will there be a suitable person to interpret the logs and implement better strategies? The point I'm trying to make is simply that any organisation needs to look at the holistic picture (People, Processes and Technology), and most of them seem to neglect the people aspect due to the lack of knowledge or simply because they feel it won't help - as soon as you train a person, he becomes more marketable and leaves the organisation for greener pastures.

To add to this frustration, companies that do pursue the awareness effort seem to lack a bit of creativeness, the old story of killing the audience by PowerPoint presentation or technical meaningless jargon. My advice is simple, you need to address the human factor, remember - "technology doesn't work unless people decide to make it work" and "organisations don't change, people change and then people change organisations".

I'm going to leave you with a quote from Bruce Schneier, he says -

"The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems. Always remember: amateurs hack systems, professionals hack people."

Kind Regards

Carel van Vuuren


-----Original message-----
From: "Kipsang" kips...@gmail.com
Date: Sat, 16 Jun 2007 21:58:19 +0200
To: "WhitehatAfrica" Whiteha...@googlegroups.com
Subject: [WhitehatAfrica] Security - The Human Factor.

>
> Currently, I've been reading this book called "The Art of Deception"
> by Kevin D. Mitnick & I find it fascinating. It got me thinking: Is
> the human factor truly security's weakest link? For example, a
> corporation may purchase the best security solutions that money can
> buy and train its employees in the use of these solutions, moreover,
> follow every best-security practice recommended by the experts yet the
> company's still vulnerable because security attacks today are now
> being targeted at the employees of these corporations. This is because as
> developers come up with better security technologies, it's becoming
> increasingly difficult to exploit technical vulnerabilities so
> attackers will tend to try cracking the human element. A simple
> illustration can be an attacker deceiving a trusted user into
> revealing information e.g. setting up a counterfeit log in page for an
> e-mail site thus stealing the user's ID & password hence gaining
> unlimited access to their e-mail account. This is a way spammers
> unscrupulously obtain e-mail addresses for marketing purposes. My
> personal question is: What are we as African corporations doing to
> strengthen the human factor in our day-to-day operations?
>
> Food for thought: Is security a technological problem or a people &
> management problem?