At times I laugh when I see companies, banks, educational institutions laying so much emphasis on the deployment of firewalls, anti-virus, server room protection e.t.c. Yes firewalls, anti-virus are good but without a comprehensive information security program in place all these security technology tools will only provide a false sense of security. When we start thinking about information security, we need to think about security as a system not a single technology. Let Us take a Hypothetical Scenario A company has over 5 million clients. It has an e-business website. It has deployed firewalls, anti-virus solutions and other vendor security solutions. It conducts 90% of its business through its e-business website. A Hacker studied the situation and asked; how do i get at this company? What is the weakest link in the companies information security model? Why the weakest link? The hacker knew that going through the firewall, the intrusion detector systems would take him time which he was not willingly to spare. The hacker found out through painstaking research and study that the over 5 million customers were the weakest link. The attack followed; - A fake website of the company was created.
- E-mails were sent to the company's over 5 million customers.
The E-mail read. Dear customer, We have deployed new security solutions that will help increase the security of conducting business with us through our website. Please kindly enter your contact and billing details, by clicking on this link. www.wilbroser.com/details.html. Thanks for your cooperation. Yours faithfully,
Alex Brown
Head of IT
Result of the E-mail Out of the 5 million customers, 3 million of them clicked the link and reentered their contact and billing details. The remaining 2 million felt indifferent and didn't respond to the mail. The credit card information of over 3 million customers was stolen. Why did the Hacker Target the 5 Million Customers of the Company? The hacker found out that to commit e-fraud, it will take more effort and time going through the firewall, anti-virus and the other security solutions of the company. The thought of the weakest link came. The company has never embarked on a security awareness training program for customers. A lot of emphasis has been on staff and security solutions. The hacker identified the customers as the weakest link. Having identified the weakest link , the attack was launched. Why Was the Attack Successful? 1. The over 5 million customers. None could tell the difference between a fake copy of the company's website and the company's website. 2 The customers could not tell if the company sent mails to customers when there is an upgrading of their information technology infrastructure. 3 The customers could not tell the difference between a fraudulent mail and a mail coming from the company. By reading this article, you will hopefully be convinced that your information security model goes beyond the use of any single piece of technology. Most people clearly understand the need to secure their information assets. Unfortunately, this high priority generally leads to technology that drives the security. While I will never be one to argue that a firewall is not a good idea to include in a security model, this is not the proper approach to creating an information security model. It creates a security model that is built around what security a particular device can provide, rather than the security the organisation needs. I counsel my clients that, instead of talking about hardware and software, the first order of business should be to create an information security policy. A security policy is a high-level statement of principle and describes the needs of the organisation. Once we know what we need to do, we can then discuss the information security model. The Information security model is the actual hardware, software, and configuration guidelines that will be used to enforce the policy. Most e-frauds in this age will come through the weakest link in the information security chain. Identify your weakest link now. |
