backtop


Print 42 comment(s) - last by MattCoz.. on Feb 7 at 1:34 PM

Even the world's most secure systems can be compromised, thanks to user nincompoopery

Every year Deloitte releases an in-depth study on the state of IT security.  And every year it returns with the same predictable result.  Systems are most vulnerable not necessarily due to clever attacks or weaker than necessary defenses, but rather due to the carelessness of their users.

Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu notes, "People continue to be an organization's greatest asset as well as its greatest worry.  That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement."

While much of the study falls into the realm of the painfully obvious (such as that robots are unlikely to replace humans in security in our lifetimes) it does raise some interesting points.  The obvious solution to the problem -- denial of access -- just doesn't work, it states.  The result is that productivity necessitates connectivity, raising security dangers.  The report states, "
Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)."

Social networking and new technologies are cited as critical threats to security.  The good news, according to a separate research firm,
Identity Theft Resource Center, is that data breaches due to human error declined slightly in 2008.  Still, such breaches encompass 35.2 percent of the cases studied which had a reported cause.

In Deloitte's Global Security Survey, it showed more positive signs as well.  External breaches arising from viruses and worms dropped from affecting 43 percent of respondents in 2007 to 15 percent in 2008.  Email attacks likewise fell from 57 percent to 24 percent.  Phishing attacks also fell greatly, down to 7 percent from 38 percent the previous year.

Of the respondents, 80 percent reported being on the receiving end of an external attack which succeeded in breaching their systems.  And 70 percent reported internal attacks breaching their systems.  The biggest cause for internal breaches was found to be viruses and worms, which hit the systems of 11 percent of respondents.

The study states that the industry, while successful in greatly cutting email and phishing attacks, is having trouble stamping them out entirely.  This is due largely to their diverse nature.  Still, the study states that firms are getting better prepared to prevent repeated attacks from viruses or worms.

As to the threats posed by user error, recent studies have shown that many users will click on windows that are obviously malware-loaded, in a misguided effort to make them disappear.  These studies and others show that you can build an imposing castle, but it can't protect you from people inside it opening the gate.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Well if companies...
By afkrotch on 2/5/2009 3:20:11 PM , Rating: 2
Guess you're not using a CAC yet. Not like it really matters to much for me.

I need a pin for the CAC to login. My admin account requires a 16 character password. Our servers also have an admin account password. Each server tends to have around another 5-10 accounts each with their own password. I have to remember 3 different pins. One to enter the bldg, one to enter the NIPR server room, and one to enter the SIPR server room. Also 2 SIPR accounts (normal and admin) each with their own 16 character passwords. The SIPR servers also have passwords.

We have a cold site with more servers and passwords. I have accounts at other military/federal/national website for my admin duties. It gets a whole lot of crazy when you're on the admin side of things.

I end up locking my account out for most everything, cept for standard CAC and NIPR admin account.


"And boy have we patented it!" -- Steve Jobs, Macworld 2007














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki