We're Only Human
My four-year-old son recently discovered that we own a computer. In just a few short weeks, he has learned how to operate a mouse and play online games on his own. He's so confident that once I set up the Web site, he orders me to leave so he can play in peace. A few days ago, I returned to the computer to discover that he had somehow disabled our firewall. Obviously, he didn't do it on purpose, and there was no data corruption. I did need him to show me how to restore the security feature.
The incident caused me to wonder about all the security and safeguards in place on a network, and how they can be rendered irrelevant by simple human error. In February of 2006, a human error at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. In the SANS Institute's 2006 report on the Top 20 Internet Security Attack Targets, users, excessive user rights and unauthorized devices were named as points of weakness.
From the report: “Some attacks cannot be effectively prevented by technical controls alone. Unwary users can be enticed to do unsafe things. Clever users can find unsafe ways to get things done, unintentionally exposing the company to attack. To protect against attacks exploiting these weaknesses, administrative controls supplement technical and physical controls.”
What are some good ways to proactively approach the unpredictability of human behavior?