Sunday, May 20, 2007
IT Security: YOU Are The Weakest Link
There is a single most important rule to IT security:
Always address the weakest link.
This rule may seem obvious at a first glance, but don't forget the secret society of NOKEY (1). The members of NOKEY make companies spend huge amounts of money to strengthen the strong links, skillfully steering their attention away from the weakest spots. Sometimes the weakest links are so hard to improve that I believe they really do us a favor.
But what is the weakest link in an IT security environment? In 99.9999% of all cases this is easy to answer:
You are the weakest link. Goodbye.
If you don't use passwords like "opensesame01" or "k00lN4M3", and always inspect the magnetic card reader before you put your credit card into it when buying a nice necklace for your wife, then I don't mean you personally. And of course you don't do this.
But as long as people just punch their PIN into every beeping box that asks for it and use passwords that are as random as the unpredictable zero, it seems to be a job-creation measure to build a certification process that asks for high security standards. Why should a talented criminal bother to spend tens of thousands of euros to hack an operating system when the data is easily accessible via the careless user?
There may be a solution besides not allowing a system to be used. Educate the user. Go out and spread the word. If you read this, you're probably a person with a strong understanding of basic security principles. Explain the necessity for randomness in a user password. Make people around you use a tool like PasswordMaker and threaten them with endless lectures about cryptographic algorithms if they ever write down a PIN.
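To make the "necessity for randomness" concrete when you give that lecture, here is an added example (not from the original post, and not PasswordMaker's code) that contrasts the naive "characters times alphabet" entropy figure with what a guesser who knows the word-plus-digits habit actually has to search. The six-word dictionary, the leet substitution table and the assumed real-world dictionary size of 100,000 words are all constructed assumptions for illustration; a real cracking wordlist is far larger and the recogniser far smarter, which only widens the gap shown here.

```python
import math
import secrets
import string

# Constructed toy dictionary, standing in for a real cracking wordlist (assumption).
COMMON_WORDS = {"open", "sesame", "password", "kool", "name", "welcome"}
# Assumed size of the wordlist an attacker really uses (assumption: 100,000 entries).
ASSUMED_DICTIONARY_BITS = math.log2(100_000)
# Common "leet" substitutions, undone before dictionary lookup.
LEET = str.maketrans("0134@$", "oieaas")


def charset_size(pw: str) -> int:
    """Size of the alphabet the password *appears* to be drawn from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def naive_entropy_bits(pw: str) -> float:
    """Upper bound: pretends every character was chosen uniformly from the alphabet."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def segment(s: str):
    """Split s into a sequence of COMMON_WORDS, or return None if that is impossible."""
    if s == "":
        return []
    for i in range(1, len(s) + 1):
        if s[:i] in COMMON_WORDS:
            rest = segment(s[i:])
            if rest is not None:
                return [s[:i]] + rest
    return None


def estimate_bits(pw: str):
    """Return (bits, explanation).

    If the password is dictionary words (optionally leet-spelled, optionally with a
    digit suffix), charge one dictionary lookup per word, log2(10) per digit and
    two bits for the leet/capitalisation choice. Otherwise fall back to the naive bound.
    """
    core = pw.rstrip(string.digits)
    digits = pw[len(core):]
    # Try the whole string first (leet digits inside words), then word + digit suffix.
    for part, suffix in ((pw, ""), (core, digits)):
        words = segment(part.translate(LEET).lower()) if part else None
        if words:
            bits = len(words) * ASSUMED_DICTIONARY_BITS + len(suffix) * math.log2(10) + 2
            why = "+".join(words) + (f" + {len(suffix)} digits" if suffix else "")
            return round(bits, 1), why
    return round(naive_entropy_bits(pw), 1), "no dictionary structure found"


def generate_password(length: int = 16) -> str:
    """Uniformly random password over letters and digits, with every class present."""
    pool = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw


if __name__ == "__main__":
    for candidate in ("opensesame01", "k00lN4M3", generate_password()):
        bits, why = estimate_bits(candidate)
        print(f"{candidate:16} naive={naive_entropy_bits(candidate):5.1f} bits  "
              f"realistic={bits:5.1f} bits  ({why})")
```

Run it and the two passwords from the post drop from roughly 62 and 48 "naive" bits to about 42 and 35 once the word structure is recognised, while a 16-character random string keeps its full 95 bits because there is no structure to exploit. The point for your audience: length and a big alphabet only count if the characters were actually chosen at random.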
And once you have really managed to build a system where the user is no longer the weakest link, we can talk about algorithms.
(1) Nameless Organization of Kernel Error Yield