Does anyone else remember that AWESOME TV game show that aired in the US in the early 2000s? It had that delightful British woman who would gaze at the contestants with only slightly disguised contempt, and then send the least intellectually capable off with a dismissive nod and a wonderfully throaty: “You ARE the weakest link!” That was a great show. But I’m not sure it really taught us anything. Because in today’s scary cyber security climate, it turns out that all of us – the humans – are “the weakest link.”
We’re obviously the weakest link when it comes to writing software. As an old developer, I used to say that software isn’t buggy – people are. We code this stuff. We are the ones who make it buggy. We are the ones who don’t know the security holes and don’t plug them before we send this stuff to production. So, we can’t blame the software. We have to blame ourselves. Because we are the weakest link.
With software bugs, at least there are tools that can help protect us. Technologies like WhiteHat Security’s Sentinel Source scan source code for security vulnerabilities before it goes into production. If we make a mistake and send a vulnerability to production, WhiteHat’s Sentinel Dynamic can find it, and help you mitigate and remediate. We can at least protect, to a certain extent, the damage caused by the human weakest link.
But what about the things no automated tool can possibly find? Those things that even the most incredibly talented WhiteHat hackers can’t protect against?
What about the people who talk too much, too loudly, and share way too much information? What about THOSE weakest links?
Last week, I encountered two really bad weak links. Both of them in Delta SkyClubs – one in Tampa, and one in Atlanta.
The guy in Tampa gave me so much information about his email address, company, and the domain to which he was trying to connect that I could have taken over his account – if I were a lesser person, of course. He was on the phone with his help desk, lamenting the fact that he couldn’t log into his corporate email. He shared with the entire SkyClub his email address, his logon id, the domain to which he was connecting, and his company name. He also shared with us the fact that he had no problem connecting before he tethered his laptop to the physical network the day before. Oh, he also mentioned that they use Office 365 for their shared documents.
He gave me so much information that I could have taken over his account, dug into his documents, and found enough information to bring his company to its knees (the name of which I know, thanks to his vocal immodulation disorder).
But, of course, I didn’t. Because I’m one of the WhiteHat hackers.
The second incident was in Atlanta. And, frankly, this guy was a hacker’s dream. Not only did he share with me the full names of 10 contract physicians at a Columbus, Ohio area hospital that was recently taken over by a healthcare management company (he told me that name, too!), but he also used the full name of the person on the other end of the phone no fewer than five times.
He also shared with me (and everyone else in earshot) his plans for taking over the next hospital. I know where it is, and how his company is planning to take it over.
But the best part?? He got up to go to the men’s room… AND LEFT HIS COMPUTER UNLOCKED! Yes, I did take a picture. But I won’t share it. I just did it to prove to myself that even the most ethical of hackers have access to things they should not have access to.
Look – we’re all people. We all make mistakes. But the results of those mistakes are easier to control with automation on the software side. And even on the people side, we can put proactive controls in place through high-quality eLearning that helps people recognize when they are engaging in behaviors that put your company at risk.
That said, there will always be people who act like the idiots in the SkyClubs. People who don’t recognize when they’re sharing so much information that bad people are plotting their downfall.
Are YOU the weakest link?
With WhiteHat Security, you just might be… the STRONGEST link.
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteHat Security authored by Katie Tierney. Read the original post at: http://feedproxy.google.com/~r/WhitehatSecurityBlog/~3/-JdcczPgsh0/