Royal Hansen, practice director for @stake Europe, said, "Too many companies believe that IT security is a product issue. In fact, human beings are the weakest link in any security system. Expensive and elaborate security measures are often completely undone by a company's failure to enforce even the most simple precautions, opening up the entire corporate infrastructure to malicious attack."
Hansen continued, "There is no magic bullet for internet security. It is a process, not an event. However, companies need to think holistically about how they implement security and people are a major part of that equation. The sooner companies integrate human error into their thinking and take appropriate safeguards, the safer their systems will be."
According to @stake, the ways employees compromise security at corporate sites are:
- Writing their passwords on Post-It notes and leaving them on or near their machines. In an extreme example of this, @stake has experienced instances of a systems administrator loading all passwords to all servers into an (unprotected) Excel spreadsheet and leaving a paper copy of the spreadsheet stuck to the desk near the administration console.
- Setting their default passwords to be the same as their primary password.
- Entering an existing password when the system prompts for a password to be changed.
- Loading encrypted discs onto a system, failing to remove them and leaving the password open.
- Plugging modems straight into servers and bypassing multi-level corporate security systems.
- Plugging servers straight into the internet, bypassing routers that may be acting as firewalls.
- Issuing security certificates with blank passwords.
- Failing to enter a password into Microsoft's server administration system, thereby leaving a blank default password that compromises the whole corporate system.
- Carrying (and subsequently losing) laptop computers loaded with company secrets.
- Failing to keep up to date with, and implement, newly released patches issued by software vendors as breaches are discovered. For example, an Amazon.com employee failed to install a patch to a Microsoft Internet Information Server, allowing attackers to use it to obtain credit card numbers and client information over a four-month period.