The IT department of an organization often spends considerable resources keeping up to date on the security risks associated with hardware and software weaknesses. However, the people responsible for security often forget to stress the highest security risk by far: uneducated users.
Why would a cracker spend a lot of resources breaking into a network and installing a malicious program when he or she could simply persuade a naïve user to install it? Too many users do not check programs for viruses and trojans if they appear to originate from a reliable source.
Spoofing a reliable e-mail originator, for example, is quite an easy task for any competent IT person. Most users will not notice that the e-mail is spoofed.
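Users rarely read headers, but a mail gateway or help desk can. The following is an added example, not part of the original article: a small Python check that flags a message whose visible From domain disagrees with the envelope sender (Return-Path) or whose SPF/DKIM results, as recorded by the receiving server in an Authentication-Results header, are anything other than pass. The two sample messages, the domains in them and the indicator names are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: visible From claims the local IT department, but the
# envelope sender is a different domain and SPF failed at the receiving MX.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: IT Support <support@example.org>
To: user@example.org
Subject: Please install this update

Please install the attached update.
"""

# Constructed sample: envelope sender, From domain and authentication results all agree.
GENUINE_MESSAGE = b"""Return-Path: <support@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: IT Support <support@example.org>
To: user@example.org
Subject: Maintenance window

The server will be down on Friday.
"""


def header_domain(addr):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect 'method=result' pairs (spf, dkim, ...) from Authentication-Results headers.

    The first ';'-separated field is the authserv-id and is skipped; each later
    field starts with a method=result token followed by optional properties.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";")[1:]:
            token = part.strip().split()[0] if part.strip() else ""
            if "=" in token:
                method, result = token.split("=", 1)
                results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw):
    """Return a list of indicator names; an empty list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    # A mismatch between the displayed sender and the envelope sender is the
    # classic sign of a forged originator (legitimate bulk mailers also do this,
    # so treat it as a flag for review, not proof).
    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    if rp_dom and from_dom != rp_dom:
        indicators.append("from-returnpath-mismatch")

    # Only trust results written by our own receiving server; anything but
    # 'pass' (fail, softfail, none, ...) gets reported.
    auth = auth_results(msg)
    if auth.get("spf") not in (None, "pass"):
        indicators.append("spf-" + auth["spf"])
    if auth.get("dkim") not in (None, "pass"):
        indicators.append("dkim-" + auth["dkim"])
    return indicators


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, spoof_indicators(raw) or "no indicators")
```

In practice the Authentication-Results header must come from your own inbound gateway; a sender can insert a forged one, so gateways are normally configured to strip any copy arriving from outside before adding their own.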
Consider another scenario. A person comes to an organization and presents herself as a representative of the company that supplied the new PCs some time ago. She explains that a major bug has been discovered in the preinstalled software, and says that her company is now going to correct the problem on all the PCs in question. Unless the organization has a policy for such a situation, chances are quite good that she will be able to access the PCs and the network, and probably obtain some users' passwords as well.
Social engineering is probably the easiest and most effortless way to get unauthorized access to an organization's computers, networks and information.
Thus it is important to educate users to be aware of the risks involved. Some basic rules are:
Per Olav Førland