(Part 2 of 2)

A few days ago I posted Guarding Against the Inside Job which was the first half of this thought — today’s post is part 2 — the fun one: Idiocy! Many of you already know that this name resembles that of one of my favorite movies. Need a hint?

Idiocy

Yep, Idiocy and Idiocracy are pretty close but they essentially mean the same thing: people doing really dumb things. This is the fun one, not just because of the name, but because we have all seen it and perhaps even fallen for it a time or two. This is where someone within the company just does something that’s dumb and, by doing it, opens the door for an outsider — a real “hacker” — to come in and have his way with the company computer system.

Let me start by asking you this simple question:

Have you ever heard of Stuxnet?

It is only the first known militarized use of a computer worm — the most advanced and sophisticated computer worm the world has ever seen. This is the one that took out Iran’s nuclear centrifuges. Now do you remember?

What is even more interesting about Stuxnet is that, despite all of its sophistication, it couldn’t get into Iran’s nuclear facility on its own — it needed some help. By most accounts it found that help in the form of a USB stick that someone working in the facility brought in and plugged into a computer there. That was all of the help Stuxnet needed; it took care of the rest itself. If you want to read more about this, check out Hamish Barwick’s (@HamishBarwick) fascinating article Nuclear warheads could be next Stuxnet target — it is guaranteed to send a chill down your spine!

The point about the USB stick should send chills down the spine of every company out there as well. Do you want to take a guess at how much this happens at your company?

If you haven’t done a study to find out, that’s OK; you’re in luck. The United States Department of Homeland Security did one for you to find out how hard it is to corrupt workers and gain access to organizations’ computer systems. This is all explained in an article written by Cliff Edwards (cedwards28@bloomberg.net), Olga Kharif (okharif@bloomberg.net), and Michael Riley (michaelriley@bloomberg.net) in Bloomberg entitled Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy, in which the authors provide a quote from Mark Rasch that sums it all up nicely:

“There’s no device known to mankind that will prevent people from being idiots”

In the article the authors explain the test, in which computer disks and USB thumb drives were secretly dropped in the parking lots of government buildings and private contractors. Of those that were picked up, 60 percent were plugged into office computers, and of those bearing an official logo, 90 percent were installed.

You really need to read the extensive and very informative article. The ultimate finding was that human error alone can essentially nullify all of the expensive security systems your company has in place; humans are the weak link in the fight to secure networks against hackers.

From everything we have seen so far, that is indeed the case. So the question you have to ask yourself is, “are your people as well prepared as your network?”