I was going through some old boxes recently and found a copy of the March 1996 issue of Digital News & Review, a magazine where I served as editor-in-chief. One of my then-columnists, Rick Cook, wrote a story under the headline: How secure is Windows NT? Cook's position was that focusing on security built into hardware or software was useful, but the wrong place to start thinking about building a security strategy. The right place was with the human component, not a technical one.
Cook's position is as valid today as it was 22 years ago. President Clinton at the time was said to have a sign in his office that said: “It's the economy, stupid.” (That's actually a busted myth. “The economy, stupid” was a campaign slogan Clinton used, but there was no sign.) One could postulate that security staffers had a sign over their desks saying: “Data Security: It's the human element.” They would have been right then and they still would be right today. Social engineering and the human factor in the equation is still the primary source of security breaches.
Cook's argument used a then-20-year-old computer scam perpetrated by a fellow named Jerry Schneider, who stole hundreds of thousands of dollars of telecom equipment from a major phone company. After serving his prison time, Schneider later became a security consultant, teaching executives how to train their staffs to identify and reject social engineering attacks, then commonly committed by phone. Sound familiar? Today we call it visihing — voice phishing. It has been going strong for nearly 50 years.
Cook's advice of the day: “Your security policy should respect the corporate culture where it can, change the culture where it must, and always try to work by persuasion and education rather than force.” Those words could have been spoken by security trainers today.
Defending the network through training, education and persuasion is still a top recommendation. Looking back at the industry, Cook recognizes that even after such a long time, companies are still falling victim to the same attacks because, frankly, as an industry, we have yet to learn yesterday's lessons well.
“One of the problems with security is that the old attacks don't really go out of style,” Cook said in a recent email exchange. “Our attention is just diverted to new attacks and it's easy to forget about the older ones. Plus we keep making the same mistakes so thing like SQL injection remain viable. Eternal vigilance is the price of security.”