WetWare..the weak link.

It has been highlighted and debated for a number of years that ‘Security is as strong as the weakest link’. This has been transferred into the Information Assurance spectrum with ease. Now some may say ‘It is easy to highlight X as the weakest link’, and in many cases this is a convenient place for organizations to direct their eventual blame.

In recent months, with the release of papers such as the CSI Survey 2007, the pressure to identify the weakest link as the ‘end user’ has continued.

This is not new, I hear you say. Techs & Geeks the world over have long lamented the trouble caused by ‘users’. IT systems would be just perfect if ‘users’ did not touch them!

This then produces the backlash that IT or Infosec types do not understand the business and are not part of the business solution. Continued further, this leads to a loss of influence and a reduction in strategic vision... but that is for another time.

Stereotypes aside, there are thousands and thousands of individual examples where ‘users’ have become the point of failure in the IA environment. Very often these are people trying to get something done by working their way around the good security practices in place. Clear and concise policies, guidance and standards can form the partner to technological solutions in an attempt to prevent such enthusiastic work practices. The final part of the picture is always the person.

An example of this happened at an organisation where an employee had been working at home and tried to email themselves a document. The business email AV solution rejected the attachment and sent the sender a message explaining that it had been stopped due to a virus in the attached document. A helpful and clear position, you might think; alas, the employee persisted. The next day they sent the document again and the same series of events happened. Being resourceful, the employee decided to email the document to a very popular web-based mail provider. Upon arriving at work they accessed the web-based mail system and attempted to download the file. Now the local AV solution stepped in and prevented the process. Not to be prevented from working, the employee disabled the local AV solution and downloaded their document. They were now able to continue working….

The next day they went to access some historic information in a database they had been using, only to find that 18 months' work had been damaged by the virus that they had so diligently worked to bring into their business.

This business had good (for the time) technical measures in place, and it had clear guidelines on the use of systems and on what activities could and should not be undertaken with the business systems. It was the human link that broke.

A much more common event is people following a link in an email message from someone they do not know, based on the lure of something they may wish to have or see. This is often described as ‘Social Engineering’, though this term is not very palatable in some communities.

The most recent label I have seen used to describe this problem is ‘WetWare’. 

It cannot be overstated how important awareness and training for the people element of Information Assurance is. If organisations cannot get this message and culture to be understood then they face a very, very tough challenge and will struggle to achieve their goals in IA.

~ by Simon Hancock on December 11, 2007.

2 Responses to “WetWare..the weak link.”

  1. What is the source of the anecdote?

  2. The example came from an organisation that I worked with in the past. No names, no packdrill.
