2.9 Personnel Factors
2.9.1 Seven Management Problems
All information systems are developed by people, and all information security measures and agreements are ultimately implemented by people. The human factor in an information system is therefore not negligible: in information security, whether on the attacking or the defending side, the key factor is people. Moreover, a system is particularly easy to compromise through insiders, and many security measures cannot prevent this.
According to the 1999 SANS survey of 1,850 information security experts, the seven management problems behind security vulnerabilities are:
Wrong staffing: assigning untrained personnel to maintain security, without giving them sufficient time or training;
Misunderstanding the relationship between information security and the business, believing that information security does not affect the business;
Failing to carry out security operations in a disciplined way;
Relying on a firewall, through isolation alone, to solve every security problem;
Ignoring reputation: failing to realize the value of information and of the organization's reputation, when in a digital society a compromised information system has a huge impact on the company's image and business;
Treating the symptom rather than the cause (treating the head when the head aches and the foot when the foot aches), adopting repetitive short-term measures so that the same security problems recur again and again;
Assuming security is free, ignoring security problems and pretending they do not exist.
A key security principle is to use solutions that are effective and affordable, yet do not deny access to legitimate users who genuinely need the information. Finding a way to actually apply this principle is often a difficult balancing act. It is very easy to adopt security technology so complicated that legitimate users become frustrated and work around your security protocol. The impact of a security policy on legitimate users must always be considered: in many cases, if the inconvenience felt by users outweighs the gain in security, the policy actually reduces the security and effectiveness of the system.
2.9.2 An example
An example of such a problem is the password of a legitimate user. Password randomness and memorability are in conflict: the more random a password is, the harder it is to remember, and the easier it is to remember, the poorer its randomness. From the security point of view, a legitimate user's password should be sufficiently random, but users themselves prefer to choose a password that is easy to remember. This is where the problem arises: easy-to-remember passwords increase the chance that a brute-force attack on the system's passwords succeeds. Some automated tools carry a large dictionary, with the so-called weak passwords placed at the front and the candidates ordered by their usual statistical likelihood, for example 123 and Password, so such passwords are likely to be found at the very beginning of the search.
"Users, too, are dissatisfied with passwords. If you ask them to choose a password, they will choose a bad one. If you force them to choose a good one, they will write it on a sticky note and stick it on the edge of the computer monitor. If you ask them to change their password, they will change it back to the one they used a month ago. An actual study of passwords found that 16% of passwords were 3 characters or fewer, and 86% of passwords were easy to crack. Other studies have confirmed these statistics. In an operational test, L0phtCrack found 90% of all passwords in less than a day, and 20% of all passwords within a few minutes."
NSUN 2004
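As an added example (not from the original text), a Python password-policy check that targets the weaknesses just described: it rejects very short passwords, entries from the head of a weak-password dictionary and the trivial variants a cracking rule set derives from them, and reuse of a recently used password. The dictionary sample and all function names are constructed for illustration.

```python
"""Password-policy checks aimed at the failure modes described above: very
short passwords, entries from the front of a cracking dictionary (and the
trivial variants a cracker's rules produce), and reuse of a recent password."""
import hashlib
import hmac
import os
import re

# Constructed head of a weak-password dictionary (hypothetical sample; a
# deployment would load a full published list).
COMMON_PASSWORDS = {"123", "1234", "12345", "123456", "password", "qwerty",
                    "letmein", "admin", "welcome"}
MIN_LENGTH = 8
LEET = str.maketrans("@$013", "asole")   # undo the usual character swaps


def normalize(pw: str) -> str:
    """Reduce a password to the base word a dictionary rule set would derive:
    lower-case, drop trailing digits/punctuation, reverse l33t substitutions."""
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())
    return base.translate(LEET)


def hash_password(pw: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so a password history never stores plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def reused(pw: str, history) -> bool:
    """True if pw equals any (salt, digest) entry in the recent-password history."""
    return any(hmac.compare_digest(hash_password(pw, s)[1], h) for s, h in history)


def check_password(pw: str, history=()) -> list[str]:
    """Return the policy violations for pw (an empty list means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("common password or trivial variant of one")
    if reused(pw, history):
        problems.append("matches a recently used password")
    return problems


def weak_fraction(passwords) -> float:
    """Share of a password sample the policy rejects: an audit in the spirit
    of the studies quoted above."""
    return sum(1 for p in passwords if check_password(p)) / len(passwords)
```

Run `weak_fraction` over an exported sample of existing passwords (at enrolment time, before hashing) to estimate how much of the user population the password policy would currently reject.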
2.9.3 Social Engineering
Another interesting problem is social engineering.
"In 1994, a French hacker named Anthony Zboralski called the US Federal Bureau of Investigation in Washington, posing as an FBI representative working at the US Embassy in Paris. He persuaded the person on the other end of the line to explain how to connect to the FBI's telephone conference system. As a result, he ran up $250,000 on the FBI's telephone bill within 7 months. Similarly, calling employees while pretending to be a network system administrator or security manager is a technique hackers commonly use. If the hacker knows the company's network well and sounds convincing, he can obtain passwords, account names and other confidential information from employees."
In 2000, Kevin Mitnick confirmed the effectiveness of social engineering before the US Congress. "I have been so successful with this attack method that I rarely had to resort to a technical attack," he said. "A company may spend millions of dollars on technical protection, but if someone can simply call a few employees and persuade them to do something on their computers that weakens the computer's controls, or persuade an employee to leak confidential information, then all that spending is wasted."
Social engineering is everywhere in the computer world. Emails carrying viruses or worms use spoofed subject lines to lure unsuspecting users. The I Love You worm disguised itself as a message from someone the recipient knew, tricking the recipient into opening a VBScript attachment disguised as a text file. After the user ran it, the Trojan displayed a system prompt that looked perfectly normal, so users were not put on guard. A variant of the "high-wave" virus ran under the program name Explored, which differs from the Windows system shell Explorer by only one letter; ordinary users do not notice the difference.
Social engineering methods are also extremely difficult to defend against; technical measures have only a partial effect on this problem. It is far easier to change computer security technology than to make people change their habits.
2.9.4 Some Countermeasures
Make sure the company's staff protect their workstations. Not all damage to a system comes from hackers or malicious users attacking it; often a computer is damaged simply by a user's operating mistake. For example, many employees do not realize the dangers involved in downloading ActiveX files and using Java applets, and many do not use a password-protected screen lock when they leave the office (even for a short time) to keep prying users out. They often unknowingly download viruses and Trojan horses, damaging the normal functioning of the network. Educating every user in basic security techniques is therefore important for protecting local resources.
System administrators must also be considered. In general, even well-designed security measures must be configured correctly before they achieve the expected results. Take a secure operating system as an example: its default configuration may not meet the specific needs of the system and must be reconfigured by the system administrator. In such cases the administrator's knowledge of system configuration is particularly important; a wrong configuration is like building a copper wall and then forgetting to lock the door, and all the security technology may lose its effect. Besides configuring the system correctly, system administrators also need to read the relevant security announcements regularly and promptly patch the vulnerabilities that have been discovered in the system.