Kevin Mitnick, the legendary hacker, once said, “People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices – and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.”
Take the recent WikiLeaks episodes as an example: the real danger lies in vulnerable people. A cyber war has already started between WikiLeaks supporters and opponents. Website after website is being DDoSed. Losses of millions of dollars have already been reported. The leaked documents have started to create friction between some governments. The real impact of all these incidents cannot be predicted. One thing we can be sure of, however, is that wars never bring anything good to humanity, whether cyber war or conventional war. History teaches that very well.
So, who are the vulnerable people? What can we do to stop them?
The answer to the first question is: everyone. We are all vulnerable, nobody is perfect, and there will always be some weak points which can be exploited. The behavior of these “biological machines” can change for any number of reasons: emotional, physical, political… We humans are quite unpredictable. Even though our science and technology have mapped the human genome and we are in the process of uncovering the secrets of the human brain, it may take decades to fully understand ourselves and predict our behavior. As long as we remain a mystery, more episodes such as WikiLeaks will happen, without a doubt.
Now, the second question: how do we stop vulnerable people? The first step is to identify them. Well, who is vulnerable? As I said before, everyone. So, what could we do to reduce the risk?
That is a tricky question.
We know that no matter what controls you put in place, risk can never be fully eliminated. There will always be some residual risk which you will have to accept. When considering the danger from people, you are left no choice but to be optimistic and trust your controls.
However, you can continuously try various methods to reduce the likelihood of people executing their malicious intentions. If you can design foolproof processes and reasonably good monitoring and reporting controls, you should be able to reduce that likelihood to an extent. But is it possible to design a foolproof process, and is it worth putting so much of your money into monitoring and reporting controls? That is a question you need to ask yourself. It all depends on the criticality of the information you are trying to protect. Whatever decision you take now will decide the fate of the information and ultimately of all your assets.
You may ask now, “Are you telling me that lack of proper monitoring controls and foolproof processes resulted in incidents like the recent WikiLeaks episodes?”
I can say neither yes nor no. A thorough analysis would be needed to find the root cause and then learn from it. There is always room for improvement. Security is a process, a continuous process. There is no full stop. Learn from your mistakes. Governments and organizations have started to think of yoga, Art of Living and similar mental health programs as part of their security program, to help their employees be mentally healthier and thus reduce the chances of their turning malicious. You can try any approach that you think could help. Security is nothing but common sense; use it well when finalizing your control objectives and selecting your controls.
One last point I would like to mention is the importance of security awareness training. Sometimes innocent people are used by an attacker through simple social engineering tricks; they might not even know that they are doing something that could compromise the overall security of your organization. So all of your employees, top to bottom, must know your information security policies and must receive adequate awareness training. Also try to set up an anonymous reporting option to encourage every employee to report anything they find suspicious.