Thursday, June 08, 2006

Yikes!

Ok first read this story.

Now this is one of the most clever pen tests I've ever read about. The best one has one of the testers turning in, as his report, reams of paper about the company's security defenses, along with two paychecks the company had sent him, not as a pen tester but as an actual employee. He had faked his way into a position at the company. Impressive. Yes, they may have eventually found him out, but how much data would he have mined by then?

All this shows is that regardless of the technology we employ to safeguard ourselves and our environments, there will always be one weakness that cannot be eliminated: people. Hackers (ethical or the regular variety) call it social engineering. In almost any situation you can ask people for information they normally wouldn't give out, and if you ask the right way you can glean the information you seek, or at the very least a key to the next door. People will always be our weakest link in security. Always.

There is hope, though, even if it is only a small light at the end of a long, dark, musty tunnel of confusion: education. Educating the users around us is crucial. I would put educating your users ahead of almost every single tool in the arsenal against being hacked. Consider this: if everyone had been educated about email viruses, would the email-borne virus outbreaks have occurred? If no one clicked the (by now obvious to almost everyone) forged emails with their infected links, there would have been no web-wide crash. An educated user won't give out a password in response to a forged email saying "We need to update your account before it's deactivated! Click this (forged) link to reset your password now!" Education (and a tiny bit of common sense) can prevent all of that. [Why do they call it common sense, when it is anything but?]
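The two tells in that forged email, a visible link that does not go where it says it goes and an "act now or lose your account" threat, are the same things a trained user is taught to look for, and a mail filter can check them mechanically before the user ever sees the message. The script below is an added example, not code from the original post; the sample HTML message, the hostnames in it and the urgency phrase list are all constructed for illustration. It pulls every anchor out of the message, flags any anchor whose visible text is a URL on a different host than the real `href`, counts urgency phrases, and returns a verdict:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post). The visible link
# text claims examplebank.com but the real href points somewhere else.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we need to update your account before it's deactivated!</p>
<p>Click <a href="http://login-verify.example.net/reset">https://www.examplebank.com/reset</a>
to reset your password now.</p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

# Assumed phrase list; a real filter would tune this from observed phishing mail.
URGENCY_PHRASES = (
    "deactivated",
    "suspended",
    "verify your account",
    "update your account",
    "immediately",
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> counts as the link's visible label.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return (visible_text, href) for anchors whose label is a URL on another host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not re.match(r"https?://", text, re.IGNORECASE):
            continue  # label is plain words, nothing to compare
        if host_of(href) != host_of(text):
            findings.append((text, href))
    return findings


def find_urgency(html):
    """Return the urgency phrases present in the message, in list order."""
    lowered = html.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lowered]


def score_email(html):
    """Flag a message as suspicious on any link mismatch or two or more urgency phrases."""
    mismatches = find_mismatched_links(html)
    urgency = find_urgency(html)
    verdict = "suspicious" if mismatches or len(urgency) >= 2 else "ok"
    return {"mismatched_links": mismatches, "urgency_phrases": urgency, "verdict": verdict}


if __name__ == "__main__":
    result = score_email(SAMPLE_EMAIL_HTML)
    for text, href in result["mismatched_links"]:
        print(f"link says {text} but goes to {href}")
    print("urgency phrases:", result["urgency_phrases"])
    print("verdict:", result["verdict"])
```

The host comparison is deliberately strict: a label reading `https://www.examplebank.com/reset` over an `href` on `login-verify.example.net` is exactly the trick the forged "reset your password" mail relies on, and no amount of plausible wording changes where the browser will actually go. The urgency check is a heuristic and will misfire on legitimate notices, which is why it only tips the verdict in combination.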

Ok, I'll step away from the soapbox and return to my usual mediocre drivel, but I stand behind the veracity of my statements. I stand behind my hardware firewall, my router, my anti-virus software, my software firewall, and my NAT... I'm educated, but cautious. (Maybe my puppy surfs when I'm not home. You just never know....)

2 Comments:

At 7:13 AM, Blogger Scott said...

Hey, man, you wanna buy some framed art?

:-)

At 8:53 AM, Blogger The Dogfather said...

Heh. Ok, that was sooo wrong. We still don't know if he watched someone to get the combo (that problem is solved currently) or if someone actually HELD THE DOOR for that guy. That was a crazy day.
