Human Overconfidence
History shows that we tend to rely too much on the claims that operating system vendors and business software vendors make. New systems sell themselves as being more secure and more fail-safe than their predecessors. While this is undoubtedly true, one must remember that at every release of each operating system and business software product throughout the years, vendors have made the same claim, over and over again, year after year. This has never, however, deterred hackers and other malicious individuals from researching and executing attacks against newer systems.
A case in point is Microsoft Windows Vista, which by the end of 2007 will hit 10% market share, with a projected 30% adoption rate expected by the end of 2008. Microsoft Windows Vista is not only a new operating system; it is also a new user experience. While this system is much more secure than its predecessors, its users are still the same as before, and therefore they remain the path of least resistance in the average network environment. Through social engineering, security features such as the new User Account Control can be easily circumvented by duping users into installing software that is insecure or tainted with malware.
Humans’ misplaced trust
Trust should be earned, not automatically afforded. Dangers to business do not lie only outside the business perimeter; recent history shows that insider attacks cost businesses as much as, if not more than, attacks originating from the outside. Insiders have their own advantages, for they have an intimate knowledge of your network and its inner workings. In 2008, the ever increasing proliferation of portable storage and communication devices (iPods, USB drives, USB WiFi cards, etc.) will greatly facilitate data theft, logic bombs and other forms of sabotage that can throw your business back to the Stone Age. Yet again, while it might be easy to put the blame on such devices, it is not the devices that are at fault; once again, technology is a neutral entity. The real fault lies in the use made of such devices – banning them will simply not work, because you cannot rely on voluntary compliance, supervision is too laborious, the devices can be easily concealed, and you will only create dissent.
Human lack of knowledge
When it comes to network security, ignorance is neither bliss nor an excuse. In 2008, a lack of basic security principles and a lack of knowledge of the trends that malware, spyware, spam and other threats are following will greatly contribute to the downfall of network security. This is most often due to a lack of time or resources to research security principles and trends, an issue that translates into a firefighting approach to network security: reacting to incidents only after being hit.
This is, once again, a human issue. Malware does not evolve on its own, in a vacuum. The reason malware evolves is greed – hackers and other malicious individuals today create targeted attacks not to cause havoc but for financial gain. Targeted exploits that appeal to inquisitive human nature in order to make people click on a tainted link will become more and more commonplace. This makes them far more dangerous than ever before, and makes the lack of knowledge even more critical. Limiting human inquisitiveness through a blanket ban on access to resources will also backfire, since it creates both dissent and boredom, both of which hamper productivity.
Human gullibility
Being gullible does not only make you the butt of jokes; it also exposes you to a myriad of network security threats. In 2008, targeted email spam will continue to evolve, with newer and more novel attempts to breach network defenses using social engineering. These will extend beyond email and attempt, for example, to compromise VoIP infrastructures through denial of service attacks, SIP vulnerabilities and SPIT (Spam over Internet Telephony) attacks. In 2008, an increase in the number of attacks targeted at specific individuals or businesses is also expected, and it is highly plausible that the perpetrators of such attacks will use social engineering to obtain the confidential information that enables them to gain access to your systems.