Information Technology (IT) managers are constantly tasked with evaluating their organization’s overall security posture and reporting the greatest vulnerabilities to leadership. Senior management is often surprised to hear that the greatest vulnerability within an organization is not a misconfigured firewall or a virus being forwarded across an internal e-mail server, but rather a human being. When compared to a piece of hardware or software, a human user is easily the single most targeted weakness within an organization.
Defining the Human Vulnerability
Charles and Shari Pfleeger define a vulnerability as “a weakness in the security system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm” (Pfleeger & Pfleeger, 2007, p. 6). Hackers and other malicious entities often target humans as the weakest link in a security system because their decision-making process is much more complex than the “yes/no” or “on/off” logic of a computing system. Quite simply, the fact that humans are often careless, emotional, forgetful, and mistake-prone makes them excellent targets. Because of this inherent nature, human beings are easily manipulated or exploited by adversaries seeking to seriously damage an organization’s assets. The human vulnerability ultimately takes shape as the sum of a broad collection of weaknesses, including a lack of security awareness, irregular or inconsistent training and education programs, and the absence of auditing.
Security Awareness
Individuals who are unaware of the basic tenets of safe computing are an enormous vulnerability to an organization’s assets. Users who lack a solid foundation in security awareness may pract...
...riculture Office of the Chief Information Officer. Retrieved February 26, 2011, from http://www.ocio.usda.gov/directives/doc/DM3535-002.htm
Schneier, B. (2005, December 19). Insider Threat Statistics. Schneier on Security. Retrieved February 26, 2011, from http://www.schneier.com/blog/archives/2005/12/insider_threat.html
University of Maryland University College. (2011). CSEC 610 CyberSpace & CyberSecurity – Module 2: The Vulnerability of Organization Networks and the Internet. Retrieved from http://tychousa9.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1102:CSEC610:8480&fs_project_id=304&xload&tmpl=CSEC610fixed&moduleSelected=csec610_02
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publishers.
Wiles, J. (2005, Spring). Social Engineering - The Mother of All Trojan Horses. IA Newsletter, 7, 6-7, 12.
However, I feel users had a different vision/perspective on security mechanisms: they trusted each other during those times and did not have to worry about protecting their information (this is exactly how one person’s ignorance becomes another person’s, here the hacker’s, bliss). This book helps us to understand the vulnerabilities, their impacts, and why it is important to address or fix those holes.
The term social engineering refers to an intrusion that is non-technical and results from human interaction. The attacker uses trickery to gain the confidence of an authorized user, tricking them into giving up information that the attacker can use to gain access to systems and bypass normal security procedures. Much of the time authorized system users are unaware that they have access to important information, and attackers prey on these types of users, who they know can be careless about protecting it. The greatest threats to security systems today are the result of social engineering. (Rouse, 2006)
Advances in technology have evolved at a phenomenal rate, unpredictable to humans only a couple of decades ago. While we may not be flying to work in our jetpacks or being tended to by our robotic butlers, we have successfully created social networks capable of connecting societies at a single tap of a screen. In a matter of seconds human beings are capable of posting, tweeting, and liking ideas with millions of people connected throughout the globe. With the aid of social media, “memes” have become more and more successful at replicating. “Everything that is passed on from person to person is a meme” (Blackmore), and through social media people can share anything from what they just ate for breakfast,
Social engineering is the ultimate way to hack a password or get the things you want, and it is how most people get into accounts like G-Mail, Yahoo, MySpace, Facebook, or other online accounts. Most people think that to hack a password you need to be computer savvy. This is not the case; those people are crackers. They use custom code or programs to break the passwords. The best way is to use social engineering, and I will explain later in the paper why. Before I go any further into this paper, note that this information is for research and to increase your knowledge and awareness about security. Also, I hope it will teach you what to watch out for.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In addition, a Chief Information Officer should be appointed to direct an organization’s day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations’ information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
There are countless stories of companies falling victim to sophisticated social engineering attacks by some of the best cybercriminals. The war against companies and cyberspace marches on. It is important for organizations to understand what social engineering is, the various types of social engineering attacks, the reason for
The user domain can be a very large security hole that is not easy to cover. Helping people understand the value and reason behind certain security requirements can help close the gap, but it is something that needs to be continuous. One threat which people of a company face is social engineering. The
In reference to computer science, physical security is one of the most important accomplishments a business can achieve. Due to the advent of the modern technical age, all of a company’s records are held on its data systems. First and foremost, theft or loss of historical records and accounting data would instantly cripple an enterprise and could very well lead to its ultimate demise. The high-profile news reports of just the last decade verify that. Hackers stole the financial records of several banks, which included the personal information of thousands of customers. The same happened to the Veterans’ Administration when an employee’s laptop was stolen off site: on the computer’s hard drive were the all-important Social Security Numbers of hundreds of thousands of veterans and their families. By comparison, a financial institution goes to stark measures to ensure the money and securities stored there are safe. Not only are there outside locks on the doors and an elaborate alarm system, there is a fireproof steel vault with the finest timed locks available. Most often, the valuables are further stored in locked boxes inside that vault. Just like that bank, an organization must strive to make physical security a priority. However, simply locking up the data and equipment is far from sufficient. The information technology also needs an “alarm” of sorts, so that the company’s police, the information security specialists, can identify the threat and diminish or eliminate it.
The internet offers high-speed connectivity between countries, which allows criminals to commit cybercrimes from anywhere in the world. Because of the demand for the internet to be fast, networks are designed for maximum speed rather than to be secure or to track users (“Interpol” par. 1). This lack of security enables hacker...