 |
June 20, 2011, 07:35:28 PM |
|
Want to know the weakest link on your computer? That's you. Yes, you, not exactly you as you but you as human. The human part...
For starters put one thing on your brain: There's no such thing as electronic security! Electronics provides surveillance, not security.
If you've a cam filming someone being murdered, the only thing the cam does is that: Tells you what happened. Will change nothing for the murdered guy, unless you believe in heaven and ghosts smiling at court-house.
Whereas a human officer would try to use his psychological abilities to demote the murder from doing it. Doesn't mean he will succeed, but might and that makes a whole difference.
In fact you can run a system with plain-text passwords and users with passwords as simple as 123 (well...maybe not this much) and still look like the ultimate safe heaven, as you can run the top edge electronic "security" system and have it as secure as a toy box. It all relies in one thing: how much did you weighted the human factor?
«Hey! I use SHA512 password hashing!» So?!... It will just slow an eventual attacker from know what they're, not prevent him from doing so, specially if you've no clue that your db has been compromised.
In fact your security is reversely proportional to how many people has access to it. If you've something you run alone, you're 100x safer than if you've 100 co-admins.
Add injury to the sorrow, comes auditing. Many of them are who's in need of an audit and by adding auditors you add an unknown human party to access your system.
Whereas machine security is somehow linear, hole/exploit/virus, humans are random, they argue over something and one may not care to how many innocent people he may hurt to get to the other.
My advice here, for those interested in security is to weight as much as possible the human contact with your system. Do not forget to look for holes in the machine, but don't go by create a crater in the human side to fill a tiny hole in the machine!
|
