Information Security: A Coherent Approach - Vulnerability continued
(Page 3 of 4 )
Compounding the problem of vulnerabilities caused by the human factor is a widespread tendency to place excessive trust in computers to do the hard work of managing security. This attitude is especially common among non-IT personnel, who ironically are the most likely people to underestimate the potential severity of a threat or the ingenuity of the perpetrator of such a threat.
Most people consider themselves immune to social engineering. This indicates that the second primary area on which many organizations should focus their security efforts is education. The benefits of investment in this area will, in most cases, outweigh those of increased investment in updated systems or improved security controls.
The third and final vulnerability group is that of system design. All but one of the factors in this group is software related. The exception is security bugs at the microprocessor level, which can open the way for hackers to subvert trusted kernel routines. At the software level, the key issues include software bugs and flaws, excessive system complexity, and the risks presented by legacy systems and platforms.
Clearly in many cases it is beyond the ability of an IT department or system administrator to combat such issues, especially, for example, where there are flaws or bugs in commercial software. Microsoft inevitably attracts much criticism in this department, but they are by no means the only guilty party.
Most commercial and open source software requires updates and patches, and the TCP/IP stack on which virtually all networking is based is itself vulnerable to attack. However, it is often possible to reduce the complexity of systems and, with the appropriate will, dependency on legacy systems can also be addressed.
