Tuesday, September 22, 2009

The Biggest Threat to Information Security (IMHO)

We had a 3-day information security training last week. It was good, but some of the things that were discussed only served as a reminder or a review. The training room itself was large enough for the participants, the instructor looked confident (most of the time) and took time to answer questions and gave a few exercises. Breakfast, lunch and snacks were also served.

We were also introduced to a number of online and offline tools for data gathering and penetration testing. Live demos, such as the use of Cain and Abel, were given enough time so that we could get our hands wet and learn in the process.

The use of good passwords was also discussed and emphasized. Pointers and tips on how to spot fake or malicious emails were explained after giving sample emails that we could work on.

The importance of data encryption was also talked about during the training; PGP was mentioned as an example.

It was also pointed out that the human factor must be considered one of the weakest links in information security. No technology or any piece of hardware can provide security if humans make mistakes or when they deliberately and knowingly reveal confidential information. This is where proper education and training come into play.

The difference between vulnerability assessment and penetration testing was also discussed. Choosing a PT vendor was also given importance. It was pointed out that the security certification of any penetration tester is worth considering but should not be the primary basis for selecting a particular vendor.

We also had an interesting and lively discussion about the computerization of our elections. We heard a lot of different opinions and views about the issue. I pointed out that it is not enough that the proposed system itself is secure and hacker-proof; the people behind the system should be trustworthy and cannot be bought with any amount of money. Again, the human factor should be considered here.

After the training, I realized that there is no such thing as a secure system; it simply does not exist. Computer systems are designed, built, maintained and managed by imperfect humans who err every now and then. Human nature is the biggest threat to information security.
