[ISN] Uninformed staff pose security threat: Expert

From: InfoSec News (isn@private)
Date: Mon Nov 28 2005 - 22:46:20 PST


http://www.computerworld.com/securitytopics/security/story/0,10801,106565,00.html

By Brian Eaton
NOVEMBER 28, 2005
ITWORLDCANADA

TORONTO -- All it takes is one employee to unknowingly compromise a
network's hard outer shell.

And when that happens, all other security measures could simply melt
away, said Clemens Martin, founder of the Hacker Research Lab at the
University of Ontario Institute of Technology (UOIT).

"The reality is many businesses are operating under a false sense of
security," said Martin, who is also director of IT Programs at UOIT.  
"All too often, we see corporate networks that become compromised by
an 'igloo effect' of sorts."

The good news is that many corporate executives are becoming
increasingly aware of this risk.

Most business leaders polled as part of a recent Fusepoint/Sun
Microsystems/Leger Marketing survey stated that the greatest threat to
their data security was not likely to come from a malicious external
attack, but rather from the hands of an uninformed employee.

Martin also believes the private and public sectors have similar
security concerns.

He said that in both sectors the infrastructure used is similar, and
malicious attackers are keen to infiltrate both.

There is a common interest among the "bad guy community" to get inside
networks in both sectors, and attacks designed to fool uninformed or
undereducated employees and public servants are becoming more
sophisticated, Martin said.

Depending on an individual's e-mail settings, and security products in
use, an e-mail may just have to be clicked on -- without any
attachments whatsoever being opened -- for the attacker to get in, he
said.

"If you look at HTML-formatted e-mails, just like a Web page, there
can be embedded code that can download," Martin said. "There is a
risk, but there is also protection."

Martin pointed to products from Cupertino, Calif.-based Symantec, but
also noted that security software and conventional insurance are two
different things.

"You can buy an insurance policy for almost anything," Martin said.  
"But you can't buy insurance to hedge against IT security risks
because the problems are not understood as well as earthquakes or
fires or car theft. Those [problems] have been well studied over years
and years."

Most IT security problems are studied in computer science departments,
he said.



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Mon Nov 28 2005 - 23:04:16 PST