Monday, 31 October 2011

Security: Humans are always the weakest link

Good article in today's Wall Street Journal describing the weakest link in the information security chain. The summary? You can have your firewalls, your intrusion prevention systems, your endpoint security systems, your anti-virus, your spam filters, your zero-day detection appliances, your application-aware firewalls, and the rest.

But then there's this:

Chris Patten called a large investment-management firm to report that he was going through a divorce and was worried that his wife had set up an account under a false name.

And with that story—entirely plausible but in this case a lie—a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.

Mr. Patten, a 35-year-old cybersecurity expert who was with the U.S. Air Force before he started working for a consulting firm in Kansas City, Mo., didn't actually use or sell the data, which he gathered in running a test for the investment firm of its security arrangements. But the ease with which the employee was persuaded to divulge the information points to a troubling trend, security experts and law enforcement officials say.

As banks and other large companies spend large amounts of money on building firewalls and using complex technology to fortify their systems, it is often their own employees who are letting identity thieves in the door...

User education and awareness are good starting points. And solid browsers that can help point out phishing attempts certainly help.

But the fact remains: social engineering is just too damn easy and there's no silver bullet. What's that old quote? "Make it idiot-proof, and someone will make a better idiot."
