By Tiziano Modenese
Network Security Specialist
& Training Manager
April 23 2019
“People represent the weakest link in the security chain and are systematically responsible for the failures of security systems”, as Bruce Schneier declared in his book “Secrets and Lies: Digital Security in a Networked World”. Mike Danseglio, former Program Manager at Microsoft Security Solutions, put the same thought more bluntly: “Phishing is a big problem because there’s really no patch for human stupidity.”
And the numbers actually seem to be on their side: according to a study by IBM, 95% of the security incidents it analysed in 2014 were attributable to the human factor. After the recent innovations in security tools, it has become clear that they do not work so well if they are not used properly and if a security culture is missing. This is the challenge that has been launched to fill the gap in cyber security: train people in order to reduce the data breaches that technology alone cannot prevent.
From a purely technological point of view, the main technology vendors have focused their efforts on creating products that represent a real revolution for those in charge of security. A classic example is the firewall, which no longer limits itself to enforcing access rules and performing IDS/IPS functions: it also acts as a WAF (Web Application Firewall) for web protocols, collects events from other network elements, and performs behavioural analysis and packet content inspection.
And who knows how many other functions it will take on in the future!
Nowadays there is an actual social engineering industry, which leads users, even well-prepared ones, to click where they should not or, more generally, to carry out unauthorised actions. And despite the many technological tools that help mitigate these actions, from SIEM (Security Information and Event Management) to the various UBA (User Behaviour Analytics) products, the pivotal element still remains human intervention.
The most classic phenomenon is still phishing (yes, we have all won a free iPad, or been threatened with the closure of our bank account if we did not click on the link and enter our credentials), but it is not the only one: the technique of cyber squatting is spreading more and more, which consists of… No spoilers! It will certainly be the subject of one of the next articles.
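To make the two lures above concrete, here is an added example (not part of the original article, and not a product the article describes) that triages e-mail messages on exactly the indicators the paragraph names: a prize lure, a threat of account closure, a link that asks for credentials, and a link whose visible text shows one domain while its href points to another. The three messages are constructed for the example; the keyword lists, thresholds and all domain names are assumptions chosen for illustration.

```python
"""Phishing lure triage on the indicators named in the article (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not real mail). Domains are illustrative only.
SAMPLES = {
    "prize": {
        "subject": "Congratulations! You won a free iPad",
        "body": '<p>Claim your prize within 24 hours: '
                '<a href="http://ipad-claim.example.net/login">apple.com/prize</a></p>',
    },
    "bank": {
        "subject": "URGENT: your account will be closed",
        "body": '<p>We will close your bank account unless you '
                '<a href="http://secure-bank-verify.example.org/signin">verify your credentials</a> today.</p>',
    },
    "benign": {
        "subject": "Team lunch on Friday",
        "body": '<p>Menu is on the intranet: '
                '<a href="https://intranet.example.com/lunch">intranet.example.com/lunch</a></p>',
    },
}

# Assumed keyword lists: a real deployment would tune these per language and organisation.
PRIZE_TERMS = {"won", "free", "prize", "claim", "congratulations"}
THREAT_TERMS = {"urgent", "urgently", "closed", "close", "suspended", "unless", "immediately"}
CREDENTIAL_TERMS = {"login", "signin", "password", "credentials", "verify"}
# Display text that looks like a URL or bare domain, e.g. "apple.com/prize".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain string."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def analyze(message: dict) -> dict:
    """Score one message; 'suspicious' means at least two independent indicators fired."""
    plain = re.sub(r"<[^>]+>", " ", message["body"])
    words = set(re.findall(r"[a-z]+", (message["subject"] + " " + plain).lower()))
    parser = _LinkExtractor()
    parser.feed(message["body"])

    indicators = []
    if words & PRIZE_TERMS:
        indicators.append("prize lure")
    if words & THREAT_TERMS:
        indicators.append("threat/urgency")

    asks_for_credentials = False
    for href, shown in parser.links:
        if any(term in (href + " " + shown).lower() for term in CREDENTIAL_TERMS):
            asks_for_credentials = True
        # The classic trick: the text shows a trusted domain, the href goes elsewhere.
        if LOOKS_LIKE_URL.match(shown) and _host(shown) != _host(href):
            indicators.append(f"link text {_host(shown)} hides {_host(href)}")
    if asks_for_credentials:
        indicators.append("credential entry link")

    return {"score": len(indicators), "indicators": indicators,
            "suspicious": len(indicators) >= 2}


def triage_all() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: analyze(msg)["suspicious"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, analyze(msg))
```

The "bank" message shows the limit of this kind of tooling, which is the article's point: its link text is plain English rather than a fake domain, so the display/href mismatch check never fires, and the verdict rests on keywords an attacker can simply rephrase. A trained user who notices that the credential page lives on an unfamiliar domain catches the variant the script misses.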
The biggest problem is that these are not malicious users acting with the precise intention of harming their company, but users who act unknowingly.
It follows that the range of potential fronts to defend against grows considerably. It is therefore fundamental to invest in the education, one might say the ‘literacy’, of people in terms of cyber security.
Fortunately there is no shortage of good news: the real situation, and its extent, is becoming clearer and clearer. The cyber security frameworks created by the most authoritative bodies, such as NIST, CIS and “our” CINI, assign “high priority”, the maximum level, to the control on staff training. And they go further, requiring continuous and recurring training for staff. That is precisely the key concept they want to summarise: technology still shows obvious limits, and today’s systems are still built and used by people, which underlines how important the human factor still is in companies, as in the IT world in general.