It doesn’t matter how extensive the encryption, logging, authentication process, authorization process, or auditing process is. Humans will always ruin it. Always. As in: Always. It doesn’t matter how well you design a wrench; eventually, some human will use it to pound nails.
A data center with the heaviest protections. The retina scanners, palm scanners, voice print analyzers, fingerprint readers, gesture analysis, gait analysis, facial recognition, thermal pattern recognition, ID cards, smart-cards, certificates, armored entrances with cameras and blocking zones. The armed guards, guard dogs, razor wire, land mines, active vehicle barriers, satellite surveillance, motion sensors, audio sensors, light variation sensors, phone and wireless interception. Whatever.
Eventually a human will ruin it. Usually, from one of the following:
- Weak passwords
- Easily-guessed passwords
- Written down passwords
- Leaving an unlocked computer unattended
- Leaving an unlocked smartphone unattended
- Speaking a password (or sensitive ID information) over unsecured communication
- Turning off antivirus protection
- Turning off firewall protection
- Turning off UAC
- No protection on smartphone (dumb user)
- Bragging to a stranger about something job related
- Mentioning that they even have a top-secret clearance to someone who shouldn’t know (or care)
My personal favorite source of exposing vulnerabilities is human ego. Humans LOVE to brag. Get them drunk, stick a semi-interested person in front of them, and it’s like a wind-up toy. Blah blah blah. “Let me tell you about what I do…” and “where I work…” and so on. And if the listener knows just enough to ask the right questions, they can trigger a response like pushing vending machine buttons. A classic example taught in many intelligence schools (it dovetails onto the drunk’s last sentence) is: “Yeah. I hate that too. Do you also hate dealing with ____” (insert process/system/role/etc.).
The minute you tell a stranger in a comfortable social setting (IT conference, bar, etc.) that you have a security clearance, you might as well tell them “I also have millions in the bank!”
Then there’s the technology itself. Designed by humans, for humans to poke at like the chimps at the beginning of “2001: A Space Odyssey”. They’ll Google or Bing for something during a casual conversation, like fishing rods, which shows a few hits of hot babes with fishing poles, and they click on the bait. Once their personal device is compromised, it’s too late. Once one password is guessed, others usually fall in line. Why? Because lazy humans often use the same password for all of their accounts.
Keep in mind how the most recent data breaches occurred. The hacked credit card swipers. The hacked wi-fi access points. The hacked stolen phones. The disgruntled employee. All of these could be traced to human error. Call it hubris or ignorance, it doesn’t matter. Just call it “opportunity for malicious exploitation” and stamp their hands as they enter the night club.
Case in Point
Nearly every doctor’s office I’ve visited does the same stupid thing: the receptionist calls up the next person on the sign-in sheet. Then they ask the patient to confirm their address, birth date and last four of their social. The patient replies out loud, and even though not shouting, it’s typically loud enough for a few nearby patients to hear. All it takes is one of them copying down the name and spoken information and now they have enough to get past most credit card systems, billing systems, banking systems.
In one study, a security firm was able to talk their way past a bank representative over the phone by insisting they forgot their account number, but had just enough of the basic challenge questions down to get past the guard dogs. The last four of a social and a birth date are like having a bag of fresh steaks for the dobermans that patrol the fence.
Humans are the worst thing to ever happen to technology. But there’s a good side to this. If you adopt the Gary Oldman character’s view from The Fifth Element, then a broken glass is a job-creator. Fixing things kills jobs. Errors are good. It’s all a matter of perspective.
Bet you didn’t see that coming. 🙂