58 replies to this topic

[beardednose]

I just had a shouting match with a respected security guy over this lately after a seminar. Wondering what you think....

[as0l0]

Will you tell use which side each of you were on?

[Travis]

people most definately, you could have the worlds greatest firewall IDS/IPS etc etc in place, and all it takes is one disgruntled employee to kick the server.

[whiskah]

people most definately, you could have the worlds greatest firewall IDS/IPS etc etc in place, and all it takes is one disgruntled employee to kick the server.

<{POST_SNAPBACK}>

u might have educated your people but what if ur policies, best practices, procedure s aint up to the mark..

i guess it has to be both people and process..

[tibbar]

i think technology can go a long way to stop problems, if you lock the system down tightly, even mr disgruntled should be unable to cause harm

[bonarez]

if you were to ask whitch was the most vulnerable > people. because it is the one thing you can't control.

[nuorder]

I'd say the people are the MOST critical because you can render a secure OS useless with an incompetent admin.

And if you have an insecure OS, a competent admin would be able to implement temporary fixes or apply patches to secure it.

[MsMittens]

To me, it's people. You can create the procedures and processes and you can install the tech, but if there isn't a "culture of security" (my nifty little term for it), where people accept it, abide by it and actually improve on it, then all those procedures, processes and technology are useless.

We know that tech can't stop a social engineer nor can some procedures/processes. Educating people to understand risks, threats, etc. can go a long way for the simplest of attacks.

Additionally, keeping an open mind as to the kinds of attack vectors is important. 10 years ago (*GAH* I've been online THAT long?!!?) spyware, e-mail e-commerce phishing and worms that we see today would have never been conceived of or imagined. What will be attack vectors of tomorrow? Who knows. But keeping open about it and, even if it sounds impossible now, keep watching for it.

[belgther]

People are the biggest reason for security glitches. Because technology and processes are made by people, too, with their flaws...

[White Scorpion]

definitely people. people can f*ck up just about every system, no matter how secure it is.

also people are the creators of processes and tech so it is always people. a computer can't make a mistake, a person can (and will).

[beardednose]

Once the responses slow down, I'll share the two sides of the debate. I don't want to influence anyone's opinion (just yet).

[s3ntinel]

People definitely. Technology can only stop what is known about, Process is only useful if people adhere to them.

You will always find someone who will open a zip file attached to an email from someone they've never heard of with a content that makes little sense . When asked, they will invariably say that they wouldn't do it at home, but they thought they'd be safe . This makes NIDS and AV pointless.

BTW, I reckon that the future of security breaches will be a spam email sent to an entire company's email address space containing an exploit that'll download a trojan containing a keylogger. The trojan will then log all keypresses when the current user name appears in the browser etc and then upload it via HTTPS to a compromised site. NIDS can't touch it unless you have an SSL proxy, AV won't detect it if you use a keylogger with a "Legitimate commercial purpose" and you'll have the keys to the kingdom!

What process or technology will stop that? None, only education will mitigate against the threat.

[da_cash]

in my oppinion most common reason for security breach are lazy, curious or not properly educated people...

people use easy guessable passwords, open dangerous files in emails without checking it first..

for example just create a page which contains the words "DO NOT ENTER HERE"
and you'll be surprised how many pplz will go there

[Pazort]

It cannot be disputed that ALL of these are essential to creating a secure environment, but the most important would certainly be people.

Technology can go a long way to limit the damage people may inflict onto a potentially secured environment, but there may always be a degree of social engineering or perhaps a case where a disgruntled employee quickly learns how to counter your defenses from the inside, which would still leave you extremely vulnerable. In addition, many people are entirely overconfident with their knowledge of computer systems. It is not uncommon that a person would feel they know exactly what they are doing and what all the consequences are simply beacause they are proficient with an application.

Technology cannot be underminded, however. It is essential to be up to par constantly to defend yourself even against physical attacks, and without proper policies in place, mistakes are likely to be made, leaving your systems wide open to potential attackers.

[tibbar]

clearly a disgruntled employee determined to cause trouble is going to be a problem.

my point is if you use a secure OS with limited privledges for users, strong firewalls + IDS and a good backup policy on data then it is actually quite difficult for someone to cause a problem on the network.

even if someone is fooled into running a dangerous attachment, visits a spyinfected sites etc, the limited privledge account will prevent any serious damage taking place.

the ids + firewall will stop 95% of lan bypassing backdoors.

so my point is that people are always a weak point, but with careful use of technology we can limit the damage people can cause - e.g. losing a password to a limited privedge account is not such a terrible thing.