
Technology is getting better all the time at helping to provide security for businesses across the globe. Developments such as biometrics, integrated access control systems, single sign-on and multiple levels of system access control are making security systems stronger and more sophisticated. But, at the end of the day, those systems still rely on people to make them work properly.
“The problem we run into is that people still have to use the technology,” says Murray Jennex, a certified information systems security professional (CISSP) and associate professor at San Diego State University. “We’re finding that people are ignoring or misusing the technology as we implement it.”
Smart Business talked to Jennex about what companies can do to improve the security they already have.
How do people ignore current technology?
We can implement strong passwords for a system. Yet time and again, we go into a company where we have these strong password programs, including technology that forces people to change the passwords, and you still see them written down on a monitor or on a sticky note. So you have to ask yourself whether we’re improving security by using better technology. This is where companies have to do an integrated program that includes training on how to use the technology. Training on security awareness, which teaches why the technology is there in the first place and what the student’s role is in security, is also important.
As technology improves, is it easier or harder to manipulate?
It could be both. In many ways, as we improve technology, it becomes easier to use it to implement technology. But improved technology is a double-edged sword. What makes it so easy to use also makes it easier for the hacker to attack you.

Another problem is that if a system is too difficult to use, or if people don’t want to follow the security policies we want them to use, they simply bypass it. Say we implement a network monitor or network intrusion detection system. If the systems are too difficult or time-consuming to use, then the company may not use them properly. Additionally, having these systems installed and not used properly may even allow others to use them to monitor your systems and to find potential weaknesses in security.
So it’s really a constant battle. In one of the studies I did, I looked at what it took to be an effective security person versus an effective hacker from a knowledge requirement perspective. It takes a lot of intelligence to be good at security because there’s so much technology and so many things to learn about your particular systems so that it can be implemented properly.

On the other hand, the tools are so easy to use that you don’t have to be all that smart to be an effective hacker. And most of these tools are available online, for free.
Is a company more at risk internally or externally?
All of the numbers say it’s internal. Eighty percent of the risk for security breaches comes from within the company, while 20 percent of the risk is from outside the company. A lot of it comes from disgruntled employees or people who aren’t aware of what they need to do for security. Kevin Mitnick, a social engineer and well-known hacker, had a hacking approach of talking the people in a given company into providing him all of the information he needed to get into the security system. I have found that this can be a common problem. Receptionists may not know how to handle questions, or what to do when someone they don’t recognize, but who looks like they may belong in the company, asks certain questions. All of these things make it easy for a hacker to attack.
Phishing attacks are popular right now, and they blatantly ask for your information right over the Internet. Phishing is nothing more than an educational issue. If your people know how to handle such requests, your security system is that much more effective. While it’s amazing that people respond to phishing requests, it’s because they haven’t been trained not to respond. If phishers get a 2 to 4 percent response, that is still a lot of people.
Malware — software designed to infiltrate or damage a computer system without the owner knowing about it — is another concern because people don’t know that they shouldn’t download certain documents or open certain attachments. And some of the IT people are the worst offenders because they believe they can fix anything that goes wrong.
MURRAY JENNEX is a CISSP and associate professor at San Diego State University. Reach him at (619) 594-3734 or [email protected].