Security: The Problem Is that People Are Human

Carl Weinschenk

This PC Advisor story -- which focuses on the carelessness of UK Facebook members -- will depress security personnel. Facebook, of course, is worlds away from corporate applications. But not all Facebook users are teenagers and some of the behaviors described in this story no doubt are carried into the workplace.


That's a scary thought. Without getting too deeply into the minutiae of how Facebook works, the story describes how easily folks allowed access to vital information, including in some cases their mother's maiden name. The bulk of the story is based on Facebook members' reaction to a fake profile set up by security firm Sophos. Twenty percent of those who received random requests allowed access to their full profiles. The story says that 72 percent of those who allowed access also gave out their e-mail addresses, 84 percent revealed their dates of birth and 23 percent provided their phone numbers.


The key point isn't that Facebook users are careless. It's that people in general are careless. Perhaps such behavior so boggles the collective mind of the IT department that they have trouble dealing with it. Unfortunately, there are legions of folks out there who just don't get it. Some of them use corporate computer networks. Worse yet, some of them actually run the companies.


There are a number of ways that user sloppiness can hurt the organization. Phishing, of course, is one. The danger of criminals' clever ruses designed to separate people from their identifying data is evident from research done by Markus Jakobsson at Indiana University. Jakobsson -- whose work was outlined in ComputerWorld's coverage of the Usenix Security Symposium in Boston -- ran experiments that showed people are willing to trust half-signed digital certificates. While subjects did a good job of not clicking on links in e-mails, some did copy URLs and paste them into their browser, which is also potentially dangerous. Finally, Jakobsson found potential problems with credit card procedures and the willingness of professors to use university passwords to gain access to sites that didn't look like they were hosted by the school.

DogReader does a good job of describing the next phase of phishing, which is spear phishing. This is the practice of using specific information about the target to send a request for information that appears more realistic. The example used in the posting is an e-mail that appears to come from the IT department asking for an employee's security code. If done well, it is difficult to distinguish between these forays and legitimate e-mail.


Phishing is one way in which user ignorance or laziness can cause losses. Another is physical. TechNews offers several tactics to ensure the safety of laptops: Treat the device as cash; keep it locked; store passwords elsewhere; don't ever leave it alone, and be especially vigilant in hotels, airports and, presumably, similar venues such as public hot spots.


The unfortunate reality is that there are many ways in which employee ignorance, laziness, or even, in some cases, a desire to do a good job can cost a company. Perhaps the most frightening single issue, however, is that awareness of the dangers seems to be strikingly low. Combining this with the cleverness and brazenness of cyber criminals creates great danger for organizations. This drives home the need for proactive corporate policies backed by strong technology.

Comments
Aug 15, 2007 10:15 AM Graham Cluley says:

Hi. I totally agree with you that it's the "human factor" which is causing the biggest problem here - not technology. If only we could fix the squishy fleshy lump that sits in front of the keyboard with an update. That would be terrific!

By the way, the Sophos investigation wasn't just into UK Facebook users. In fact, most of the people who agreed to be Freddi the frog's friend were based in North America.

I would recommend that anyone who uses Facebook thinks carefully about who they agree to add as a friend, and reads the suggested Facebook privacy guidelines Sophos has posted at http://www.sophos.com/security/best-practice/facebook.html

Best wishes
Graham Cluley, senior technology consultant, Sophos
Sep 4, 2007 6:23 PM David Lineman says:

This is just another in the endless list of examples that show how people can always overcome even the best security technology. Awareness and training is the only way to make progress on this problem. I encourage organizations to check out the free security awareness resources at http://www.mysecurityiq.com/ including the book Information Protection Made Easy.

David Lineman
Information Shield
Author of: Information Protection Made Easy - A Guide for Employees and Contractors
