Information Security Improving with time?

I ran across two interesting articles today on a website called  One was an Interactive Timeline to Breaches at US Financial Institutions so far this year. When I came across this article I wondered how it compared to a similar timeline for 2009. The biggest breach in 2009 for a financial institution was the Heartland Payment breach in January of last year, where 130 million records were lost, while the biggest number of records lost so far this year is 1.2 million. If you take out the top two breaches, it was interesting to see that January and February had about the same number of breaches, but in terms of number of records lost it looks like 2010 wins.

This brings to mind a couple of questions. First, with security becoming more recognized, why are breaches happening at the same rate? This could be for multiple reasons, the first of which being that the hackers are getting more advanced. While I don’t doubt this, I believe the answer is much simpler. If you talk to any security professional, they will say the biggest threat to any company is people, or Social Engineering. You can have the most advanced security controls in place, but if people write their password on sticky notes and put them on their desk or computer, then no security controls will ever help.

Now I am not saying people are the downfall of security and you should never trust your employees, but it is something that needs to be considered in any business. Businesses need to educate people on not only basic security practices but why these practices are important. Train people not only how to create a secure password but how to recognize someone trying to talk their way into a business. Social Engineering causes more problems for companies than someone hacking their way into a company’s secure servers because it is easier. With just a phone call you can try to get someone to reset a password on an account and therefore give you access into a system. If you want to learn more about social engineering, Kevin Mitnick has a great book out called The Art of Deception: Controlling the Human Element of Security.

Now I am not the most experienced security person, so any thoughts or suggestions are appreciated. What do you guys think? If you are in the security field, how do you combat this problem, and if you aren’t in security, how do you feel about being trained on basic security practices by your company at regular intervals? Do you think it helps? Why or why not?

4 thoughts on “Information Security Improving with time?”

  1. Hello Sir,
    This comment is written with respect for your thoughts.
    Really good point referring to “Social Engineering”, I must say; but I still don’t get it, like you explained how people foolishly give away their passwords. I don’t think people are that dumb to give away their passwords over a phone and ask the other person to take control over their account/machine, unless the other person is from the same company and he/she is from the IS (Information Security) team. I feel we can consider Social Engineering the last factor for a security breach. We still have bigger problems like phishing and hacking. Talking about phishing, it’s the easiest way to get a particular user’s information. We just have to build a look-alike page, and its scripting can be done by PHP; get a .txt file and code the server script in such a way that when the user puts in the essential login information to access further, the credentials get stored in the .txt file we created. All we need is a PHP page with the server script and a .txt file to store the credentials, and we need to upload these 2 files on a server and send the server’s link to the user whose information we want.
    Now this concept is increasing, and surveys have said phishing is far more dangerous than hacking, as hacking involves tools, the network layer etc. We need to bypass many security tools to get inside a system for hacking.
    So according to me, we can give social engineering as one of the factors of a security breach but not the main factor.
    With Best Regards,
    Nilay K Sangani

  2. Nick Malone says:

    Great point Mike. Security professionals and businesses alike need to be more aware of the human factor in information security today. A well trained and aware staff will go farther towards ensuring the security of your information assets than any technical controls.
    I used to write down my passwords. I really try not to nowadays, but when I need to have a 44 character password that changes every 7 days, it gets tough to remember (exaggeration).
    Furthermore, I believe that phishing and other scams like the Nigerian Prince (who still owes me a $million BTW) are all considered forms of social engineering. Now correct me if I’m wrong, but these things are generally targeted at customers, not businesses?

  3. Yeah, that is very true Nick. I would say that the threat of a phishing attack on a regular consumer is greater than to a business. But that also brings up the problem of businesses having to deal with both. Nilay, I would agree that it is easier to get someone to fall for a phishing attack, but from experience people want to be trusting, so if someone calls pretending to be an IT person for the company and wanting them to install some program that is needed, there are still a lot of people that would do it. Hence the need for better education of users.
