I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario where SSL is in place to help the user authenticate the server/site he’s connecting to and if a certificate-related error popped up in the browser then the user would know that the site was malicious and (presumably) not continue on with the connection. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right things with security.
What do you think would happen with the average user in this situation? I’m confident that most people would simply think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that’s what people do. And that’s the very problem we have with information security today.
No doubt, we have to be able to balance security with convenience and usability but the moment we allow users to make security decisions – especially ones that could involve phishing and related malware attacks – we open our networks up to complete compromise. This goes along with something I’ve been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].
Training, technology – you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I’m not convinced we’re going to be able to get past this.
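The programmatic version of this argument, as an added example that is not from the original post: a TLS client that refuses to offer a "continue anyway" path. The strict context below treats a certificate failure as terminal, the second context is the code equivalent of clicking past the browser warning (verification switched off), and `audit_context` flags the settings that hand the decision back to the user. The function and variable names are my own; `fetch_head` only runs against a real host and is included to show where the failure is caught.

```python
import socket
import ssl


def strict_client_context(cafile=None):
    """Fail-closed client context: chain validation and hostname check are mandatory.

    Uses the system trust store unless a CA bundle path is supplied.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; the assert documents the invariant.
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def click_past_context():
    """The code equivalent of clicking past the certificate warning (constructed as the bad example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, or none at all, is accepted
    return ctx


def audit_context(ctx):
    """Return the settings that would let a connection proceed despite a bad certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: untrusted or missing certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for a different site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


def fetch_head(host, port=443, ctx=None, timeout=5.0):
    """Connect using the strict context. A verification failure ends the attempt; no bypass is offered."""
    ctx = ctx or strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"), "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # This is the point where a browser would show its warning; here it is simply a failure.
        return {"ok": False, "reason": f"certificate verification failed: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"connection failed: {exc}"}


if __name__ == "__main__":
    print("strict context findings:", audit_context(strict_client_context()))
    print("click-past context findings:", audit_context(click_past_context()))
```

The audit function is the part worth reusing: run it over every `SSLContext` an application builds and treat a non-empty result as a defect, because a relaxed context in code is the same decision the author describes a user making, only made once and silently for every connection afterwards.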