Wednesday, September 17, 2008

Security @ its core - The Human Factor

Kevin Mitnick was and is a wonderful hacker who really demonstrated the human factor in the world of information security. There are many other books and movies that explain the same. Why is it still a major factor in insecurity? Well, this has been the case for almost 10,000 years, that is, ever since humans started trying to keep their stuff for themselves.

Security is not required if people do not want to have things for themselves. If countries shared all their wealth, and if people let anyone come into their houses and did not account for any products or property that they have, then security would not be essential in such an environment. But that is not human. That is where security comes into play in various forms.

Social engineering has played a great role in pointing out the human factors and weaknesses in information security. Having read or seen this in many articles, why is there no such thing as complete security? That is because humans by nature have weaknesses and ties to something or someone that is valuable to them. For example, people with secret or top-secret clearance do not share their work or work-related data with any of their family members, since the first target any bad guy would go after is someone or something that is valuable to you, which could put the nation's security in jeopardy. In general, reconnaissance and scanning are part of social engineering, though enumeration is the phase in which you would put the meaningful parts together.

Does this mean that people who are in InfoSec or cyber warfare do not have any family ties or ties to anything valuable to them? Or does this mean that information security can never be complete as long as it involves a human? Think about it...

- EF
