This is going to be a long reply, so hold onto your fedoras. I'll have to do this in pieces.
My vote: People are the most important aspect of security, and usually the most neglected.
Think about it this way:
One of the reasons we invented technology is because people are so naive and forgetful (read: stupid and lazy).
The technologist that I was debating said that he felt technology plays a major role in security. Every reason he gave ended up depending on people.
I gave him 3 nosey reasons why people are more important than technology:
1) The software and hardware that we often depend on is often misconfigured (or not configured!) or crashes. In this case, technology can't help you.
2) People can turn off the technology or otherwise render it neutral. Example: sharing your password, turning off antivirus or the firewall, etc.
3) Too often, there is NO technology to protect you. When you get that social engineering phone call or the phishing email, there's no voice in the background or popup window warning you to be careful! de nada!
A few responses to your comments....
I think the most important thing here is IF you can enforce policy.
Exactly. People are required to enforce the policies (they write them too).
Improve technology, it's the greatest defense and the most reliable of the three variables.
No way. Same as above. People create and implement technology. If the people are bad or uninformed, you end up with poor technology. Also, people can render good technology useless---Bruce Schneier constantly warns that you can take good crypto algorithms and implement them in a way that decreases security and results in poor crypto.
Technology is only as reliable as the people who created it (beat that drum, baby!), and even then, they can't cover all the bases, so attackers undermine it.
Security is all about the weakest link. The weakest link in the above is the human element. Social engineering doesn't require high tech skills and works very very well.
The reason social engineering works so well is because THERE IS NO TECHNOLOGY involved! That's why training people is so important. You might say that proves the tech point, but history has shown even when protected by technology, either point #1 or #2 happens, or in spite of technology, the attack succeeds.
Well, I think if your system got hacked it's 80 % the fault of the admin of the system.
Because if you always update your system, firewall, anti-virus, etc., don't click on bad links and choose safe passwords, it's very sure that you won't get hacked.
But social engineering bypasses these. IT is not immune to this. Same song, third verse.
People do follow VERY closely, but it's something that cannot be controlled, user education maybe, but people in my opinion are a dead option... The more I think of it, it's a toss up between them.
You can't control people, but you can control what they do.
Invite me to your planet sometime. I envy you! I haven't experienced that at all. While you can change policy and replace technology, the biggest change impact can be had by FIRING PEOPLE. When you fire or discipline someone for not following policy (or whatever), the word spreads and other people are impacted.
When I trash one technology for another or revise a policy, none of the other techs or policies are offended or run for the hills.
THE BIGGEST and CHEAPEST IMPACT ON A BUSINESS can be had by FIRING PEOPLE for doing stupid things. Yes, there's lawsuits, but want to improve compliance and raise morale? FIRE A MORON!
But I can see the other side of the coin, policies and hardware are only defence, people tactics are offence... Using IDS and Policies will only be one step behind the threat, always, whereas controlling the people will allow you to avoid the problem in the first place... Prevention is better than cure.
Well, technology can report intruders and deny them access, but I don't see that as a true offense.
For example, just create a page which contains the words "DO NOT ENTER HERE"
and you'll be surprised how many people will go there.
I clicked the words and nothing happened.
The debate ended when I asked my new friend a simple question:
"How come, on the XP box on which you gave the presentation, you didn't have any agents running in the task bar except for PGP?"
"I don't need them," came his reply, as a huge smile peeked out from my heavily bearded face.
"My point exactly," I said.
Game, set, and scratch........