News that the US Department of Homeland Security has identified the human element as the weak link in IT security comes as no surprise.
After DHS staff quietly dropped data discs and USB sticks in the car parks of government agencies and allied companies, they found that 60 per cent of them were picked up and plugged into the agency’s or company’s computer systems.
More ironic still, if the disc case carried an official logo the ‘success rate’ soared to 90 per cent, something the DHS noted as proving that there is no device known to mankind that prevents people from being idiots.
This observation, anecdotal evidence turned into hard numbers if you will, has ramifications for every aspect of IT security, and especially, I believe, for network security, because it also shows that you cannot rely on staff to install IT security systems properly.
Whilst many IT security professionals do install and configure their IPS, IDS, UTM and firewall systems correctly, a sizeable minority do not, largely through a lack of effective training.
The question then becomes: how do you spot these incorrectly configured systems, whose insecurity tends to worsen over time, often because patches and updates have not ‘taken’ as they should, which is another symptom of the same human failing.
The answer is automated, effective auditing of the security appliances and the systems around them, which tells IT security management which areas of network and system security need tightening up.
Automated penetration-testing and auditing systems cannot hope to correct the human failings identified in the DHS exercise, but they can compensate for them by acting as a real-world check on the effectiveness of a given IT security system, quickly and efficiently identifying the areas where security needs to be enhanced.
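To make the point concrete, here is the kind of automated configuration audit the preceding paragraphs argue for. This is example code added for this article, not a tool used in the DHS exercise or by any vendor named above: it runs two constructed firewall configuration exports against a hypothetical baseline and flags the symptoms discussed, a firmware update that never ‘took’, stale IPS signatures, an any/any/any allow rule, a management interface reachable from an untrusted zone, and missing remote logging. The device names, rule schema and baseline values are all assumptions made up for the illustration.

```python
"""Baseline audit of security-appliance configuration exports (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    device: str
    check: str
    detail: str


# Hypothetical baseline: what "correctly installed and patched" means for this estate.
BASELINE = {
    "min_firmware": "9.1.4",            # lowest acceptable firmware/patch level
    "max_signature_age_days": 7,        # IPS signatures older than this are stale
    "require_syslog": True,             # logs must leave the box
    "untrusted_zones": {"untrust", "guest"},
}

# Fixed reference date so the example is reproducible (assumed, not today's date).
REFERENCE_DATE = date(2011, 7, 1)


def parse_version(version):
    """Split a dotted version into integers so 9.1.10 compares newer than 9.1.4;
    plain string comparison gets that wrong and would flag a patched device."""
    return tuple(int(part) for part in version.split("."))


def audit_device(cfg, baseline=BASELINE, today=REFERENCE_DATE):
    """Return the list of baseline deviations for one device's config export."""
    name = cfg["name"]
    findings = []

    # 1. Patch level: an update that did not 'take' leaves the old firmware running.
    if parse_version(cfg["firmware"]) < parse_version(baseline["min_firmware"]):
        findings.append(Finding(name, "firmware",
                                f"running {cfg['firmware']}, baseline {baseline['min_firmware']}"))

    # 2. IPS must be enabled and its signature set reasonably fresh.
    ips = cfg.get("ips", {})
    if not ips.get("enabled"):
        findings.append(Finding(name, "ips", "IPS disabled"))
    else:
        age = (today - date.fromisoformat(ips["signature_date"])).days
        if age > baseline["max_signature_age_days"]:
            findings.append(Finding(name, "ips", f"signatures {age} days old"))

    # 3. Rule hygiene: blanket allows and management exposed to untrusted zones.
    for rule in cfg.get("rules", []):
        if rule["action"] != "allow":
            continue
        if rule["src"] == "any" and rule["dst"] == "any" and rule["service"] == "any":
            findings.append(Finding(name, "rule", f"{rule['id']}: any/any/any allow"))
        if rule["dst"] == "mgmt-interface" and rule["from_zone"] in baseline["untrusted_zones"]:
            findings.append(Finding(name, "rule",
                                    f"{rule['id']}: management reachable from {rule['from_zone']}"))

    # 4. Remote logging: local-only logs vanish with the box and hide drift.
    if baseline["require_syslog"] and not cfg.get("syslog_server"):
        findings.append(Finding(name, "logging", "no remote syslog server configured"))

    return findings


def audit_estate(devices, **kwargs):
    """Audit every device and return all findings in device order."""
    return [f for cfg in devices for f in audit_device(cfg, **kwargs)]


# Constructed sample exports for two hypothetical firewalls (not real devices).
SAMPLE_DEVICES = [
    {   # correctly installed: newer firmware than baseline, fresh signatures, tight rules
        "name": "fw-hq",
        "firmware": "9.1.10",
        "ips": {"enabled": True, "signature_date": "2011-06-29"},
        "rules": [
            {"id": "R1", "action": "allow", "from_zone": "trust", "src": "10.0.0.0/8",
             "dst": "any", "service": "https"},
            {"id": "R2", "action": "deny", "from_zone": "untrust", "src": "any",
             "dst": "any", "service": "any"},
        ],
        "syslog_server": "10.0.5.20",
    },
    {   # drifted: patch never took, stale IPS, blanket allow, exposed management, no syslog
        "name": "fw-branch",
        "firmware": "9.0.12",
        "ips": {"enabled": True, "signature_date": "2011-05-20"},
        "rules": [
            {"id": "R1", "action": "allow", "from_zone": "untrust", "src": "any",
             "dst": "any", "service": "any"},
            {"id": "R2", "action": "allow", "from_zone": "untrust", "src": "any",
             "dst": "mgmt-interface", "service": "ssh"},
        ],
    },
]


if __name__ == "__main__":
    for finding in audit_estate(SAMPLE_DEVICES):
        print(f"{finding.device}: [{finding.check}] {finding.detail}")
```

Run against real exports, a check like this is what turns ‘we installed it last year’ into evidence: the compliant device produces no findings, the drifted one produces five, and the numeric version comparison avoids the classic false alarm of treating 9.1.10 as older than 9.1.4.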
The fact that the test subjects were ‘infected’ with an ET-call-home app, which could just as easily have been a trojan or similar piece of malware, clearly proves the case that human operators make errors.
IT systems, however, when properly configured, do not normally make such errors, so applying an IT security audit layer as a safety net makes a lot of sense.
Such a layer won’t stop human error creeping into even the most effective of IT security departments, but it will help management compensate for configuration and similar consequential problems. To err is human, but to fail to compensate for those errors is an unnecessary risk.