To be breached is human

Recent surveys hint at why it is so hard to protect networks and IT systems from attack: Our IT systems are designed, built, managed and used by us.

While the security industry likes to focus on application security and system vulnerabilities, as well as the effectiveness (or lack thereof) of the tools used to defend IT systems, the vulnerabilities that lead to real-world breaches are often created by the wetware between our ears -- not by defective tools.

Earlier this week, in the story "It's the human threat, stupid," we covered how people social engineer and attack. Since then, some survey results have revealed how people may often also be their own worst enemy when it comes to protecting IT systems. The results hint at why it is so hard to protect networks and IT systems from attack. And the clue is this: Our IT systems are designed, built, managed, and used by us.

For instance, according to a survey conducted by network security firm AlgoSec, of the more than 100 information security professionals who responded, 66 percent reported human error in network configurations as the most common cause of outages during the past year. About 9 percent cited errors in their gateways as the cause of outages. An earlier CSOonline story reported on the inherent vulnerabilities found in some gateway and firewall applications.

Why is such a high percentage of security (in the sense of system availability) failures blamed on people? Complexity, argues Avishai Wool, chief technology officer at AlgoSec. "Managing the sheer number of devices, not to mention the changes that these devices undergo, is a daunting task for any organization," he wrote in a blog post.

The human vulnerability was also highlighted in another survey, the "2011 ISUG Report On Data Security Management Challenges." This survey, which questioned 216 International Sybase Users Group (ISUG) members, found that 46 percent of root causes of breaches in the past year were human error. That is more than double the figure for insider attacks (20 percent), external attacks (17 percent), and even accidental loss of data containers.

While analysts agree that user errors create vulnerabilities, they don't necessarily agree that user errors are the cause of a breach. In much the same way, an unlocked front door makes a home vulnerable to burglary, but it is the thief, not the homeowner, who is the root cause of the crime.

"Humans are going to cause errors, and you have to design your systems to be secure around that fact," says Pete Lindstrom, research director at Spire Security. "You need to build in security resilience, so that if any single control fails, other mechanisms are in place for protection. So while enterprises can work to reduce human error, they won't eliminate it, so they have to plan for it," he says.

Such plans would include proactively looking through systems for configuration errors, monitoring databases, and having the right access controls in place, among many others, Lindstrom says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.
