Wednesday, November 11, 2015

Fixing the Weak Link: The Human Element in Network Security

We’ve all heard the age-old adage, “you’re only as strong as your weakest link.” Although the phrase originated in organized team sports, we use it in business as well. An enterprise will experience success or failure based on the sum of the whole and, if a certain team or team member isn’t pulling his or her weight, failure is imminent. This statement also applies to network security.

We deploy network security devices in an attempt to secure our network. We place firewalls at the Internet edge and datacenter edge. We have intrusion detection and intrusion prevention hardware or software components running alongside these firewalls to inspect for malicious traffic patterns. We filter our users’ web content to try and prevent access to malicious web sites or code. We run endpoint security software that does anything from scanning for viruses to sandboxing applications. We implement multi-factor authentication. Some of us are finally inspecting application traffic and identifying the malicious traffic running over allowed ports. Fewer still are taking the application whitelisting approach, defining what CAN run on a device and blocking everything else. All of this is done with the best of intentions: to create the most secure network environment that we can, to protect against attacks and attempts to access the data or systems we hold sacred.

And yet, we’re all failing. We’re failing because we’re addressing areas of perceived strength and ignoring the weakest link. “Our latest vulnerability assessment shows that we’re at risk because we have several unpatched servers and one of our web servers is vulnerable to a cross-site scripting attack.” Because of this vulnerability assessment, we now have approval to spend time and money to resolve these vulnerabilities. Unfortunately, this vulnerability assessment doesn’t show that Pat in our finance department has no idea what a phishing email looks like and has just clicked on the link in the “reset your password” email, logging into the company’s online banking portal for a 5th time to reset the password for the account that we use to process payroll each week… unsuccessfully, I might add. Pat’s phone call to the help desk goes something like this:

“Hey, are we having Internet problems? I can’t seem to get our online banking page to load.”

Help desk guru responds with “I can’t see any issues with our Internet. Seems to be working fine for me, so try it again in a few minutes. Maybe reboot your computer.”

By now, the fraudulent wire transfer of this week’s payroll has already been started using Pat’s credentials, which were typed into the fake password reset form behind the emailed link. Pat is able to log into the account after the reboot because Pat uses the favorite that was created in Firefox rather than clicking on the link in the email.

This story illustrates one of the many ways that an attacker can get what they want by exploiting the weakest link. At present, we view our network security systems, our firewalls, our IPS, our WAF, and our AV systems as our strongest links because they are configurable and do what we want them to do. People are the variables and are, inherently, our weakest links. But they don’t have to be.
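The lure in Pat’s story, a “reset your password” email whose link shows one address but leads to another, is also something a mail gateway or a help desk triage script can check for. This is an added example, not code from the original post: it parses an HTML email body, compares each link’s visible text with its real destination, and flags hosts that merely contain a trusted brand name. The bank domain examplebank.com, the lookalike host and the sample message are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}   # constructed allow-list for the sample
URGENCY_PHRASES = ("reset your password", "within 24 hours")


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for the .com/.net sample hosts."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(html_body):
    """Return findings for the two cues in the story: urgency and a lying link."""
    findings = [f"urgency lure: '{p}'" for p in URGENCY_PHRASES if p in html_body.lower()]
    parser = LinkParser()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = ""
        if "." in text and " " not in text:   # visible text looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text '{text}' actually points to {host}")
        # Host borrows the bank's brand name without being the trusted domain.
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host and registrable(host) not in TRUSTED_DOMAINS:
                findings.append(f"lookalike host {host} imitates {trusted}")
    return findings


# Constructed sample: the "reset your password" lure with a lookalike host.
SAMPLE_EMAIL = """<p>Your session expired. Please reset your password within 24 hours
to keep payroll processing active.</p>
<p><a href="http://examplebank.com.secure-login.example.net/reset">www.examplebank.com/reset</a></p>"""
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields four findings (two urgency phrases, the text/destination mismatch, and the lookalike host), while a plain notice linking to the real bank domain yields none.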

Some of the most secure networks, and the biggest targets for attackers, I might add, do not appear to have those perceived weak links. The people are still there, as are the weak links, but they are being educated constantly on the ever-changing threat landscape. Their employers perform routine Security Awareness Training. They perform in-house testing to reinforce that training and then do more training. Rinse and repeat.

They create policies that lock down the network and only allow those things which are necessary to perform core business functions. At the end of the day, your business exists to make widgets or provide a service to consumers. Unless your business IS Facebook or Twitter, what reason could you possibly have for being on those pages during the course of normal business? Obviously, there are exceptions to every rule, but it seems that we, as entitled members of society, have decided that we are all the exception and should have the right to access what we want, when we want, from wherever we want, even if it’s technically not relevant to the task or job function which we are employed to perform.

If you truly want to protect your network, investing in the technology used to do so is only half of the battle. Education, policy creation and enforcement, and regular testing for new and emerging threat types are the weak links that need to be addressed. Let’s face facts: we’re behind the curve when it comes to protecting ourselves from attackers simply because we are always in a reactive mode. If we can effectively educate our users and reinforce the fact that our business network is used to conduct BUSINESS, that’s going to shorten the curve exponentially. As a business owner, network manager, CIO, or whatever your title might happen to be, you may not be able to implement the necessary changes to make this happen in your organization, but I’ll bet you can exert some sort of influence over them. You wouldn’t be reading this if you couldn’t.

*The thoughts and opinions in this blog post are my own and do not reflect the thoughts and opinions of Great Lakes Computer or any of its vendors, clients, or partners.

-Chris C

Chris C has over 15 years of experience designing, implementing, documenting, and supporting networks and infrastructure from SMB through Enterprise level in a multitude of verticals. Currently Sr. Network Engineer at Great Lakes Computer focused on designing and implementing secure network solutions in the datacenter and service provider space.

