Last week there was a rather detailed post on the attack at RSA. It is well worth a read because I think many of the techniques employed in the RSA attacks have been or will be employed against ESPs.
Early in the article, the author asks a question.
These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?
It tells me that the weakest link has been and always will be the humans. And, let's be honest, for all my ranting about how ESPs are behind in the realm of security, if a company as security conscious and aware as RSA can get cracked like this, none of us are safe.
I’ll be honest, I don’t know what the answers are. Security is not my area. I do know we have to do better.
Laura,
I think organizations need to educate the end user more. You would be surprised how many people just don’t know, and if WE the industry and WE the employers spend more time educating our employees, I think we would be much safer. Hackers tend to be smart enough to find the easiest way to breach something, and as we all know that’s us! Social hacking 101!
While I agree with the previous commenter that organizations may need to put more of an effort into user education, I do believe that it is too easy to see this as the solution. Humans are… human. They make mistakes, they may be tricked into doing something they shouldn’t, despite the fact they have been taught otherwise, perhaps even because of it*. I think first and foremost, we should know that, as you put it, “none of us are safe”. Secondly, systems should be built so that users cannot do things they shouldn’t do, even if they tried.
* A lot of phishing scams use the fact that users are wary of scams to trick them into doing something. We have been telling users for years to be wary of messages from a company you deal with that do not mention your name. This adds implicit credibility to messages that do contain your name, and the Epsilon leak may mean an increase in such messages.
+1 @Martijn: I work in an organization that puts a security manual on everyone’s desk, makes you sign yearly that you’ve read all of it, has walls covered with security posters and annual security refresher training, and an information systems security person in every office, and the security is still really not all that much better than other places I’ve worked.
Security is a system, and the humans are always the weak link in that system, so it makes sense to put a lot of effort there, but there are other factors involved in that system that also require some effort.