By Rodney J. Johnson, Prescient Consulting, Inc.
Originally published in AMCHAM Korea Magazine, 2005
We've all learned to ignore emails from Sani Abacha or anyone else
purporting to have come into large sums of Nigerian cash. If this were
the worst that online or email threats aimed at separating unwary
computer users from their money could offer, the internet would be a
comparatively friendly place. It is not, however. New, more virulent
threats are constantly emerging. New or old, the one common denominator
of all highly successful attacks is that they focus on the weakest
link in the security chain - people. Hackers have named this method
of attacking a system "social engineering". Social engineering is so
widely used because it works so well. No matter what the goal of the
attacker is, it is simply the easiest way to gain access to a computer
system or confidential information.
Security systems made to protect
computers and networks from assault are designed by PhDs, coded by
security experts with master’s degrees, and integrated into
business computing environments by skilled technicians trained
specifically for that purpose. In this specialized security process,
the users are often forgotten at the end. The simple, sad fact is
that the chances of breaking a code built by a math professor are
worse than the chances of talking the boss's secretary into revealing
her password. If you were an attacker, where would you put your
energy?
Predictably, the bad guys put their
energy into attacking people. Technologically attacking a computer or
network user requires special skills, knowledge, brains, time, and
perseverance. Psychologically attacking the same requires just a
little fancy footwork. We've all installed virus checkers, firewalls,
and other security software aimed at protecting against technological
attacks. No firewall available, indeed, no software available can
protect against a people attack. There is no magic bullet. Rather,
training and awareness are the only real ways to harden the weakest
link.
"Amateurs hack systems.
Professionals hack people."
A computer security industry joke has
it that the definition of an unsecure computer is one that is turned
on. We might as well give up on a technological solution that turns
cyberspace into a Utopia where the unsuspecting computer user can
roam freely without fear of assault - it will never come. Technology
itself doesn't wear a white hat or a black hat. The advances that
serve the good guys are just as easily employed by those with bad
intentions. The technological race between those who would attack and
those who would protect is a never-ending one, with one side's advance
often being met with a reply from the other side within hours.
Too many organizations, scared off by
the scope of the problem, have delegated authority and responsibility
to the propeller-heads. They then sit back in the false belief that
they've done all that can be done. In reality, no one can depend on
technology to batten down the hatches. No software 'solution' can
solve all the computer security problems that haunt us, no matter
what the software salesman may say. We can only depend on ourselves.
At the end of the day, a computer is only as secure as the person using it
is aware of, and ready to meet, the dangers facing him or her.